GRC Officer: OT & IT Risk, Compliance & Governance

We are recruiting for a client in London for a GRC Officer (with OT and IT experience) reporting into the Head of IT and Security. The role ensures that security/operational risks are effectively identified, assessed and monitored, and that the organisation maintains compliance with relevant legislation, industry standards and internal policies.

This position operates as a key member of the second line of defence, working closely with business units, technical teams and senior stakeholders to embed robust governance and risk practices.

• Demonstrable experience in governance, risk management or compliance within an IT/technology, operational, regulated or critical services environment.
• Strong understanding of risk management methodologies and compliance frameworks (e.g., ISO 27001, NIST CSF, NIS, CAF).
• Excellent written and verbal communication skills with proven stakeholder engagement capability.
• Ability to interpret and translate regulatory requirements into practical processes and controls.
• Strong organisational skills with the ability to manage multiple workstreams effectively.
• Experience working in regulated sectors (e.g., transport, utilities, financial services, health, government, technology).
• Exposure to OT or industrial control systems (ICS) risk and compliance.
• Experience in developing policies, standards and governance reporting.
• Relevant certifications such as ISO 27001 Lead Implementer/Lead Auditor, CISMP, CRISC, CISM, or similar.

Areas of focus:

• Implement and maintain the organisation’s risk management framework, including risk identification, assessment, treatment planning and monitoring.
• Facilitate risk assessments across business units and support the development of risk mitigation strategies.
• Monitor and report on risk trends, control effectiveness and emerging threats.

Compliance:

• Support the organisation’s compliance programme, ensuring adherence to relevant laws, regulations and standards (e.g., ISO 27001, NIS Regulations, GDPR, sector‑specific obligations).
• Maintain compliance registers, audit evidence repositories and documentation to demonstrate ongoing compliance.
• Monitor changes in regulatory and industry requirements and assess their impact on the organisation.
• Coordinate internal and external audits, including evidence collection and management of findings.

Governance & Policy Support:

• Contribute to the development, review and implementation of policies, standards and governance processes.
• Produce clear, accurate reports for senior leadership, committees and governance bodies.
• Support the establishment and continuous improvement of governance controls and assurance mechanisms.
• Hold accountability across all technology departments for the governance and assurance of change management, including oversight of changes to systems, data pipelines, AI models, prompts, and configurations, ensuring that appropriate approval, risk assessment, testing, documentation, and audit evidence are maintained prior to implementation.

Awareness & Engagement:

• Assist in the design and delivery of awareness, engagement and training activities related to security, compliance and risk.
• Communicate complex requirements to both technical and non-technical stakeholders in a practical and business relevant manner.

Qualifications:

• Degree in Information Security, Risk Management, Business, Law or a related discipline; or equivalent professional experience.
• Professional qualifications in information security, risk or compliance are beneficial but not essential.

Personal Attributes:

• Detail‑oriented and methodical, with strong analytical skills.
• Proactive and able to work independently while engaging collaboratively across teams.
• Able to simplify complex subjects into accessible and actionable guidance.
• Confident engaging with stakeholders at all levels, including senior leaders.