Cyber Security Contracts Manager (NIS/CAF)

Utilities is heavily-regulated and given we work with multiple suppliers we must adhere to certain framework-driven compliances (NIS/CAF). We need someone to oversee and review our current contracts with suppliers and look for gaps that would lead us to fail an audit. The person we need will wear two hats:

• Strong knowledge around NIS / CAF process and policies, where they apply and how to write scope documents.
• Experience in reviewing supplier contracts from a Cyber framework perspective.

We appreciate that this is a niche requirement so if you lean more towards NIS / CAF policies with some contract experience then we’re open to a chat; similarly, if you lean more towards contracts management but have reviewed supplier agreements with a focus on cyber then please also apply.

Requirement

We are seeking an additional resource to support the development of our processes, policies and contract documents relating to the Cyber Assessment Framework (CAF) and Network and Information (NIS) Regulations.

Assignment Overview

We are seeking an experienced Cyber Assessment Framework (CAF) and Network and Information (NIS) Regulations professional to undertake a contract assignment focused on updating and enhancing service supplier contracts across four operational sites within the energy sector. Each site supports four to five operational systems, with contracts requiring updates to ensure the provision of services will support and sustain CAF Enhanced Profile compliance.

This role will work closely with operational, technical, and commercial stakeholders to review existing contractual arrangements, identify gaps, and implement updated contract terms aligned with regulatory, operational, and assurance requirements.

Key Responsibilities

• Review and assess existing service supplier contracts across four operational sites.
• Identify contractual gaps, risks, and improvement opportunities related to CAF Enhanced Profile compliance.
• Work with internal stakeholders (operations, engineering, cyber/security, legal, and commercial teams) to validate service requirements and compliance needs.
• Update and negotiate contract terms, service schedules, KPIs, and obligations to ensure appropriate maintenance, support, and assurance coverage.
• Engagement and negotiation with service suppliers to agree revised contractual positions.
• Ensure contractual outputs are practical, measurable, and aligned with operational maintenance realities.
• Develop and implement a consistent contractual approach across sites while accommodating site-specific requirements.
• Maintain clear documentation, contract registers, and audit trails to support compliance assurance.
• Provide regular progress updates and risk assessments to project or commercial leads.

Key Deliverables

• Updated and agreed service supplier contracts supporting CAF Enhanced Profile compliance.
• Clear service definitions, KPIs, SLAs, and compliance obligations.
• A consistent contractual framework across all operational sites.
• Documented risks, assumptions, and mitigation actions.

Skills and Experience

Essential

• Proven experience in CAF, cyber resilience, assurance, or compliance-driven contracting environments.
• Strong experience reviewing, updating, and negotiating supplier contracts.
• Ability to work in complex, multi-site operational environments.
• Clear understanding of service-based contracting and supplier management.
• Strong stakeholder management and communication skills.
• Detail-oriented approach with strong documentation and governance practices.

Desirable

• Experience in regulated or operationally critical environments such as energy, utilities, water, rail, MoD or similar sectors.
• Experience working on contract remediation or compliance uplift programmes.
• Direct experience of delivering into a security framework (e.g. CAF, 62443, NIST).
• Direct experience of delivering service contracts for data centres.

Personal Attributes

• Pragmatic and solutions-focused.
• Comfortable working autonomously within a defined assignment scope.
• Able to balance commercial, operational, and compliance considerations.
• Confident engaging with both technical and non-technical stakeholders.

Candidates will ideally show evidence of the above in their CV in order to be considered.

Please be advised if you haven't heard from us within 48 hours then unfortunately your application has not been successful on this occasion, we may however keep your details on file for any suitable future vacancies and contact you accordingly.

Pontoon is an employment consultancy and operates as an equal opportunities employer. We use generative AI tools to support our candidate screening process. This helps us ensure a fair, consistent, and efficient experience for all applicants. Rest assured, all final decisions are made by our hiring team, and your application will be reviewed with care and attention.