Description & Requirements
On behalf of UKAEA (UK Atomic Energy Authority) we are looking for a Cyber Security Assurance Specialist (INSIDE IR35) for an 8-month contract based Hybrid in the Abingdon, Oxford office.
Overall Purpose
UKAEA's mission is to lead the delivery of sustainable fusion energy and maximise scientific and economic impact. The Computing Division underpins this mission by delivering secure, scalable, and innovative digital solutions.
The Cyber Security Assurance Specialist plays a pivotal role in advancing UKAEA’s hybrid digital estate, encompassing enterprise IT, operational technology (OT), and research platforms. This role sits within the Information & Cyber Security Group and provides subject matter expertise in security architecture, cyber risk governance, and assurance frameworks.
This is a cross-functional role with both advisory and hands-on responsibilities. It focuses on security assurance and risk management: supporting architecture reviews, vulnerability management, risk assessments and cyber defence posture; driving technical assurance; and embedding risk-aligned security controls and secure-by-design practices across IT and OT systems. You will work across hybrid environments including cloud, infrastructure, applications, and OT systems. You will be responsible for reviewing and advising on security architecture patterns, reviewing and maintaining risk registers, leading assurance assessments, and embedding security controls across infrastructure and platforms. You will also guide teams in applying secure-by-design principles and support both internal audit and external compliance efforts, including Gov Assure, CAF, ISO 27001, and Cyber Essentials (CE and CE+), while supporting the secure operation of core services. The role requires strong stakeholder engagement, technical depth, and a sound understanding of UK-specific cyber risk frameworks. You will help shape and maintain a secure posture across UKAEA.
As a Cyber Security Assurance Specialist your main responsibilities will be to:
- Conduct cyber security risk assessments across IT, cloud and OT environments, including the evaluation of significant technical and architectural changes (e.g. network reconfiguration and application onboarding)
- Provide secure-by-design assurance and guidance to digital projects across cloud, infrastructure and application initiatives
- Maintain, update and govern the cyber security risk register
- Represent Cyber Security within governance forums and cyber design / architecture authorities
- Lead internal technical assurance reviews aligned to Gov Assure, CAF and ISO 27001, including documentation of evidence gathering and remediation plans
- Support compliance activities and audit evidence packs for Gov Assure, CAF, Cyber Essentials (CE/CE+) and ISO 27001
- Maintain traceability of security controls to relevant frameworks (e.g. NIST, NCSC and Cyber Essentials)
- Evaluate suppliers and third-party services against internal and external cyber risk and assurance criteria
- Develop, update and maintain security standards and documentation, including threat modelling, vulnerability management and control guidance
- Work with IT and platform teams to co-author, test and maintain secure configuration standards and playbooks (e.g. SaaS, Azure services, Entra ID, Linux, Microsoft 365 and OT upgrades)
- Contribute to the adoption of Zero Trust principles within platform and service design
- Produce technical assurance reports, deliver knowledge-sharing sessions, and support cyber input across IT, research and OT programmes
Essential:
- Demonstrable experience reviewing or contributing to secure infrastructure or cloud architecture designs.
- Proven experience with risk assessment methodologies and maintaining enterprise risk registers.
- Working knowledge of risk assessment methodologies (e.g. ISO 31000, FAIR, OWASP risk rating).
- Strong understanding of Gov Assure, CAF, ISO 27001, Cyber Essentials, and NIST frameworks.
- Experience conducting or supporting security audits and implementing remediation plans.
- Proficiency in assessing and securing platforms such as Entra ID (Azure AD), Microsoft 365 E5, Azure IaaS/PaaS, Windows/Linux/Unix.
- Strong knowledge of security tooling such as SIEM, endpoint detection (EDR/XDR), and vulnerability management platforms.
- Hands-on experience with policy development, access control models (RBAC, ABAC), and logging standards.
- Experience supporting assurance activities or government-mandated reviews (e.g. GovAssure, Secure by Design).
- Knowledge of Incident Management, Vulnerability Assessments, SIEM & SOC Systems.
- Familiarity with ITSM workflows and change control procedures.
- Experience designing or reviewing secure software supply chain and CI/CD security.
- Ability to interpret CVEs, CVSS scores, and threat intelligence feeds.
- Strong stakeholder engagement and communication skills with an ability to produce technical reports and articulate risk to non-specialists.
SC Clearance is an essential requirement for this role; as a minimum, you must be willing and eligible to undergo checks. Please note that, due to the exceptional requirements of this position (the short-term nature of the role and the speed at which we require a postholder in situ), preference may be given to candidates who meet all of the essential criteria and hold active security clearance.
Desirable:
- A degree in Cybersecurity, Information Technology, or a STEM subject (or equivalent experience).
- Security Assurance certifications such as CCP, SIRA.
- Security certifications such as CISSP, SSCP, CISM, CRISC, CCSP, SABSA, or SANS GIAC (GSEC, GCCC, GCPM).
- Experience working in a regulated or government environment, particularly within research, energy, or national infrastructure.
- Knowledge of OT / ICS / SCADA security principles and industrial control environments.
Please be aware that this role can only be worked within the UK and not Overseas.
In applying for this role, you acknowledge the following: "This role falls in scope of the Off Payroll Working in the Public Sector legislation. Any rates of payment quoted will reflect the gross rate per day for the assignment and will be subject to appropriate taxes and statutory costs. As such, the payment to the intermediary and your income resulting from this contract will be different."