
Information Security and Technology Risk, Regulation Lead

Location
United Kingdom, Aberdeen
Job Contract
Contract
Job Type
Full Time
Reference No.
JO0000017507

INFORMATION SECURITY AND TECHNOLOGY RISK, REGULATION (GRC) AND AWARENESS LEAD

Our Client, a Major Oil and Gas Operator is seeking an Information Security Governance, Risk, Policy, Framework & Awareness Lead. This is a 12 month PAYE contract role based in Aberdeen with a hybrid working model in place.

Role overview

The Information Security Governance, Risk, Policy, Framework & Awareness Lead is accountable for designing and maintaining the enterprise’s security governance structures, risk management frameworks, policy ecosystem, and security awareness strategy. This role ensures cybersecurity is effectively governed, risk-managed, and communicated across all levels of the organisation through structured frameworks, stakeholder engagement, and compliance oversight.

Key Responsibilities:

Security governance and frameworks

Design and maintain the organisation’s overarching information security governance model.

Define roles, responsibilities, forums, and escalation paths for cyber governance across business units and functions.

Align frameworks with industry standards (e.g. ISO/IEC 27001, NIST CSF, CAF) and integrate with enterprise governance structures.

Information Security Risk Management

Lead the design and operation of the security risk management framework, including risk identification, assessment, treatment, and reporting.

Ensure risk registers are maintained and embedded into governance reviews and decision-making forums.

Coordinate with Enterprise Risk Management (ERM) to integrate cyber risk into the broader risk posture.

Policy, standards and compliance

Own the lifecycle of information security policies, standards, procedures, and guidelines.

Ensure alignment with legal, regulatory, and industry requirements (e.g., NIS2, GDPR).

Establish governance routines to review, approve, and communicate policy updates organisation-wide.

Awareness, culture and training

Develop and lead a comprehensive cybersecurity awareness and training strategy for all staff.

Drive behavioural change through targeted campaigns, phishing simulations, and executive-level engagement.

Measure awareness effectiveness through KPIs, surveys, and cultural assessments.

Executive reporting and assurance

Deliver regular reporting to senior leadership and boards on governance effectiveness, risk posture, and policy compliance.

Support internal and external audit activity and ensure timely remediation of control deficiencies.

Lead maturity assessments (e.g. ISO 27001 audits, CAF assessments) and track progress against strategic goals.

Stakeholder Engagement & Integration

Collaborate with Legal, Compliance, HR, and IT to embed governance, risk, and policy practices into business-as-usual activities.

Act as a subject matter expert to guide the development of secure business processes and projects.

Ensure governance and awareness initiatives are adapted to regional, cultural, and operational contexts.

Skills, experience & attributes of candidate:

Experience with setting Information Security Policy and Frameworks

Experience with Technology Risk Reporting and engagement with Enterprise Risk and Audit Committees

Excellent understanding of regulatory frameworks e.g. UK CAF, Cyber Security and Resilience Bill, NIS2

Confident engaging senior leadership and explaining the current risk position and options for risk reduction

Familiar with IT security frameworks such as the NIST CSF

Bachelor’s in CS, InfoSec, or equivalent experience

Certifications: GICSP, CISSP, or equivalent qualification

Senior Recruitment Specialist

Jan Kriel
01224 628 227
jkriel@strategic-resources.co.uk