A large public transport operator operates a mixed IT and OT estate that supports passenger information, signalling, ticketing and operations. The IS Security Supply Chain Expert role exists to design and operate a supply chain cybersecurity strategy, combining cyber security, supply chain management, and certifications such as CRISC and ISO27001 Lead Implementer to reduce third‑party risk across the supplier lifecycle.
The mission
The IT Security department owns information security across the organisation's IT and operational technology (OT) environments. The team is responsible for the policy, controls and compliance work that affects on-premises systems, cloud services and the suppliers who provide software, hardware and operational services. Strengthening third-party controls and aligning with standards such as ISO 27001 and NIS2 is a priority for upcoming roadmap work.
Day to day, you will define and maintain the supply chain cybersecurity strategy and run the third-party risk management process end to end. You will assess suppliers, draft security clauses for contracts, lead maturity assessments and compliance reviews, and coordinate remediation plans with Procurement, Legal, IT and business teams. You will also track risk indicators and keep stakeholders informed, so that supplier risks feed into operational risk reporting.
Your responsibilities
- Define and maintain a supply chain cybersecurity strategy that covers IT and non‑IT suppliers and maps to ISO 27001 and NIS2 requirements.
- Identify, analyse and quantify cyber risks from suppliers, producing risk ratings and actionable remediation plans that reduce exposure to critical services.
- Implement and operate a repeatable third-party risk management process, including questionnaires, risk acceptance, continuous monitoring and evidence collection.
- Contribute clear, enforceable security clauses for supplier contracts and participate in contractual negotiations with Procurement and Legal.
- Conduct supplier security assessments, maturity audits and compliance reviews, and deliver concise executive reports and dashboards of key risk indicators.
- Coordinate cross‑functional remediation activities with IT, OT, business owners and external suppliers until risks are mitigated.
Your profile
Essential skills
- Proven senior experience in supply chain security or third-party risk management, with practical application across IT and OT environments.
- Hands‑on knowledge of TPRM processes, vendor assessments, and continuous monitoring approaches.
- Certification as CRISC and experience applying risk frameworks in operational contexts.
- Certification or demonstrable experience as an ISO27001 Lead Implementer, able to run audits and maturity assessments.
- Strong stakeholder management skills, able to work with Procurement, Legal, IT and business units to translate security requirements into contracts and processes.
- Practical familiarity with NIS2 obligations and their impact on supplier controls.