Principal Third Party Risk Analyst

Job Locations: IN-KA-Bengaluru
Posted Date: 17 hours ago (16/12/2025 1:52 AM)
Requisition ID: 2025-8354
Website Category: Technology

Role Introduction

We are seeking a highly skilled and experienced Principal Third-Party Cybersecurity Risk Analyst to take end-to-end ownership of OneAdvanced’s supplier cybersecurity risk management activities. This role is responsible for assessing, monitoring, and managing cybersecurity risks arising from third-party suppliers, ensuring they meet OneAdvanced’s security, privacy, and resilience expectations.

You will independently perform and manage supplier cybersecurity assessments, review control environments, evaluate risk exposure, and provide clear, risk-based recommendations to internal stakeholders. You will also improve processes, enhance tooling (including the use of AI), and ensure strong risk governance across the supplier lifecycle.

If you have strong cybersecurity knowledge, deep assessment experience, and the ability to operate with high ownership and autonomy, this role offers a meaningful opportunity to strengthen OneAdvanced’s supply-chain security posture.

What You Will Do

Supplier Cybersecurity Assessments

  • Conduct detailed cybersecurity assessments for new and existing suppliers based on their classification and inherent risk.
  • Review supplier evidence including SOC 2 reports, ISO 27001 certifications, penetration test results, data flows, architecture diagrams, cloud security configurations, and security policies.
  • Evaluate cybersecurity controls across key areas such as access management, encryption, monitoring, incident response, business continuity, and vulnerability management.
  • Document risks, observations, and required actions with clarity and accuracy.

Risk Governance & Exception Support

  • Maintain and update the supplier cybersecurity risk register, ensuring risks are tracked, monitored, and managed through their lifecycle.
  • Support the exception process by preparing well-reasoned, risk-based recommendations and identifying potential compensating controls.
  • Ensure consistency and adherence to ISO 27001, NIST CSF, GDPR, and internal security policies.

Execution of the TPRM Process

  • Manage all cybersecurity-related elements of the TPRM workflow, including RSQ/SAQ review, supplier classification, assessment execution, and remediation follow-up.
  • Ensure assessments are completed within agreed timelines while maintaining high quality and accuracy.
  • Coordinate with suppliers and internal stakeholders to obtain required information and progress reviews.

Continuous Improvement & AI Enablement

  • Improve assessment quality, efficiency, and consistency through updated templates, improved scoring methods, and streamlined review processes.
  • Leverage AI-enabled tools for evidence extraction, document review, control mapping, or supplier intelligence where applicable.
  • Contribute to the evolution of the TPRM methodology and the cybersecurity control library.

Collaboration & Stakeholder Engagement

  • Work closely with Procurement, Legal, Technology, and Business teams to embed supplier cybersecurity expectations into procurement and contracting activities.
  • Provide clear communication on assessment outcomes, risks, and mitigation actions.
  • Support security clause reviews and input to contract obligations when required.

Metrics, Monitoring & Reporting

  • Produce dashboards and reports to reflect supplier assessment progress, open risks, exceptions, and remediation status.
  • Identify trends or recurring issues across suppliers and provide insights for programme improvement.
  • Support updates to relevant governance forums when needed.

Awareness & Knowledge Sharing

  • Deliver internal awareness sessions on supplier cybersecurity expectations and TPRM processes.
  • Stay informed about emerging supply-chain threats, regulatory developments, and best practices.

What You Will Have

Skills and Experience

  • Minimum of 8 years in Third-Party Risk Management, cybersecurity assessment, audit, security assurance, or related roles.
  • Strong understanding of cybersecurity frameworks such as ISO 27001:2022, NIST CSF, SOC 2, GDPR, cloud security principles, and SaaS security controls.
  • Proven ability to review complex technical documents and extract meaningful risk insights.
  • Strong analytical ability with high attention to detail and structured documentation skills.
  • Ability to work autonomously, manage multiple assessments, and handle changing priorities.
  • Effective written and verbal communication suitable for cross-functional teams.

Preferred Qualifications

  • Bachelor’s degree in Cybersecurity, Information Security, IT, Risk Management, or equivalent.
  • Certifications such as CRISC, CTPRP, CISA, CISSP, ISO 27001 Lead Auditor/Implementer are desirable.
  • Experience with AI-enabled assessment or automation tools is advantageous.

Behavioural Attributes

  • A balanced, risk-based mindset with the ability to make sound, well-reasoned decisions.
  • Logical thinking, problem-solving ability, and willingness to challenge assumptions where needed.
  • Commitment to continuous improvement and professional growth.
  • Collaborative, dependable, and able to build strong working relationships.

What We Do For You

  • Wellbeing focused – Our people are our greatest assets, and ensuring everyone feels at their best when they come to work is integral.
  • Annual Leave – 20 days of annual leave, plus public holidays.
  • Employee Assistance Programme – Free advice, support, and confidential counselling available 24/7.
  • Personal Growth – Regardless of where you are in your career, we’re committed to enabling your growth personally and professionally.
    • Development Programmes – From Future Managers to Leadership Training, our development programmes help you get where you need to go.
    • Online Learning Platform: SkillsHub! – Learning at your fingertips, anytime from anywhere. You can access our online library with relevant content for your career growth.
  • Life Insurance – 3x annual salary.
  • Personal Accident Insurance – Providing cover in the event of serious injury/illness.
  • Performance Bonus – Our Group-wide bonus scheme enables you to reap the rewards of your success.

Who We Are

OneAdvanced is one of the UK's largest providers of business software and services serving 20,000+ global customers with an annual turnover of £330M+. We manage 1.5 million 111 calls per month, support over 2 million Further Education learners across the UK, handle over 10 million wills, and so much more. Our mission is to power the world of work and, as you can see, our software underpins some of the UK's most critical sectors.

We invest in our brilliant people. They are at the heart of our success as we strive to be a diverse, inclusive and engaging place to work that not only powers the world of work, but empowers the growth, ambitions and talent of our people.
