Compliance Officer

  • London, England, United Kingdom
  • Full-Time
  • On-Site
  • 45,000 GBP / Month

Job Description:

Location - UK remote - fully remote
Hours - 37.5 hours
Salary -up to £45,000 per annum


About EnergySys
EnergySys is a platform used by software builders and consultants who serve oil and gas companies. Our partners build applications on top of us, and those applications run some of the most critical data and reporting workflows in the energy sector.
We've been around for over 20 years, which means we're not a startup bet. We're an established business with a real product, real customers, and a PE-backed growth target.

Our culture:
EnergySys is shifting towards a high-performing, high-trust environment based on freedom
and responsibility. That means we expect our people to take ownership, use their
judgement, and care deeply about their impact. In return, we give them the space and trust
to do the job the way they believe is best. This role is perfect for someone who wants to
lead and build, not just follow a playbook

Why this role exists:
As the business scales, the need for structured governance, process integrity, and accountability across day-to-day operations has become a strategic priority.
This role exists to own that accountability. The postholder will serve as the operational backbone of the company- ensuring that internal processes are documented, consistently applied, and aligned with applicable regulatory requirements. Working closely with the CEO and leadership team, they will maintain clear ownership of cross-functional projects, people-related processes, and compliance-sensitive workflows, ensuring that nothing falls through the gaps as the business grows.


What you’ll be responsible for:

Audit & Certification
You'll own the ongoing SOC 2 Type II and ISO 27001:2022 audit lifecycle for an already-certified organisation: surveillance and recertification audit planning, evidence readiness, auditor liaison, and remediation tracking.You'll maintain the ISMS (including the Statement of Applicability), ensure continuous audit readiness, and handle customer security assessments and certification enquiries as they arise.

Drata
Primary administrator. You'll own framework configuration and control mapping (largely built, with ongoing refinement as frameworks evolve), and maintain integration health across AWS, Microsoft Entra ID, Intune, GitHub, Rippling, and connected systems. Automated evidence collection sits with individual control owners; you monitor for gaps or failures and escalate to keep owners accountable. Drata is the system of record, working alongside the ISMS manual as a maintained backup; you keep both consistent.

Governance & Risk
Chair the Governance, Risk and Compliance Committee, owning the agenda and policy review cycle. Maintain the company risk register in Drata, and produce clear, concise reporting for leadership and the board on audit status, risk exposure, and control effectiveness.

Policy & Documentation
Own the policy register in Drata, ensuring policies stay current and accurate. Update existing policies as needed in response to regulatory changes, certification requirements, or operational changes, working within the review cycle set by the Governance and Compliance Committee. Monitor regulatory and certification developments to advise leadership on required updates.

Vendor & Third-Party Risk
Conduct and support structured vendor risk assessments in Drata alongside vendor owners, who are responsible for periodic reviews of their assigned vendors. Review SOC 2 reports, ISO certificates, and DPAs, maintain the vendor register, and ensure periodic reviews are completed on schedule, escalating where owners fall behind. Oversee third-party due diligence and contract compliance requirements.

Infrastructure & Evidence
Navigate AWS, Microsoft Entra ID, Intune, and GitHub to pull evidence with little to no developer assistance. Use AI tools actively to accelerate evidence gathering, policy drafting, and control assessments. Support access management and joiner/mover/leaver processes from a governance perspective.

Training, Culture & Regulatory
Administer cybersecurity awareness training via Rippling LMS and track completion against framework requirements. Support compliance across EnergySys's three legal entities (UK, Australia, US), including GDPR and relevant data protection obligations. Embed a culture where compliance is practical, proportionate, and understood across the organisation.

What we're looking for:
Essential
- Hands-on SOC 2 and/or ISO 27001 experience: evidence management, direct auditor engagement
- GRC platform experience (Drata, Vanta, or similar)
- Cloud literacy: comfortable navigating AWS and Microsoft Entra ID, or actively willing to learn
- Strong written communication: policies, risk registers, committee papers & minutes
- Self-directed and ownership-minded, able to run a compliance programme independently
- AI-native: you use LLMs and AI tools as genuine productivity accelerators

In short:

  • We need someone who maintains, operates, and owns; not someone who reports findings to others.
  • You will be the sole compliance resource, working closely with the Head of Operations and engineering leadership.
  • EnergySys is lean and fast-moving; pragmatism and proportionality are valued over process for process's sake.
  • Drata is your tool, but the thinking, the judgement, and the ownership are yours.

    What We Offer here @ EnergySys
  •  Unlimited holiday — flexibility to take the time you need; we trust you to manage your time and deliver
  •  Private medical insurance
  •  EnergySys matches your contributions up to 8% of salary
  •  Enhanced parental leave — 3 months full pay maternity, 4 weeks full pay paternity
  •  ISO 27001 Lead Implementer certification funded 
  •  Direct access to senior leadership — you will work closely with the Head of Operations and CEO with genuine influence
  •   Real ownership — the compliance programme is yours to run; we have the foundations and the tools in place, but we need someone who takes initiative, sets the direction, and moves without waiting to be told

    How to Apply
    Please send your CV alongside a brief cover note, no more than one page, addressing the following two questions:
  1. Describe a time you owned and improved an existing compliance programme rather than building one from scratch. What did you change, what resistance did you encounter, and how did you bring people with you?
  2. Walk us through how you've used a GRC platform (Drata, Vanta, or similar) to maintain audit readiness between certification cycles ,including a time something slipped (a control owner missed evidence, an integration broke, a review lapsed) and how you caught and resolved it.



We will read your CV for the technical baseline. The cover note is how we understand how you think and how you work with people. Keep it concise, quality over length.
Applications without a cover note will not be progressed.