Posted 8 July, 2026
Job Id: 629071
Compliance Manager (NIST Cybersecurity Framework Maturity Lead) (Contract)
Job Description
Description
Seeking an experienced, self-directed cybersecurity contractor to serve as the NIST Cybersecurity Framework (CSF) Maturity Lead for a focused six-month engagement. This individual will own the design, execution, and documentation of our journey toward NIST CSF maturity — driving the organization from its current baseline to a defined, measurable, and sustainable maturity target. The Lead will operate with a high degree of autonomy, partnering with a junior GRC contractor and collaborating across IT, Engineering, Quality, and Regulatory functions. This is a build role: the person we hire will create the processes, tooling, and governance artifacts needed to support the program — and will be accountable for ensuring those outputs can be transitioned to internal staff at engagement close.
Requirements
What You’ll Do NIST CSF Assessment & Roadmap
* Lead a current-state assessment of company cybersecurity posture against the NIST CSF (v1.1 or v2.0) across all five Functions: Identify, Protect, Detect, Respond, and Recover.
* Establish a target maturity tier and define a prioritized, time-boxed roadmap with clear milestones within the six-month engagement window.
* Map existing controls (policies, procedures, technical safeguards) to CSF Categories and Subcategories; identify gaps and document residual risk.
* Where NIST CSF does not apply directly, leverage equivalent controls from NIST 800-53, ISO 27001, SOC 2, CMMC, or other applicable frameworks to provide crosswalk evidence. Program Governance &
Project Management
* Establish and maintain a formal program charter, RACI matrix, and weekly status reporting cadence for all NIST CSF workstreams.
* Own the program plan — maintaining tasks, owners, dependencies, and milestone dates with rigorous tracking and proactive escalation of blockers.
* Manage the junior GRC contractor: assign work, review deliverables, provide structured feedback, and ensure quality and consistency across outputs.
* Run structured stakeholder meetings, produce clear meeting notes, action registers, and decision logs. * Maintain a living program dashboard visible to CISO and senior leadership reflecting current maturity scores, risk posture, and roadmap status.
Policy, Process & Control Development
* Draft, revise, and finalize cybersecurity policies, standards, procedures, and control narratives required to close CSF gaps.
* Design and implement repeatable processes for control execution — including access reviews, vulnerability management SLA tracking, patch governance, and control attestations.
* Develop evidence collection templates, control calendars, and checklists to support ongoing monitoring post-engagement.
* Build a governance repository (SharePoint, Confluence, or equivalent) organized for auditability and long-term operability.
Risk Management
* Maintain a cybersecurity risk register aligned to CSF subcategories, capturing likelihood, impact, ownership, and remediation status.
* Facilitate risk assessment workshops with IT, Engineering, and Quality stakeholders; document findings and drive decisions to closure.
* Identify, document, and manage exceptions; develop compensating controls where remediation timelines extend beyond engagement scope. Stakeholder Engagement & Influence
* Operate as the primary point of accountability for all NIST CSF maturity activities, working without direct authority over functional teams.
* Build trusted relationships across IT, Engineering, Quality, Legal, and Regulatory Affairs to drive compliant outcomes.
* Communicate program status, risk posture, and decisions clearly to both technical and executive audiences.
* Deliver training or awareness content to stakeholders on relevant control expectations and their responsibilities.
Transition & Knowledge Transfer
* Design all processes with handoff in mind: document workflows, runbooks, and control calendars sufficient for an internal team member to continue operating the program independently.
* Conduct formal knowledge transfer sessions in the final 30 days of the engagement.
* Produce a final engagement report summarizing maturity progress, residual gaps, and recommended next steps.
Required Experience
* 7+ years of experience in cybersecurity, GRC, or a closely related field.
* Demonstrated hands-on experience leading a NIST CSF assessment, gap analysis, or maturity improvement program — OR equivalent depth in NIST 800-53, ISO 27001, SOC 2, or CMMC with proven ability to apply crosswalk to NIST CSF.
* Strong project management skills: the ability to build and manage a formal program plan, track milestones, escalate risks, and deliver consistently on schedule.
* Proven track record of working autonomously in contractor or consulting roles with minimal supervision.
* Experience managing or mentoring junior team members and reviewing their work for quality.
* Demonstrated ability to build processes and documentation from scratch that are designed to outlast the builder’s tenure.
* Experience producing executive-facing reporting (dashboards, risk summaries, status decks).
* Strong written communication skills — policies, procedures, and program documentation must be clear, concise, and audit-ready.
Preferred Qualifications
* Prior engagement in a regulated industry (medical device, pharma, financial services, defense) where compliance rigor and documentation standards are high.
* Familiarity with the NIST CSF v2.0 update and its new Govern function.
* Experience with GRC platforms (ServiceNow GRC, Archer, Drata, Vanta, or similar).
* Relevant certifications: CISM, CRISC, CGRC/CAP, CISSP, ISO 27001 Lead Implementer, or equivalent.
* Familiarity with FDA cybersecurity guidance in the context of medical device GRC (a plus, not a requirement).
Working Style Requirements
* Must be able to operate as a self-starter — define the work, not just execute it.
* Must demonstrate structured thinking: organized, methodical, detail-oriented with an eye for process quality.
* Must be comfortable with ambiguity and building structure in environments where it does not yet fully exist.
* Must communicate proactively — surfacing issues, seeking alignment, and keeping stakeholders informed without being prompted.
Equal Opportunity Employer
We are proud to be an equal opportunity employer. We welcome and encourage applications from all qualified candidates regardless of race, sex, gender identity or expression, disability, age, religion or belief, sexual orientation, or any other characteristic protected by applicable laws and regulations. It is our policy not to discriminate against any applicant or employee, and we are committed to fostering a diverse, inclusive, and respectful work environment across all locations in which we operate. We believe that diversity, equity, and inclusion are fundamental to our mission and enhance our ability to serve clients globally. If you have a disability or require any reasonable accommodations during the application or interview process, please inform your recruiter or contact us directly so that we can explore the appropriate arrangements.
Fraud Alert
Candidate safety is a top priority at Planet Pharma. The industry has seen an increase in people falsely representing themselves as recruiters to gather personal information from job seekers. For your safety, do not provide sensitive data to anyone you have not spoken with thoroughly, never provide banking information during the application process and always double check the email address of the Recruiter to ensure it’s from an official Planet Pharma domain (@planet-pharma.com, @planet-pharma.co.uk, and @ppgadvisorypartners.com) and not a domain with an alternative extension like .net, .org or .jobs.