Inside IR35 DevOps Auditor Fully Remote
Posted 2 hours 26 minutes ago by InterAct Consulting
Inside IR35 | DevOps Auditor (Audit Phase)
- Duration: Initial 7 days (potential extension up to 12 months)
- Day Rate: £475-£525 (Inside IR35)
- Location: Fully remote (UK-based contractors only)
- Sector: Healthcare/DevOps & Systems Audit
This engagement is ideal for a hands-on DevOps or platform practitioner with audit, compliance, and regulated environment experience who can quickly assess maturity and advise on next steps toward secure, governed operations.
We're seeking an experienced DevOps Auditor to support a UK healthcare client with an audit of their CI/CD, infrastructure, and operational controls. This short engagement (approx. 7 days) will deliver a compliance-ready assessment, gap analysis, and remediation roadmap, laying the foundation for a potential longer-term 12-month engagement to implement improvements.
Key Responsibilities
- Review current-state AWS DevOps practices across CI/CD pipelines, infrastructure-as-code (Terraform/Bicep), secrets management, and release/change controls.
- Capture and assess evidence such as pipeline logs, approvals, artefact integrity/signing, access controls, and configuration baselines.
- Validate security posture via SAST/DAST scans, dependency and licence reviews, container/image policies, and supply-chain controls.
- Evaluate logging, monitoring, and observability practices.
- Map findings to compliance frameworks (eg, ISO 27001, SOC 2, or NHS DSPT where applicable).
- Produce a comprehensive gap analysis, risk register (with severity and likelihood ratings), and prioritised remediation backlog.
- Define minimum DevOps guardrails for the next delivery phase (eg, mandatory checks, branch protection, promotion criteria).
Deliverables (by end of audit)
- DevOps Audit Report (executive summary + detailed findings).
- Compliance mapping (ISO 27001 Annex A/SOC 2 trust principles) with gap list.
- Risk register including mitigations, effort, and impact estimates.
- Prioritised remediation backlog and proposed guardrails for Phase 2.
- RACI for change/release management and access review summary.