Information Security Specialist: GRC
Posted 4 hours 40 minutes ago by National Audit Office
- Role: Information Security Specialist
- Location: London or Newcastle
- Salary: London - up to £70,000 per annum; Newcastle - up to £61,000 per annum
- Type of contract: Full Time, permanent
- Working arrangement: Hybrid - on-site at our London or Newcastle office 2 days per week minimum
- UK Nationals
- Nationals of Commonwealth countries who have the right to work in the UK
- Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)
We are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk () should you have any questions on your nationality eligibility.
Why are we recruiting?
In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO's security maturity our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.
We're not just growing, we're evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO's digital future.
We're on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you'll find real scope to make an impact - both within InfoSec and across the wider organisation.
- Be part of a diverse and expanding team that thrives on challenge and innovation.
- Work in a complex, data-rich environment where your insights will shape national-level outcomes.
- Help embed security into every layer of our digital transformation - from strategy to code.
This is more than a job. It's a chance to help define the future of security at the NAO and be part of a high-performing and fun team.
Who are the team?
Our team is inclusive, diverse, and agile, dedicated to helping the business understand, identify, and manage threats and risks that could affect the NAO's vision and strategy.
The National Audit Office (NAO) is the UK's main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects and activities. We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some 1300 staff, most of whom are qualified accountants, trainees or technicians. They work in one of two main areas, financial audit or value for money (VFM) audit.
The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people have the opportunity to develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.
The NAO supports flexible working and is happy to discuss this with you at application stage.
Relationships
- Reporting to: Head of Information Security
- Internal: Close working relationships with InfoSec peers, Digital Services, and development teams.
- External: Microsoft and other key suppliers, vendors, and peers in similar organisations.
- Resources Managed: None
Responsibilities for this role include bridging the running and continual improvement of technical controls, procedural documentation and compliance certification, and evolving over time with new or improved capabilities.
Compliance and Process
- Management of the Cyber Essentials and CE+ certification process.
- Maintaining ISO27001:2022 compliance.
- Establish and run the review and improvement of the NAO's Disaster Recovery plans.
- Ensuring our technical policies stay relevant and fit for purpose, and maintaining them in line with ISO27001 requirements, NCSC best practice, and alignment with HMG standards.
- Support in developing and implementing a Product Assurance framework with the GRC team; own the process to deliver meaningful assurance as we integrate new products into the environment.
- Review and manage the Information Asset Inventory assessments, assessing the technical control performance across our technology estate.
- Support training requirements across the organisation.
- Ownership of regular reporting for senior stakeholders.
- Support GRC in driving NIST maturity, taking ownership of assigned areas.
- Own the Data Loss Prevention controls, developing new controls and refining existing ones.
- Facilitate eDiscovery activities.
- Own InfoSec's DR Incident Response plans and testing.
- Support in management of Data Loss incidents.
- Maintain and develop Privilege Management controls.
- Support all technical workstreams - initial focus on IAM and Email and Communications projects, working closely with the project leads.
- Own, deliver and develop phishing simulations and training.
- Proactively identify, evaluate, and assess threats and risks that may impact the NAO's ability to deliver on its vision and strategy.
- Contribute to the maintenance of the Information Security Risk Register.
- Support the delivery of appropriate and proportionate risk treatments, in line with the NAO's risk appetite.