| Job description | •Role: Information Security Specialist
•Location: London or Newcastle
•Salary: London: Up to £70,000 per annum, Newcastle: Up to £61,00 per annum
•Type of contract: Full Time, permanent
•Location: Hybrid working. On-site at our London or Newcastle office 2 days per week minimum
Nationality Requirement:
• UK Nationals
• Nationals of Commonwealth countries who have the right to work in the UK
• Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)
Please note, we are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk (hrservicedesk@nao.org.uk) should you have any questions on your nationality eligibility.
Why are we recruiting?
In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO’s security maturity our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.
We’re not just growing—we’re evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO’s digital future.
We’re on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you’ll find real scope to make an impact—both within InfoSec and across the wider organisation.
-Be part of a diverse and expanding team that thrives on challenge and innovation.
-Work in a complex, data-rich environment where your insights will shape national-level outcomes.
-Help embed security into every layer of our digital transformation—from strategy to code.
This is more than a job. It’s a chance to help define the future of security at the NAO and be part of a high performing, and fun team.
Who are the team?
Our team is inclusive, diverse, and agile, dedicated to helping the business understand, identify, and manage threats and risks that could affect the NAO’s vision and strategy.
The National Audit Office (NAO) is the UK’s main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects and activities. We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some ~1300 staff, most of whom are qualified accountants, trainees or technicians. They work in one of two main areas, financial audit or value for money (VFM) audit.
The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people have the opportunity to develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.
The NAO supports flexible working and is happy to discuss this with you at application stage.
Relationships
Reporting to: Head of Information Security
Internal: Close working relationships with Info Sec peers, Digital Services, and development teams.
External: Microsoft and other key suppliers, vendors, and peers in similar organisations.
Resources Managed: None
How to apply
1. Apply online and create a profile on our careers page
2. Submit an up-to-date CV
3. Submit a cover letter setting out briefly why your suitable for the based on the key skills/competencies required (maximum 1,000 words)
Selection process
1. Monday 11 and Tuesday 19 August - Longlisted candidates will be invited to an initial telephone interview with either the Director or Head of Information Security
2. Thursday 4 and Friday 5 September- Following the initial telephone interview, shortlisted candidates will be invited to a panel interview |
|---|
| Responsibilities | What are the main responsibilities of this role?
This role will sit in a hybrid function, bridging the running and continual improvement of technical controls, procedural documentation, and compliance certification.
The Information Security Specialist is a new role, critical to supporting the rapid security maturity improvements and will develop over time gaining responsibilities as new or improved capabilities are delivered into the function.
This is a new role which will develop over time, with plenty of opportunities to be shaped by the individual in post. They will be involved in many new and diverse change and development programmes which will require an open and agile approach to delivering great, innovative security
Compliance and Process
o Management of the Cyber Essentials and CE+ certification process.
o Maintaining ISO27001:2022 compliance.
o Establish and run the review and improvement of the NAO’s Disaster Recovery plans.
o Ensuring our technical policies stay relevant and fit for purpose, and maintaining them in line with ISO27001 requirements, NCSC best practise, and alignment with HMG standards.
o Support in develop and implement a Product Assurance framework with the GRC team. Own the process to deliver meaningful assurance as we integrate new products into the environment.
o Reviewing and managing the Information Asset Inventory assessments, assessing the technical control performance across our technology estate.
o Supporting in training requirements across the organisation.
o Ownership of regular reporting for senior stakeholders.
o Supporting GRC in driving NIST maturity, taking ownership of assigned areas.
Technical
o Own the Data Loss Prevention controls developing new controls and refining existing.
o Facilitate eDiscovery activities.
o Own InfoSec’s DR Incident Response plans and testing
o Supporting in management of Data Loss Incidents
o Maintain and develop Privilege Management controls
o Support in all technical workstreams. Initial focus on IAM and Email and Communications projects, working closely with the project leads.
o Ownership, delivery and development of phishing simulations and training
Risk Management
o Proactively identify, evaluate, and assess threats and risks that may impact the NAO’s ability to deliver on its vision and strategy.
o Contribute to the maintenance of the Information Security Risk Register.
o Support the delivery of appropriate and proportionate risk treatments, in line with the NAO’s risk appetite. |
|---|
| Skills required | Key skills/competencies required:
Essential
• Stakeholder interfacing skills, and an ability to talk to technical colleagues, translating complex messages into the wider organisation.
• Experience working within a governance focussed organisation and making processes simpler.
• Proactive and positive attitude towards ongoing role focussed personal development.
• Understanding of key security principles, threats, controls, and risks
• Detailed knowledge of key threat actors affecting the NAO.
Desirable
• Significant experience working within or implementing ISO 27001:2022 ISMS
• Experience maintaining Cyber Essentials Plus
• Hold one or more of the following industry accreditations, or able to achieve within six months:
o CISSP, CISM, CISA, CRISC
o Comp TIA Sec+, Azure Cloud or Microsoft Security certifications. |
|---|
