Job Description
Do you have excellent attention to detail and the confidence to advise and influence colleagues and stakeholders at all levels?
National Records of Scotland are looking for dynamic individuals to join the Cyber Security Team as a Cyber Security Risk Manager.
You will be responsible for managing governance, risk & compliance (GRC) processes in order to protect the confidentiality, integrity, and availability of information and information systems in NRS and across Scottish Government.
You will bring demonstrable experience in GRC, including (but not limited to): risk management, incident management and security assurance.
Responsibilities
The Cyber Security Risk Manager will work within established technology and security risk management governance structures, usually under supervision, to support, review and undertake straightforward risk management activities such as:
- Support the Technology Operational Risk Board and manage the associated procedures and reporting for IT Services
- Helping with the analysis and derivation of business-supporting security needs
- Undertaking Cyber Security related risk assessments, basic threat assessments and other risk management activities
- Have an understanding of the applicability of appropriate legislation and regulations
- Provide advice to address identified IT and Cyber Security related risks by applying a variety of security capabilities, which may include using published guidance, standards or experts as appropriate
- Provide straightforward advice to validate the effectiveness of risk mitigation measures, including an understanding of how to use different assurance activities (such as a pen test) and make recommendations for improvement
- Help risk or service owners to make decisions that are well informed by good and clear security advice, including contributing to reports or working within established reporting chains in a security team.
Security and Information Risk Advisors support effective information security risk management by providing advice and guidance on the proportionate and effective specification, implementation, and operation of cyber security controls to protect the integrity, availability, authenticity, non-repudiation and confidentiality of Scottish Government information. They also provide guidance on the relevant compliance of information systems with legislation, regulation and relevant standards.
- Provide basic advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards.
- Obtain and act on vulnerability information and conduct security risk assessments and business impact analysis on basic information systems.
- Investigate breaches of security and recommend appropriate control improvements.
- Interpret information assurance and security policies and apply these in order to manage risks.
- Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
- Use control testing information to support information assurance assessments.
Qualifications
No specific qualifications are required although relevant professional qualifications would be beneficial in the role.
Success profile
Success profiles are specific to each job and they include the mix of skills, experience and behaviours candidates will be assessed on.
Technical / Professional Skills:
- Analysis (Working)
- Communicating between the technical and non-technical (Working)
- Design secure systems (Working)
- Enabling and informing risk-based decisions (Working)
- Research and innovation (Awareness)
- Specific security technology and understanding (Awareness)
- Understanding security implications of transformation (Awareness)
You can find out more about the skills required here: Cyber Security Risk Manager - Cyber security: advisory - gov.scot
Experience:
- Significant experience in cyber risk management, including conducting risk assessments and threat assessments.
- Knowledge of cyber security frameworks, with familiarity in frameworks such as NIST, ISO 27001, or CIS Controls.
- Demonstrable experience with cyber security processes and technologies, including Security Information and Event Management (SIEM), Vulnerability Management, and Penetration Testing.
- Strong communication skills and experience in conveying information to diverse audiences, including senior management, with the ability to explain technical issues in a non-technical manner.
Behaviours:
- Making effective decisions (Level 3)
- Communicating and influencing (Level 3)
- Working together (Level 3)
You can find out more about Success Profiles Behaviours, here: Success Profiles - Civil Service Behaviours (publishing.service.gov.uk)
How to apply
Apply online, providing a CV and Supporting Statement (of no more than 1500 words) which provides evidence of how you meet the skills, experience and behaviours listed in the Success Profile above. If invited for further assessment, this will consist of an interview and presentation.
Assessments are scheduled for w/c 22nd September 2025 however this may be subject to change.
Artificial Intelligence (AI) tools can be used to support your application, but all statements and examples provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, and presented as your own) applications will be withdrawn and internal candidates may be subject to disciplinary action.
Please see our candidate guidance for more information on acceptable and unacceptable uses of AI in recruitment.
About us
National Records of Scotland (NRS) is Scotland's record keeper. Our purpose is to collect, preserve and produce information about Scotland's people and history and make it available to inform current and future generations. We offer rewarding careers and employ people across Scotland in a wide range of professions and roles.
NRS is a Non-Ministerial Department of the Scottish Government and our staff are part of the UK Civil Service, working for Ministers and senior stakeholders to deliver vital public services which improve the lives of the people of Scotland.
We offer a supportive and inclusive working environment along with a wide range of employee benefits. Find out more about what we offer.
As part of the UK Civil Service, we uphold the Civil Service Nationality Rules.
DDaT Pay Supplement
This post is part of the Scottish Government Digital, Data and Technology (DDAT) profession. As a member of the profession you will join the professional development system. This post currently attracts a £5,000.00 annual DDAT pay supplement, applicable after a 3-month competency qualifying period. The payment will be backdated to your start date in the role. Pay supplements are reviewed regularly and there is one currently underway. Changes will be communicated when the review is concluded.
Working pattern
Our standard hours are 35 hours per week. We offer a range of flexible and hybrid working options depending on the needs of the role. If you have specific questions about the role you are applying for, please contact us.
Security checks
Successful candidates must complete the Baseline Personnel Security Standard (BPSS) before they can be appointed. BPSS is comprised of four main pre-employment checks - Identity, Right to work, Employment History and a Criminal Record check (unspent convictions).
You can find out more about BPSS on the UK Government website, or read about the different levels of security checks in our Candidate Guide.
Equality statement
We are committed to equality and inclusion and we aim to recruit a diverse workforce that reflects the population of our nation.
Find out more about our commitment to diversity and how we offer and support recruitment adjustments for anyone who needs them.
Further information
Applicants must hold or be prepared to undergo Baseline Personnel Security Standard (BPSS) checks before commencing employment.
Additionally, this post requires the successful candidate to achieve National Security Vetting Security Check (SC) after commencing employment. Further information regarding National Security Vetting and SC clearance can be found here - United Kingdom Security Vetting: Applicant - GOV.UK
For meaningful checks to be carried out, individuals need to have lived in the UK for a sufficient period of time to enable appropriate checks to be carried out and produce a result which provides the required level of assurance. You should normally have been resident in the United Kingdom for the last 3 years if the role requires CTC clearance, 5 years for SC clearance and 10 years for DV. A lack of UK residency in itself is not necessarily a bar to a security clearance and applicants should contact the Vacancy Holder/Recruiting Manager listed in the advert for further advice.
Find out more about our organisation, what we offer staff members and how to apply on our Careers Website.
Read our Candidate Guide for further information on our recruitment and application processes.
For further information on this vacancy, please contact Cameron Webster at Cameron.Webster@nrscotland.gov.uk
Apply before: 4 September 2025 (23:59)