Information Security Manager: Governance, Risk and Compliance (GRC)

Why are we recruiting?

In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO’s security maturity our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.

We’re not just growing—we’re evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO’s digital future.

We’re on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you’ll find real scope to make an impact—both within InfoSec and across the wider organisation.

• Be part of a diverse and expanding team that thrives on challenge and innovation.
• Work in a complex, data-rich environment where your insights will shape national-level outcomes.
• Help embed security into every layer of our digital transformation—from strategy to code.

This is more than a job. It’s a chance to help define the future of security at the NAO and be part of a high performing, and fun team.

Context and main purpose of the job:

Why are we recruiting for this role?

Integral to the NAO’s Information Security strategy is a focussed Governance, Risk and Compliance function dedicated to delivering the breadth of Information Security controls into a fast paced and agile organisation.

This specialist GRC role will run and develop our certified ISMS and its InfoSec policies, standards, and procedures, transforming the NAO’s security posture and risk profile, supporting our ambition of being an exemplar organisation.

Who are the team?

The Information Security Manager: GRC role sit within an inclusive, respectful, and agile team of information security professionals, responsible for enabling the business to better understand, identify and manage the threats and risks that impact the NAO’s ability to deliver on its vision and strategy.

What are the main responsibilities of this role?

The GRC Manager will be instrumental in guiding the development of the NAO’s information security services, will lead investigations, develop stakeholder relationships, and identify and deliver new initiatives to support in continual risk reduction.

The GRC manager will lead on the running and continual improvement of the NAO’s Information Security Management System ensuring that the annual certifications are maintained, the underlying systems are improved, and the associated controls deliver value to the organisation.

The successful candidate will be an organised, decisive, and persuasive professional, able to deliver new and develop existing information controls within a challenging environment.

They will have an excellent knowledge of security concepts and an understanding of how to implement them effectively. They will be responsible for collating and reporting key performance metrics and will understand how to articulate the “so what?” message to stakeholders, communicating effectively with all levels of users, delivering a high level of customer service.

This role will lead on Info Sec risk management and will be instrumental in helping the organisation understand its risk profile through thorough risk identification, quantification, prioritisation, and treatment.

They will be required to use their experience, initiative, creativity and research and problem-solving skills to resolve issues, implement new and develop existing controls and create thorough written documentation.

With the breadth of Information Security GRC to work across, the successful candidate will be a motivated self-starter, able to keep multiple plates spinning, and to prioritise and manage their time effectively.

Responsibilities

The Information Security Manager: GRC will be responsible for the following:

Leadership:

• Management of Information Security’s Governance, Risk and Compliance functions in their delivery of robust best practise controls within an exemplar organisation.
• Collaborate with and build relationships with key stakeholder groups, such as Information Security and Digital Services to establish a strong understanding of the organisation and its needs.
• Ability to see the bigger picture and bring new ideas and challenge the status quo.
• Leadership by example, demonstrating a positive can-do attitude that supports the team both professionally and the team culture.
• Ability to explain complex matters to a non-technical audience in a clear concise and engaging way.

GRC Management:

• The management and leadership of key security controls across the breadth of the organisation to ensure that security posture is effectively managed in line with enterprise risk appetite.
• Delivering great governance across the organisation’s Information Security functions, ensuring that senior stakeholders understand how effective the NAO’s information Security is.
• Manage and develop reporting requirements for Info Sec Management and other Senior Stakeholders
• Deliver meaningful supplier assurance controls, and reviewing third parties’ security across suppliers, partners, and clients.
• Lead and design processes for assessing the NAO’s compliance against policies and standards.
• Ensure that information processing activities meet with or exceed relevant security principles and practices.
• Define and lead a project on product security reviews, in line with relevant frameworks, ensuring that standardised security best practise and non-functional requirements enable the delivery of secure NAO products.

ISMS:

• Drive the maintenance and development of the NAO’s Information Security management systems.
• Developing existing and delivering new InfoSec policies, standards, and controls.
• Defining and co-ordinating an ongoing security awareness and training strategy.
• Supporting the maintenance and improvement of the Info Sec Business Continuity and Disaster Recover plans.
• Maintaining, retaining, and delivering substantive improvements to our ISO27001 and Cyber Essentials Plus certifications, with the full support of the Info Sec team, Digital Services, and the broader organisation.
• Contributing to defining and refining what great Info Sec looks like, embedding the use of best practice controls across the organisation.
• Ensure that NAO information assets are recorded, assessed, monitored, and appropriately protected.
• Evangelise information security as an SME, across the NAO.

Risk Management:

• Develop and lead processes on the identification and management of the NAO’s InfoSec risk and driving appropriate and pragmatic risk treatment solutions to conclusion.
• Ensuring that the NAO’s information security priorities, programs and controls are risk based.
• Management and development of the Information Security Risk Register and associated processes.
• Ensure that the wider organisation documents and treats Information Security risks in BC/DR plans.
• Manage and coordinate the delivery of appropriate and proportionate risk treatments in line with the NAO’s risk appetite.

Key skills/competencies required:

Essential:

• Analytical and problem-solving abilities, with attention to detail.
• Ability to work collaboratively within multidisciplinary teams, including colleagues in audit and technology.
• Proactive in promoting secure practices, continuous improvement, and organisational change.
• Substantial experience as an Information Security professional.
• Working towards, or able to obtain within six months, a relevant professional certification such as CISSP, CISM, CISA, or CRISC.
• Holds, or can obtain, SC Security Clearance.
• Comprehensive technical understanding of:
• ISO 27001
• Risk management methodologies
• Current IT security issues, especially those relevant to government
• Experience in an Information Security role with a focus on governance, risk, or compliance activities.

Desirable:

• Experience in data protection and GDPR.
• One or more of the following industry accreditations:
• ISO 27001 Lead Implementer/Lead Auditor
• GDPR Practitioner