Information Security Manager: Governance, Risk and Compliance (GRC)
- Role: Information Security Manager: Governance, Risk and Compliance (GRC)
- Location: London or Newcastle
- Salary: London: Up to £80,000 per annum; Newcastle: Up to £70,000 per annum.
- Type of contract: Full Time, permanent
- Location: Hybrid working. On-site at our London or Newcastle office 2 days per week minimum
Nationality Requirement
- UK Nationals
- Nationals of Commonwealth countries who have the right to work in the UK
- Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)
Please note, we are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk (hrservicedesk@nao.org.uk) should you have any questions on your nationality eligibility.
Why are we recruiting?
In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO’s security maturity, our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.
We’re not just growing—we’re evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO’s digital future.
We’re on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you’ll find real scope to make an impact—both within InfoSec and across the wider organisation.
- Be part of a diverse and expanding team that thrives on challenge and innovation.
- Work in a complex, data-rich environment where your insights will shape national-level outcomes.
- Help embed security into every layer of our digital transformation—from strategy to code.
This is more than a job. It’s a chance to help define the future of security at the NAO and be part of a high-performing and fun team.
Context And Main Purpose Of The Job
Why are we recruiting for this role?
Integral to the NAO’s Information Security strategy is a focussed Governance, Risk and Compliance function dedicated to delivering the breadth of Information Security controls into a fast-paced and agile organisation.
This specialist GRC role will run and develop our certified ISMS and its InfoSec policies, standards, and procedures, transforming the NAO’s security posture and risk profile, supporting our ambition of being an exemplar organisation.
Who are the team?
The Information Security Manager: GRC role sits within an inclusive, respectful, and agile team of information security professionals, responsible for enabling the business to better understand, identify and manage the threats and risks that impact the NAO’s ability to deliver on its vision and strategy.
What are the main responsibilities of this role?
The GRC Manager will be instrumental in guiding the development of the NAO’s information security services, will lead investigations, develop stakeholder relationships, and identify and deliver new initiatives to support continual risk reduction.
The GRC Manager will lead on the running and continual improvement of the NAO’s Information Security Management System, ensuring that the annual certifications are maintained, the underlying systems are improved, and the associated controls deliver value to the organisation.
The successful candidate will be an organised, decisive, and persuasive professional, able to deliver new and develop existing information controls within a challenging environment.
They will have an excellent knowledge of security concepts and an understanding of how to implement them effectively. They will be responsible for collating and reporting key performance metrics and will understand how to articulate the “so what?” message to stakeholders, communicating effectively with all levels of users, delivering a high level of customer service.
This role will lead on Info Sec risk management and will be instrumental in helping the organisation understand its risk profile through thorough risk identification, quantification, prioritisation, and treatment.
Relationships
Reporting to: Head of Information Security Assurance
Internal: Close working relationships with Info Sec peers, Digital Services, development teams and the broader organisation.
External: Microsoft and other key suppliers, vendors, and peers in similar organisations.
Resources Managed: None
The Information Security Manager: GRC will be responsible for the following:
Leadership
- Management of Information Security’s Governance, Risk and Compliance functions in their delivery of robust best-practice controls within an exemplar organisation.
- Collaborate with and build relationships with key stakeholder groups, such as Information Security and Digital Services to establish a strong understanding of the organisation and its needs.
- Ability to see the bigger picture and bring new ideas and challenge the status quo.
- Leadership by example, demonstrating a positive can-do attitude that supports both the team’s professional work and its culture.
- Ability to explain complex matters to a non-technical audience in a clear, concise and engaging way.
GRC Management
- The management and leadership of key security controls across the breadth of the organisation to ensure that security posture is effectively managed in line with enterprise risk appetite.
- Delivering great governance across the organisation’s Information Security functions, ensuring that senior stakeholders understand how effective the NAO’s Information Security is.
- Manage and develop reporting requirements for Info Sec Management and other senior stakeholders.
- Deliver meaningful supplier assurance controls, reviewing third parties’ security across suppliers, partners, and clients.
- Lead and design processes for assessing the NAO’s compliance against policies and standards.
- Ensure that information processing activities meet with or exceed relevant security principles and practices.
- Define and lead a project on product security reviews, in line with relevant frameworks, ensuring that standardised security best practice and non-functional requirements enable the delivery of secure NAO products.
ISMS
- Drive the maintenance and development of the NAO’s Information Security management systems.
- Developing existing and delivering new InfoSec policies, standards, and controls.
- Defining and co-ordinating an ongoing security awareness and training strategy.
- Supporting the maintenance and improvement of the Info Sec Business Continuity and Disaster Recovery plans.
- Maintaining, retaining, and delivering substantive improvements to our ISO27001 and Cyber Essentials Plus certifications, with the full support of the Info Sec team, Digital Services, and the broader organisation.
- Contributing to defining and refining what great Info Sec looks like, embedding the use of best practice controls across the organisation.
- Ensure that NAO information assets are recorded, assessed, monitored, and appropriately protected.
- Evangelise information security as an SME, across the NAO.
- Develop and lead processes on the identification and management of the NAO’s InfoSec risk, and drive appropriate and pragmatic risk treatment solutions to conclusion.
- Ensuring that the NAO’s information security priorities, programs and controls are risk based.
- Management and development of the Information Security Risk Register and associated processes.
- Ensure that the wider organisation documents and treats Information Security risks in BC/DR plans.
- Manage and coordinate the delivery of appropriate and proportionate risk treatments in line with the NAO’s risk appetite.
- Analytical and problem-solving abilities, with attention to detail.
- Ability to work collaboratively within multidisciplinary teams, including colleagues in audit and technology.
- Proactive in promoting secure practices, continuous improvement, and organisational change.
- Substantial experience as an Information Security professional.
- Working towards, or able to obtain within six months, a relevant professional certification such as CISSP, CISM, CISA, or CRISC.
- Holds, or can obtain, SC Security Clearance.
- ISO 27001
- Current IT security issues, especially those relevant to government
- Experience in an Information Security role with a focus on governance, risk, or compliance activities.
- Experience in data protection and GDPR.
- One or more of the following industry accreditations:
How to apply
- Apply online and create a profile on our careers page
- Submit a cover letter setting out briefly why you’re suitable for the role, based on the key skills/competencies required (maximum 1,000 words)
Selection process
- Thursday 7 and Thursday 14 August - Longlisted candidates will be invited to an initial telephone interview with either the Director or Head of Information Security
- Wednesday 27 and Thursday 28 August - Following the initial telephone interview, shortlisted candidates will be invited to a panel interview
Seniority level: Mid-Senior level
Employment type: Full-time
Job function: Information Technology
Industries: Government Administration