Information Security Specialist: GRC

2 weeks ago


London, Greater London, United Kingdom | UK National Audit Office | Full time | £68,000 - £80,000 per year


• Role: Information Security Specialist: GRC
• Type of contract: Full time, permanent
• Location: Hybrid working. On-site in London or Newcastle, minimum 2 days per week
• Salary: London c.£68,000, Newcastle c.£59,000, plus Civil Service employer pension contribution of 28.9%

Please note that we are not able to sponsor work visas or accept temporary visas, as we are looking to hire on a permanent basis. Please contact the HR Service Desk should you have any questions about your nationality eligibility.

In a nutshell: who are we looking for?

As a GRC Specialist at the NAO, you'll play a critical role in delivering and maintaining effective governance, risk, and compliance activities. This is a hands-on role for someone who takes initiative, communicates with confidence, and works seamlessly across technical and non-technical teams.

The successful candidate will be able to work independently, but will also contribute within team environments, support the team's shared goals across both technical and procedural control areas, and input into the continued development of this critical function.

Context and main purpose of the job:

Secure the Future. Shape the Cloud. Drive Innovation.

In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investments aimed at enhancing the NAO's security maturity, our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.

We're not just growing—we're evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO's digital future.

We're on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you'll find real scope to make an impact—both within InfoSec and across the wider organisation.


• Be part of a diverse and expanding team that thrives on challenge and innovation.
• Work in a complex, data-rich environment where your insights will shape national-level outcomes.
• Help embed security into every layer of our digital transformation, from strategy to code.

This is more than a job. It's a chance to help define the future of security at the NAO and be part of a high performing, collaborative, and innovative team.

Why are we recruiting for this role?

We're strengthening our approach to governance, risk, and compliance (GRC) and are looking for a GRC Specialist to help embed and mature key practices across the organisation. This role will support the delivery of the GRC framework, including risk management, supplier assurance, embedding security culture and awareness, and compliance processes, ensuring GRC becomes an integrated part of how we operate at the NAO.

Who are the team?

The Security team plays a critical role in enabling the NAO to deliver its strategic objectives both safely and securely. Part of the wider Infosec team, the GRC Specialist sits within a high-performing, inclusive, and highly skilled team of information security professionals. The team is known for its collaborative, fun spirit, deep expertise, and strong commitment to enabling the business to better understand, identify, and manage the threats and risks that could impact the NAO's ability to deliver on its vision and strategic goals.

About the National Audit Office

The National Audit Office (NAO) is the UK's main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects, and activities.

We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some 900 staff, most of whom are qualified accountants, trainees, or technicians. They work in one of two main areas, financial audit, or value for money (VFM) audit.

The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people can develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.

The NAO supports flexible working and is happy to discuss this with you at application stage.

Relationships:

Reporting to: Head of Information Security / Information Security Manager: GRC

Internal: Close working relationships with Infosec peers, Digital Services, Internal Communications, Procurement, development teams and the broader organisation.

External: NAO suppliers, vendors, and peers in similar organisations.

Resources Managed: None

The Role:

Governance


• Maintain and update security policies, procedures, and guidelines to ensure alignment with regulatory and business requirements.
• Report on risk and compliance status to relevant stakeholders.
• Support the development and management of a network of Security Champions to promote awareness and embed best practices.
• Foster a security-aware culture through effective communication and engagement strategies.

Risk Management


• Conduct risk assessments across systems, processes, and new and existing third parties, ensuring alignment with Infosec policies and frameworks.
• Maintain the risk register, ensuring risks are owned, have treatment plans, and are actioned in a timely manner.
• Improve and maintain risk dashboards to enhance visibility and reporting.
• Support the wider organisation with its treatment of information security risks across all change and BC/DR plans.

Compliance


• Drive continuous improvement of security awareness training and compliance initiatives.
• Support the management and maintenance of ISO/IEC 27001 certification and related compliance frameworks.

Product Assurance


• Deliver security-focused product assurance, ensuring standardised best practices and non-functional requirements are embedded in tools and services.
• Ensure projects are risk-assessed, have defined security requirements, and track mitigation activities.
• Conduct information asset inventory assessments to verify security controls and compliance alignment.

Supplier Assurance


• Manage and deliver ongoing cyclical supplier assurance schedules, ensuring assessments are conducted in line with each supplier's risk profile.
• Monitor supplier security posture and recommend appropriate technical and organisational controls to mitigate risk.
• Collaborate with business units and Procurement to advise on supplier risk, support onboarding, and manage remediation efforts.

Key skills/competencies required:

Essential:


• Minimum 3 years' experience in a governance, risk and compliance role, or a similar information security role.
• Subject-matter expert in risk management, confident in providing guidance on the identification, assessment, and mitigation of information security risks across systems, processes, and third-party engagements.
• Experience with and strong knowledge of ISO/IEC 27001, NIST CSF 2.0, or Cyber Essentials/Plus, with an up-to-date understanding of security best practices.
• A solid understanding of Governance, Risk, and Compliance (GRC) processes, including policy development, risk assessments, control monitoring, and regulatory compliance frameworks.
• Able to confidently communicate complex technical concepts in a clear, business-friendly manner, and to collaborate effectively with both technical and non-technical stakeholders across the organisation.
• Self-motivated and curious, with a proactive mindset and a strong commitment to driving good security practices, continuous improvement, and meaningful organisational change.
• Strong team player who upholds team culture and values and collaborates effectively across multidisciplinary teams, including InfoSec, technical and non-technical functions.
• Current SC security clearance, or able to achieve SC clearance.

Desirable


• Familiarity with GRC platforms such as OneTrust, ServiceNow GRC or LogicGate, with experience supporting risk, compliance, and data privacy workflows.
• Understanding of GDPR and data protection principles.
• Ability to identify, suggest, and drive improvements in GRC and information security processes.
• A relevant degree or professional certification, such as CISSP, CISM, CISA, CRISC or CIA.
• Familiarity with the Microsoft security stack is advantageous.
• Experience in or with the public sector, Big Four audit firms or similar is advantageous.

The deadline for applications is 11.59pm 26 October 2025.
