Design and lead security audits across complex government systems, combining automated scanning with manual testing and producing findings that are clearly framed around risk and remediation rather than just compliance status.
Drive continuous compliance monitoring against applicable standards and regulations (Cyber Essentials, the NCSC Cyber Assessment Framework, GovAssure, UK GDPR, and the NIS Regulations), feeding posture data into governance and risk reporting rather than treating it as a point-in-time exercise.
Lead risk assessments and threat-modelling sessions, selecting methodologies (ISO 27005, NIST RMF, STRIDE, MITRE ATT&CK) that are proportionate to system criticality, and ensuring findings feed into programme governance decisions rather than sitting in security documentation alone.
Communicate security findings and risk clearly to a range of audiences (technical detail for engineering teams, risk-framed summaries for senior stakeholders), structuring reports around the decisions people need to make, not just the controls you've tested.
Embed security as a continuous engineering concern, supporting threat modelling and security reviews throughout delivery, challenging designs that create unnecessary risk, and mentoring colleagues on secure-by-default practices.
Support and assess supply-chain and third-party security, creating proportionate assurance processes aligned with recognised standards and helping clients identify and address gaps in how they manage vendor and software supply-chain risk.
Mentor and coach colleagues and client team members, pairing on complex assurance work, sharing knowledge openly across the practice, and actively contributing to the capability of everyone around you, not just delivering your own work well.
Contribute to the commercial and strategic health of engagements, staying alert to unmet client needs, managing scope within contracted boundaries, and surfacing opportunities or risks to account leadership as they arise.
Requirements
Hold one of the following — Certified Information Systems Auditor (CISA), Systems Security Certified Practitioner (SSCP) — or an equivalent audit and assurance practitioner credential.
Certified in Risk and Information Systems Control (CRISC).
Certified Information Systems Security Professional (CISSP).
Experience advising clients on UK government security frameworks — including GovAssure, the NCSC Cyber Assessment Framework, Cyber Essentials Plus, and the HMG Security Policy Framework — and how they interact in practice.
Experience leading risk assessments using structured methodologies (ISO 27005, NIST RMF, or FAIR) and embedding risk outputs into programme governance rather than treating them as standalone deliverables.
Demonstrated ability to design security controls and governance approaches for cloud environments, with an understanding of how compliance requirements apply in AWS, Azure, or GCP contexts.
Working knowledge of incident response planning — establishing policies, assessing team readiness, and mentoring others on preparedness — ideally in a government or regulated environment.
Experience conducting or leading supply-chain security assessments, including third-party risk and software provenance, with reference to recognised standards.
Familiarity with tools used for continuous compliance monitoring, automated controls testing, or cloud security posture management (for example, CSPM tooling, SIEM platforms, or vulnerability management tools).
Evidence of actively shaping your own development — a T-shaped specialism, seeking and acting on feedback, and sharing learning openly with colleagues and the wider practice.
Experience contributing reusable assets — playbooks, templates, tooling, or patterns — back into a practice or community rather than leaving knowledge within a single engagement or team.
Experience running or contributing to structured mentoring relationships, pairing sessions, or retrospectives in a way that measurably improved team capability or ways of working.
Experience co-designing solutions with clients and stakeholders — bringing them into the process rather than presenting conclusions for approval — and delivering value anchored to outcomes rather than outputs.
Experience conducting skills-based assessment of candidates, contributing to interview scripts, or calibrating assessment criteria to ensure fair and consistent evaluation.
Tech Stack
AWS
Azure
Cloud
Google Cloud Platform
Benefits
30 days Holiday
we offer 30 days of paid annual leave
Flexible Working Hours
we are flexible with what hours you work
Flexible Parental Leave
we offer flexible parental leave options
Remote Working
we offer part time remote working for all our staff
Paid counselling
we offer paid counselling as well as financial and legal advice