
Security Governance Risk & Compliance Officer

Rowden
Bristol | £50k–60k | Hybrid | Posted 5h ago
Employment
Permanent Full Time

About the role

Key areas of responsibility

  • Advise programme and engineering teams on governance, risk and compliance, helping them identify security requirements.
  • Work closely with customer stakeholders to push for security solutions that are both effective and realistic.
  • Own and develop risk management and assurance documentation and Secure by Design artefacts for new projects.
  • Support the security aspects of bids and contracts and liaise with contracting authorities and accrediting bodies.
  • Support compliance with UK defence and government requirements, including the MOD Cyber Security Model and Def Stan 05-138, the NCSC Cyber Assessment Framework, Secure by Design, and JSP 440 / Defence Security Policy Framework expectations.
  • Track changes to relevant legislation, standards and guidance, including NCSC guidance, MOD requirements, ISO standards and UK GDPR / the Data Protection Act 2018.
  • Help deliver security awareness and training, building a strong security culture.

Key skills, experience and behaviours

  • Experience in a security governance, risk and compliance, information security, audit or assurance role.
  • A sound understanding of security governance and compliance principles.
  • Working knowledge of ISO 27001 and information security risk management, including risk assessment and treatment.
  • Experience maintaining policies, controls and evidence, and supporting internal or external audits.
  • Strong written skills, with the ability to produce clear policies, reports and risk documentation.
  • Sound risk judgement and the ability to make proportionate, well-reasoned decisions.
  • A methodical, detail-oriented approach, with the discipline to keep accurate records and evidence.
  • Strong communication skills, with the ability to turn standards and guidance into clear actions.
  • Confidence to challenge and advise constructively at all levels.
  • Ability to work at pace and manage competing priorities while maintaining quality and control.
  • A degree, or equivalent experience, in cyber security, information assurance, risk management or a related discipline.
  • One or more recognised certifications (such as CISMP, ISO 27001 Lead Auditor or Lead Implementer, CISSP, CISM, CISA or CRISC), either held or being worked towards.
  • Familiarity with UK defence and government frameworks.
  • Knowledge of NIST CSF or 800-53 and of UK GDPR / the Data Protection Act 2018.
  • Experience working in a defence, government or other regulated or secure environment.
  • Pragmatic: You apply controls proportionately and in a risk-based way, avoiding tick-box compliance.
  • Collaborative: You build strong working relationships across teams and with external partners.
  • Proactive thinker: You anticipate issues and actively shape how risks are managed, rather than only reacting.
  • Resilient: You're comfortable in a fast-paced environment where requirements evolve as we learn more about the operational problem.
  • Continuous improvement mindset: Keen to build specialist knowledge and keep pace with changing standards, threats and guidance.

Working at Rowden
