Cyber Security Risk Manager - HMRC - SEO

Bristol (City of Bristol)
Permanent
Security risk manager
£44,110 - £47,664 a year
Posted: 14 June
Offer description

Location
Bristol, Newcastle-upon-Tyne, Telford


About the job


Job summary

Discover a career in your hands at HMRC. Whether you're seeking purpose, growth, or a workplace that gives you a true sense of belonging, hear from some of our employees as they share their story about what it's really like to work at HMRC.



Visit our YouTube channel to watch the full series and come and discover your potential.

Within HMRC's Chief Digital & Information Group (CDIO), specifically in the Enterprise Cloud Services (ECS) team, we are redefining and growing a team of outstanding people to improve the HMRC Cloud Centre of Excellence offering.

We are already a diverse team of 80+ individuals, creating a dynamic and inclusive working environment whose skills cover Architecture, Development, Service Design, Operation and Governance.

We are looking for someone who will be responsible for the security aspects of supporting the development and operation of HMRC's Cloud Environment.

This is a key role that will undertake and feed into governance and compliance activities of HMRC Cloud Services and delivery activities within the ECS Security and other processes.

You will work directly with the Security Lead and the Security Architect, the Cyber Security Technical Services (CSTS) team, and across the ECS capability functions to ensure that security is built into and maintained within HMRC cloud services, including the identification and management of our risks.

Travel to Telford is expected as part of this role, and 60% of your working time will need to be office based.


Job description

As the Cyber Security Risk Manager within HMRC's Enterprise Cloud Services (ECS), you'll be a central figure in driving security excellence. Acting as the first point of contact for all internal ECS security queries, advice, and guidance, you'll also lead vulnerability assessments across ECS products, ensuring risks are identified, communicated, and addressed effectively.

You'll play a hands-on role in shaping ECS security policies, supporting penetration testing, and guiding teams on secure service delivery. With a deep understanding of security and risk management, you'll use evidence, data, and experience to make well-informed decisions that protect HMRC's cloud infrastructure.

Key Responsibilities:

• Serve as the primary contact for ECS security advice, guidance, and support.

• Lead the review, assessment, and reporting of vulnerabilities in ECS products.

• Support penetration testing activities and advise on ECS service request risks.

• Develop and maintain ECS-specific security policies and procedures.

• Monitor compliance with governance controls and produce Risk Treatment Plans.

• Report and manage security incidents in line with HMRC and ECS procedures.

• Support internal and external audits.


Person specification

We're looking for a motivated self-starter who thrives both independently and as part of a small team. You'll have a strong technical background in security and be able to mentor others, translating complex security concepts into clear guidance for a range of stakeholders.

Essential Criteria:

You must meet the following requirements to be considered:

• Experience working with cloud technologies, particularly AWS and Azure.
• Proven background in security governance, compliance, and audit practices.
• Familiarity with ISO 27001, Risk Management, and GDPR frameworks.
• Proficient in vulnerability scanning tools such as, but not limited to:

1. Microsoft Defender for Cloud.
2. Tenable.sc.
3. AWS Security Hub.

• Strong stakeholder management skills, with experience working across diverse teams.

Desirable Criteria:

• Knowledge of technical, procedural, physical, and personnel-based security controls.

• Experience in security monitoring, testing, and incident response.

• Familiarity with risk assessment methodologies and security management systems.

Desirable Qualifications (or willingness to work towards):

• AWS: Cloud Practitioner, Security Specialty.

• Azure: Fundamentals, Security Engineer.

• Security Frameworks: EU/UK GDPR, ISO 27001, ISO 27005 Risk Manager.

• Certifications: CISMP (Certificate in Information Security Management Principles).

Desirable criteria will only be assessed in the event of a tied score.

Additional Security Information

Must already hold or be eligible to obtain Security Check (SC) clearance.


Behaviours

We'll assess you against these behaviours during the selection process:

• Changing and Improving
• Communicating and Influencing
• Making Effective Decisions
