At AQA, we're committed to advancing education and we're committed to our people. As the largest provider of academic qualifications in the UK, we mark over 10 million exam papers each year and it's our people who make this happen.
Group Systems Security Manager
23-month fixed-term contract
Manchester: £74,818 - £84,453
Milton Keynes: £77,903 - £87,936
Hybrid (2 days per week in the office)
Introduction
This key role will help shape group wide security at a pivotal time of growth, as AQA expands into digital exams and international markets. You'll play a key role in strengthening how we protect our systems and information while supporting innovation across a complex, modern technology estate. As threats continue to evolve, you'll apply sound judgement and a balanced, thoughtful approach to ensure security enables progress rather than slows it down. This is a chance to influence meaningful change, work with a wide range of teams and make a visible impact on an organisation with a clear educational purpose
Purpose of the role
You will operate within AQA's Enterprise Technology Security & Risk team to provide security consultancy, oversight and assurance across the Group. You will maintain and evolve the Information Security Management System (ISMS) and ensure solutions and services proportionately balance security needs with desired business outcomes, supporting AQA's mission to benefit learners of all abilities.
Key responsibilities
* Provide security consultancy and oversight across Enterprise Technology and the wider Group, ensuring solutions meet business and security requirements and align with ISO 27001.
* Own and evolve ISMS policies, standards and audits; lead incident response and supplier assurance; surface risks and drive mitigation and prevention.
* Partner with business areas to embed secure ways of working; plan and deliver periodic security testing and technology security roadmaps across systems and services.
What we are looking for
* A strong track record in providing information security, cyber security and data protection advice and guidance.
* A solid background in managing information security, cyber and data protection risks.
* Confident handling of security incidents, including events, weaknesses and breaches.
* A proven ability to deliver supplier and third party security assurance.
* Skilled in acting as a security SME within programmes or projects, with good working knowledge of ISO 27001.
What's in it for you
* 25 days' annual leave, rising to 30 with service, plus bank holidays and extra closure days at Christmas
* a 35-hour working week with flexible working arrangements
* an excellent contributory pension scheme (6%–11.5% depending on your contribution)
* life assurance, BUPA PMI, and health cash plan
* enhanced maternity and paternity schemes
Diversity and inclusion statement
At AQA, we are committed to fostering a workplace that celebrates diversity and promotes equity and inclusion. We believe that a diverse team brings richer perspectives and drives better outcomes. Our ED&I strategy ensures that everyone—regardless of religion, ethnicity, gender identity or expression, age, disability, sexual orientation, or background—is valued, respected, and empowered to thrive. We actively promote inclusive language, avoid stereotypes, and strive for representation across all dimensions of diversity. We welcome applications from individuals of all backgrounds and lived experiences.
Application process
To apply, submit your CV by following the link provided.
Application deadline: Sunday 1st March
First stage interviews will take place via MS Teams w/c 2nd March and second stage will take place in person w/c 9th March.
Recruitment Agencies
We have a preferred supplier list (PSL) in place.
Unsolicited CVs will be treated as a gift. We will not be subject to or liable under your terms and conditions for agency fees.
Full Job Description
Summary
Purpose:
As System Security Manager you will operate within the (Enterprise Technology) Security & Risk team working closely with the Head of Architecture & Security and the Enterprise Security Manager. You will lead on the delivery of a range of security related services, delivering consultative security guidance and support with the goal of ensuring that IT solutions and services meet key business and security requirements.
By providing a security consultancy support service to colleagues and business stakeholders you will deliver effective and pragmatic security related advice, guidance, direction and liaison across technology and business stakeholders shaping and guiding to deliver solutions to proportionately balance security needs and desired business outcomes.
Facilitating a security consultancy service and approach to positively influence and evolve the information technology landscape across Enterprise / Assessment technology and wider AQA Group, providing overarching security oversight and compliance assurance.
Supporting the delivery of effective security strategies within Enterprise Technology and engaging with key stakeholders across Assessment Technology and wider Group entities to ensure alignment and oversight of approaches, where appropriate taking ownership of and resolving (or escalating), related issues or concerns you identify.Landscape:
The Enterprise Technology Division sits within the Group Corporate Services Office, enabling the centralised delivery of core corporate services across the AQA Group. In addition, Enterprise Technology operates in close partnership with Assessment Technology, Programme Management and AQA Group subsidiaries, collectively delivering the full IT service portfolio of current operations to future change programmes.
Due to the nature of the role and function, stakeholder engagement with colleagues / teams within other AQA UK locations may be required.
Key relationships:
Key internal (AQA Education and AQA Assessment Services Limited) relationships
AQA Divisional Heads / Cx Levels
Enterprise Technology functions
AQA Assessment Technology architecture and development teams
AQA Education business functions
Relevant subsidiaries and functions across the AQA Group
Key external relationships
Third-party technology providers
Relevant third-party service providers / suppliers
Activities:
To maintain the required knowledge and expertise across the following domain areas of security to support the delivery of appropriately secure solutions:
Physical
Infrastructure (Endpoint / Network / Cloud)
Application
Data / Information
People / Human
Develop, take ownership of, and maintain policies, procedures, guidance and standards that make up the AQA Information Security Management System, evolving them in line with business drivers and goals to establish robust yet flexible and adaptive controls.
Support the Enterprise Security Manager in the implementation and periodic refreshes of the AQA security strategy, leading on specific areas as required and actively participating, contributing, controlling and managing relevant security communities, forums and design authorities.
Directly contribute to the definition and verification of and adherence to technical security standards covering areas such as application, infrastructure, data / information and physical security, access control, system resilience / reliability / recovery and storage / network security architectures etc.
Take ownership, work with, and support business stakeholders and Enterprise Technology colleagues in the design and delivery of appropriately scoped technical security policies, processes, and procedures, ensuring that they are disseminated across all relevant areas and understood by all stakeholders and audiences.
Undertake purposeful 'horizon scanning' ensuring that AQA is positioned well to be able to benefit from emerging security technologies, architectures and standards. Research and explore opportunities for solutions to meet AQA's business objectives and develop clear cost benefit analysis for the adoption of particular approaches.
Deliver and execute an effective timetable / schedule for the periodic security testing and auditing of systems and services. Regularly report across the IT security team and to senior management the timetable and outcomes of all security testing undertaken across AQA systems/services.
As part of the evolution of the IT strategy, establish and regularly review technology security roadmaps and associated systems life cycles ensuring that AQA is able to identify technology opportunities and manage technology and security related risks effectively.
Review all systems solutions implemented across Enterprise and Assessment Technology (and where relevant wider Group) areas of the business to ensure compliance with the IT strategy and related (Enterprise) security policies, quantifying and proposing mitigations to any risks identified through effective operation of related governance functions.
Ensure security architecture and standards maintained by security teams remain fully compliant with all statutory and regulatory legislation.
Manage delivery of scheduled periodic audits of suppliers to ensure compliance with / alignment to AQA cyber / information security, data protection and business continuity / IT disaster recovery principles, standards, governance and where applicable policies.
Deliver effective and timely advice and guidance to AQA staff and suppliers on all matters relating to cyber / information security, business continuity / IT disaster recovery and data protection acting as a security design authority for all relevant technical and operational system configuration and design changes, wherever necessary engaging with peers to ensure consistency of approach.
Provide support to the Head of Architecture & Security, the Enterprise Security Manager, and other senior managers in the assessment and compilation of departmental risks.
Guide and support peers and colleagues through transformational activities, ensuring that they continue to deliver the technical and professional standards required to ensure ongoing robust information, systems and network security is maintained and drive personal professional development to support cross skilling.
Ensure full compliance with all AQA policies and other legislative requirements, including but not limited to HSE / Equal Opportunities / Information & Cyber Security / Data Protection related legislation and policies.
Where business needs dictate, to undertake other responsibilities which are of a commensurate level and may be outside the terms of this role profile
To be successful in this role, you will need to know:
Proven senior security specialist with a strong track record of IT expertise and delivery across a number of practices within the IT industry.
Expert knowledge and understanding of Mainstream computing platforms and architectures, Operating systems, Databases, End user computing platforms, Networks and communications, Cloud computing delivery platforms (IaaS, PaaS & SaaS), Virtualisation, Integration services, architecture design standards, development methodologies.
Extensive experience of enterprise class organisations with cloud / mixed IT footprints and related modernisation of corporate architecture and application of appropriate governance.
Strong and proven expertise of operating with and within hybrid support functions - internal and external / 3rd party organisations.
Expert knowledge and understanding of implementing technical changes within legacy and modern IT estates.
Possess a broad understanding of and experience in working within programme and project management methodologies and governance.
Responsive to short-term challenges / priorities whilst holding to clear strategy and direction.
Direct experience of working and communicating effectively with peers, sponsors and business stakeholders at all levels both organisationally and across large scale programmes / IT developments.
Organises, plans and designs effectively whilst retaining focus on the bigger picture.
Ability to frame security trends and opportunities within AQA's strategic objectives.
Proven expertise in identifying and improving high level processes and ways of working.
Aptitude for sharing and embedding best practice.
Skills to build rapport and influence across a diverse range of internal and external stakeholders.
Conversant with and able to navigate major corporate structures including regulatory environment, financial management and budgeting, programme / project delivery, information / cyber security and risk management practices.
Excellent delivery credentials, with a flexible, pragmatic "can do" attitude and a resilient ability to deliver rapid and effective solutions within a dynamic environment.