This list contains only the countries for which job offers have been published in the selected language (e.g., in the French version, only job offers written in French are displayed, and in the English version, only those in English).
We help UK public sector organisations build and run digital services that are secure, trustworthy, and resilient. As a Senior Security Assurance Engineer in our Cyber practice, you'll take end-to-end ownership of security assurance work across complex government environments - designing audit approaches, leading risk assessments, and helping clients understand and improve their security posture in ways that are proportionate, practical, and grounded in how their services actually work.
Job Responsibility
Design and lead security audits across complex government systems - combining automated scanning with manual testing, producing findings that are clearly framed around risk and remediation rather than just compliance status
Drive continuous compliance monitoring against applicable standards and regulations - Cyber Essentials, the NCSC Cyber Assessment Framework, GovAssure, UK GDPR, and NIS Regulations - feeding posture data into governance and risk reporting rather than treating it as a point-in-time exercise
Lead risk assessments and threat-modelling sessions, selecting methodologies (ISO 27005, NIST RMF, STRIDE, MITRE ATT&CK) that are proportionate to system criticality, and ensuring findings feed into programme governance decisions rather than sitting in security documentation alone
Communicate security findings and risk clearly to a range of audiences - technical detail for engineering teams, risk-framed summaries for senior stakeholders - structuring reports around the decisions people need to make, not just the controls you've tested
Embed security as a continuous engineering concern, supporting threat modelling and security reviews throughout delivery, challenging designs that create unnecessary risk, and mentoring colleagues on secure-by-default practices
Support and assess supply-chain and third-party security, creating proportionate assurance processes aligned with recognised standards and helping clients identify and address gaps in how they manage vendor and software supply-chain risk
Mentor and coach colleagues and client team members, pairing on complex assurance work, sharing knowledge openly across the practice, and actively contributing to the capability of everyone around you - not just delivering your own work well
Contribute to the commercial and strategic health of engagements, staying alert to unmet client needs, managing scope within contracted boundaries, and surfacing opportunities or risks to account leadership as they arise
Requirements
Hold one of the following — Certified Information Systems Auditor (CISA), Systems Security Certified Practitioner (SSCP) — or an equivalent audit and assurance practitioner credential
Contextual judgement over formulaic approaches
A team-first mindset
Confidence communicating across boundaries
Genuine ownership
Nice to have
Certified in Risk and Information Systems Control (CRISC)
Certified Information Systems Security Professional (CISSP)
Experience advising clients on UK government security frameworks — including GovAssure, the NCSC Cyber Assessment Framework, Cyber Essentials Plus, and the HMG Security Policy Framework — and how they interact in practice
Experience leading risk assessments using structured methodologies (ISO 27005, NIST RMF, or FAIR) and embedding risk outputs into programme governance rather than treating them as standalone deliverables
Demonstrated ability to design security controls and governance approaches for cloud environments, with an understanding of how compliance requirements apply in AWS, Azure, or GCP contexts
Working knowledge of incident response planning — establishing policies, assessing team readiness, and mentoring others on preparedness — ideally in a government or regulated environment
Experience conducting or leading supply-chain security assessments, including third-party risk and software provenance, with reference to recognised standards
Familiarity with tools used for continuous compliance monitoring, automated controls testing, or cloud security posture management (for example, CSPM tooling, SIEM platforms, or vulnerability management tools)
Evidence of actively shaping your own development — a T-shaped specialism, seeking and acting on feedback, and sharing learning openly with colleagues and the wider practice
Experience contributing reusable assets — playbooks, templates, tooling, or patterns — back into a practice or community rather than leaving knowledge within a single engagement or team
Experience running or contributing to structured mentoring relationships, pairing sessions, or retrospectives in a way that measurably improved team capability or ways of working
Experience co-designing solutions with clients and stakeholders — bringing them into the process rather than presenting conclusions for approval — and delivering value anchored to outcomes rather than outputs
Experience conducting skills-based assessment of candidates, contributing to interview scripts, or calibrating assessment criteria to ensure fair and consistent evaluation
Made Tech sponsors attainment of recognised cyber certifications for staff in scope. If you don't yet hold the certifications listed above but are working toward them — or can demonstrate equivalent capability through experience — we'd still encourage you to apply