Role
This is a critical and versatile role within CAA Information Security function reporting to the Senior Information Security Consultant, responsible for ensuring that all business and technical change is designed, implemented, and operated securely in line with the organisation's Secure by Design principles and Information Security Risk Management process. The role acts as a key interface between the InfoSec function and the wider organisation, providing security assurance across projects, BAU and change activities. The postholder applies security requirements consistently, aligned to the NCSC Cyber Assessment Framework (CAF), ISO 27001, NIST 800-53, and other relevant standards. The role is technically hands‑on across an assigned portfolio of projects and change initiatives, contributing to the quality and consistency of the consultant function's output. Working closely with Architecture, Risk Management, Procurement, and Delivery teams, the postholder ensures that solutions are designed securely, risks are well understood, and mitigations are embedded throughout the project lifecycle. More complex or higher‑risk engagements are undertaken with guidance from the Lead Information Security Consultant. You will also be working in collaboration with the wider Information Security team in developing, implementing and monitoring a comprehensive enterprise‑wide information security programme, based on industry standards, to ensure the availability, integrity and confidentiality of information owned, controlled and processed by the CAA.
Core Accountabilities
- Deliver consistent, risk‑based security consultancy across an assigned portfolio of projects, BAU and change activities, aligned with CAF objectives.
- Manage workload across concurrent engagements, prioritising based on project criticality, complexity, and risk.
- Apply Secure by Design practices throughout project lifecycles, ensuring appropriate security requirements, architecture patterns, and controls are identified and implemented.
- Act as a point of contact for security‑related design or risk issues within assigned projects, escalating complex or higher‑risk matters to the Senior Information Security Consultant.
- Apply and provide feedback on the InfoSec consulting framework, templates, and guidance (BIA, RA, risk decision, assurance flow, etc.), ensuring outputs align with ISRM and organisational risk appetite.
- Contribute to the maturity of the CAA's Information Security Target Operating Model by following and helping refine repeatable, evidence‑based consulting processes.
- Support supplier and third‑party assurance activities within the ISRM workflow, helping ensure contract security clauses, due diligence, and testing are effectively managed.
- Work collaboratively with the wider InfoSec, Architecture, and SOC functions, applying feedback from incidents, vulnerabilities, and audits to improve the quality of security consultancy.
- Promote a culture of security awareness and proactive risk management across business areas, supporting stakeholders to make informed risk decisions.
About You
Essential
- Demonstrable experience providing hands‑on security assurance and design input for projects, covering infrastructure, applications, and cloud solutions.
- Ability to manage own workload across multiple concurrent engagements, balancing competing priorities to meet delivery timelines.
- Strong understanding of Secure by Design and risk‑based security principles, with the ability to translate them into practical guidance for business and technical teams.
- Knowledge of and experience applying control frameworks such as NCSC CAF, ISO 27001/27002, NIST 800‑53, CIS Controls, and OWASP.
- Proven experience reviewing solution or technical designs to identify security risks and recommend mitigations.
- Familiarity with public‑sector assurance approaches and risk governance.
- Demonstrable experience conducting both qualitative and quantitative risk assessments across technology, cyber security, operational, or enterprise risk domains.
- Excellent written and verbal communication skills; able to present complex security concepts to non‑technical audiences.
- Broad technical knowledge across modern IT domains including networking, cloud (Azure/M365 preferred), identity, and application security.
- Experience coordinating or interpreting security testing and vulnerability assessments within project delivery.
- Ability to engage and influence stakeholders and manage competing priorities in a fast‑moving environment.
Desirable
- Experience operating within a regulated, Aviation or government‑aligned organisation.
- Knowledge of evidence requirements and CAF mapping.
- Professional certifications such as CISSP, CISM, CRISC, or CISMP.
- Practical understanding of DevSecOps, automation, and cloud‑native security tooling.
- Experience contributing to the development or improvement of internal InfoSec frameworks or processes (e.g. ISRM, Secure by Design).
Additional Information
This role requires National Security Vetting, potentially SC clearance. Applicants must have 5 years residency in the UK to support a reasonable period of checks. If you do not meet these requirements, we may not be able to accept your application.
Equal Employment Opportunity
The CAA values high ethical standards and personal integrity among employees. We are a Disability Confident employer and guarantee an interview to candidates who meet the minimum requirements.
Information Security Consultant in Guildford employer: Civil Aviation Authority
The Civil Aviation Authority is an exceptional employer, offering a dynamic work environment that prioritises safety and regulatory compliance in the aviation sector. With a strong commitment to employee development, you will have access to unique growth opportunities, including domestic and international travel, all while enjoying the flexibility of a hybrid working model that promotes work-life balance.