At a Glance
- Tasks: Strengthen cyber security and manage information risks in a dynamic environment.
- Company: Join Registers of Scotland, a leader in land and property registration.
- Benefits: Enjoy 38 days holiday, flexible working, and a generous pension scheme.
- Why this job: Make a real impact on public service while developing your skills in a supportive team.
- Qualifications: Experience in information security and risk management is essential.
- Other info: Diverse and inclusive workplace with excellent career growth opportunities.
The predicted salary is between £48,700 and £57,000 per year.
Overview
We are a flexible employer and will consider a variety of working patterns (compressed hours, term-time working or part-time working) on a case-by-case basis, depending on the role and departmental requirements.
This will be a hybrid role with office attendance as required at either Meadowbank House (Edinburgh) or St Vincent Plaza (Glasgow). It is expected that you would attend the office regularly during your initial training and learning period.
About Registers of Scotland (RoS)
Registers of Scotland is a world-leading pioneer in land and property registration. We hold the answer to the question, "Who owns Scotland?" We are a modern, digital organisation and our success relies on building a diverse team of dedicated, skilled and motivated people.
The role
An experienced Security and Information Risk Advisor (SIRA) is required to play a pivotal role in strengthening and maturing our organisation’s cyber security posture. You will provide expert guidance on the identification, analysis, and treatment of information security risks, and support the continued development, operation, and improvement of our Information Security Management System (ISMS).
This is a key position within Information Security Risk and Assurance. In this role, you will offer technical information security expertise across both established and emerging services, ensuring compliance with Registers of Scotland (RoS) policies, standards, and relevant legislation and frameworks. Working collaboratively with technical and non-technical teams, you will help embed effective security controls, improve security outcomes, and foster awareness of threats and best practice.
You will also contribute to the continual enhancement of our policies, standards, processes, and controls, as well as support organisational reporting and assurance activities across on-premise and cloud environments.
On a typical day you will…
- Formulate strong relationships between the Information Security and Risk function and business teams, both technical and non-technical.
- Promote Information Security and Risk Services offered.
- Conduct technical assurance activities of systems, services, and products.
- Assist stakeholders in understanding and fulfilling their information security roles and responsibilities.
- Provide advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards.
- Obtain and act on vulnerability information and conduct security risk assessments and business impact analysis on complex information systems.
- Contribute to development of information security policy, standards and guidelines.
- Interpret information assurance and security policies and apply these in order to manage risks.
- Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
- Use control testing information to support information assurance assessments.
- Collect and disseminate relevant information and risk management information.
- Deliver sessions and workshops for the scoping, identification, and analysis of security risks to the confidentiality, integrity, and availability of information assets, and propose appropriate controls and actions for risk remediation.
- Observe instances of Non-Conformance, providing details of findings and the motivation for the issue.
- Undertake internal audit/assurance activities to observe and evaluate ISMS processes and Security Controls and provide internal stakeholders with reports that outline findings and areas for improvement of compliance.
- Deliver Supply Chain risk assessment and assurance activities for identified suppliers and 3rd parties that have access to RoS information.
This job is for you if you want…
- Work with purpose: we strive to provide the best public service and set the bar for land and property registration worldwide.
- Flexible and hybrid working: work when and where it’s best for you and your stakeholders, depending on the role and team requirements.
- Benefits: enjoy pay progression, pension contributions of up to 28.97%, up to a year’s parental leave, and 38 days annual holiday, increasing to 42 days with length of service.
- Investment in professional development: we invest in all our people so that they have the right skills to be productive and confident in their job.
- Diversity and Inclusion: We are an ‘Investor in People’ and a ‘Disability Confident’ employer. We are inclusive, stronger together, and committed to putting our people first.
- Positive work culture: RoS is an agile, digital organisation using leading-edge technology. Colleagues understand their role in achieving our strategy and have the autonomy to deliver.
Essential criteria - Your Skills and Attributes for Success
Experience/Technical: We will assess you against the following technical skills and experience during the application and assessment process:
- Certified Information Systems Security Professional (CISSP)
- Certified ISO 27001 Lead Implementer/Auditor of Management Systems (including Information Security and Business Continuity), or equivalent qualifications
Experience
- Strong analytical and problem-solving skills, using techniques to analyse information within scope and resolve to maintain objectives.
- Able to facilitate engagement between non-technical and technical colleagues, providing mediation between stakeholders and promoting the realisation of common goals.
- Understands how an Information Security organisation operates and able to identify internal and external issues that may create risks.
- Able to support teams and Risk Owners with analysing risk through a variety of approaches, measuring impact using the agreed criteria and determining if escalation is required.
Behaviours
- Making Effective Decisions: Use evidence and knowledge to support accurate, expert decisions and advice. Carefully consider alternative options, implications and risks of decisions.
- Managing a Quality Service: Deliver service objectives with professional excellence, expertise and efficiency, taking account of diverse customer needs. Understand the objective of Information Security, Risk Management and mentor engaged teams and colleagues. Can articulate the distinction and relationships between Information Security Risk, Cyber Security, Security Controls, and Assurance.
- Communicating and influencing: Communicate purpose and direction with clarity, integrity and enthusiasm. Respect the needs, responses and opinions of others. Able to facilitate engagement between non-technical, technical, and non-information security colleagues. Able to mediate between stakeholders and promote the realisation of common goals.
- Changing and improving: Seek out opportunities to create effective change and suggest innovative ideas for improvement. Review ways of working, including seeking and providing feedback. Able to support the Head of Information Security, Risk and Assurance with improvements to the ISMS and ensuring that it meets the requirements of ISO/IEC 27001:2022 and the Cyber Assessment Framework.
Stage one - Application Process
To apply, click on 'Apply now' and complete the online application form. You will need to submit:
- A CV outlining your career history and how you meet the technical and experience criteria (max 4 pages).
- Responses to two questions addressing how you meet the bolded behaviour aspects (max 300 words per answer).
Please note: If a high volume of applications is received, an initial sift on Technical skills may be completed. Applications not accompanied by CVs or responses exceeding 300 words per behaviour will not be considered.
We recommend drafting responses in MS Word and pasting into the form. The system may time-out if inactive.
Applications and appointments are subject to a merit-based assessment process in line with Civil Service Recruitment Principles.
Stage two – assessment
If successful at the application stage, you will be invited to an in-person interview at our Meadowbank House office in Edinburgh, which will include:
- Behaviour-based interview
- A technical test where you will assume the role of a Security Analyst assessing an organisation
Feedback will only be provided if you progress to interview stage.
Reserve List
In the event that further posts are required, a reserve list of successful candidates will be kept for up to 12 months.
Nationality and immigration status
In general, only nationals from the countries listed are eligible for employment in the Civil Service. Detailed provisions on eligibility can be reviewed here.
Security
Successful candidates must undergo a Level 1 Disclosure check. Individuals working with government assets must complete baseline personnel security standard checks.
Equality, diversity and inclusion
We welcome applications from disabled candidates. We are committed to diversity and inclusion. See our EDI strategy. If you require adjustments to the recruitment process, contact talent@ros.gov.uk.
DDaT supplement
This post is part of the Digital, Data and Technology profession (DDAT) and attracts a pay supplement. The supplement may go up or down based on market activity.
Security and Information Risk Advisor employer: Registers of Scotland
Contact details:
Registers of Scotland Recruiting Team
StudySmarter Expert Advice 🤫
We think this is how you could land the Security and Information Risk Advisor role
✨Tip Number 1
Network like a pro! Reach out to folks in the industry, attend events, and connect on LinkedIn. The more people you know, the better your chances of hearing about job openings before they even hit the market.
✨Tip Number 2
Prepare for interviews by researching the company and role thoroughly. Understand their values and how your skills align with their needs. This will help you stand out and show that you're genuinely interested in being part of their team.
✨Tip Number 3
Practice makes perfect! Conduct mock interviews with friends or use online platforms. This will help you get comfortable with common questions and refine your answers, making you more confident when it’s time for the real deal.
✨Tip Number 4
Don’t forget to follow up after interviews! A quick thank-you email can leave a lasting impression and shows your enthusiasm for the position. Plus, it keeps you on their radar as they make their decision.
Some tips for your application 🫡
Craft a Stellar CV: Your CV is your first impression, so make it count! Highlight your relevant experience and skills that align with the Security and Information Risk Advisor role. Keep it concise, ideally no more than four pages, and tailor it to showcase how you meet the technical criteria.
Answer the Behaviour Questions Thoughtfully: When tackling the behaviour questions, be specific and provide clear examples from your past experiences. Use the STAR method (Situation, Task, Action, Result) to structure your answers, ensuring you demonstrate your decision-making and service management skills effectively.
Keep It Professional but Personal: While we want to see your professional side, don’t shy away from letting your personality shine through. Show us your passion for information security and risk management, and how you can contribute to our positive work culture at Registers of Scotland.
Apply Through Our Website: We encourage you to apply directly through our website. It’s the easiest way for us to receive your application and ensures you’re following the correct process. Plus, you’ll find all the details you need about the role and our organisation there!
How to prepare for a job interview at Registers of Scotland
✨Know Your Stuff
Make sure you brush up on your technical knowledge, especially around information security frameworks like ISO 27001 and NCSC publications. Be ready to discuss how you've applied these in real-world scenarios, as this will show your expertise and confidence.
✨Practice Makes Perfect
Rehearse your responses to the behaviour-based questions outlined in the job description. Use the STAR method (Situation, Task, Action, Result) to structure your answers, ensuring you clearly demonstrate your decision-making and service management skills.
✨Engage with the Interviewers
During the interview, don’t just answer questions—engage with your interviewers. Ask them about their experiences at Registers of Scotland and how they see the role evolving. This shows your interest in the company and helps build rapport.
✨Showcase Your Soft Skills
Highlight your ability to communicate effectively with both technical and non-technical teams. Share examples of how you've facilitated discussions or resolved conflicts, as this is crucial for a role that requires collaboration across various departments.