Security Architect – Cloud Risk and Controls

Remote: Hybrid
Expires: Expiring in 5 days
Flexible
£70,797 - £85,436 per year

Job summary

We are seeking a seasoned Security Architect – Cloud Risk and Controls to lead the development and implementation of cloud governance, risk, and security frameworks. This pivotal role is responsible for aligning cloud operations with regulatory, security, and risk management requirements while enabling secure and scalable service delivery.

Acting as both a subject matter expert and strategic advisor, you will partner with architects, engineers, and delivery teams to ensure cloud services meet required compliance postures and risk tolerances.

You will embed security and assurance into technical delivery lifecycles while shaping the future of cloud governance in line with GDS, NCSC, and wider public sector expectations.

Job description

In this role you will

  • Architect and maintain the Cloud Control Framework to govern platform and service-level security.
  • Map control implementations to compliance standards such as ISO 27001, DSPT, CAF, and CIS.
  • Collaborate with architects and engineers to embed security controls and risk mitigations into design.
  • Lead technical control reviews, threat assessments, and compliance validation activities.
  • Design and maintain governance processes for testing, monitoring, and reporting on control effectiveness.
  • Act as the primary security and risk contact for auditors and regulatory reviews.
  • Guide cloud teams through control implementation, remediation plans, and control assurance.
  • Develop dashboards and metrics to monitor risk posture, maturity, and compliance status.
  • Maintain control documentation and provide training and communication across technical teams.
  • Enable safe innovation by embedding proportionate and agile security practices.

*Please note that this list is not exhaustive*

Person specification

As the Security Architect – Cloud Risk and Controls, you will play a central role in building and embedding cloud security, governance, and assurance across all cloud environments. This includes owning and evolving control frameworks, interpreting regulatory expectations, and enabling secure digital delivery.

Key Responsibilities

  • Architect a scalable Cloud Control Framework aligned to the organisation’s cloud strategy and GDS service standards.
  • Establish implementation roadmaps for control maturity and track technical alignment over time.
  • Conduct cloud-specific risk assessments, influence design decisions, and ensure shared responsibility is well understood.
  • Act as a liaison between engineering, audit, and governance stakeholders to resolve control gaps.
  • Perform security impact reviews for new cloud services, designs, and deployments.
  • Maintain a centralised risk register, control library, and assurance evidence portfolio.
  • Lead internal audit readiness, compliance walkthroughs, and responses to external assurance activity.
  • Contribute to governance bodies such as architecture boards, change control, and cloud steering groups.
  • Develop key performance indicators (KPIs) and dashboards to visualise control coverage and effectiveness.
  • Coach and upskill engineers and product teams on secure architecture and operational risk.

Working Relationships

You will work closely with the Cloud Centre of Excellence, platform engineers, enterprise architects, delivery teams, information governance, and external assurance partners.

Additional Clauses

  • The role aligns with the GDaD Security Architecture capability framework.
  • Post holder may be required to undergo SC clearance depending on access requirements.
  • Occasional travel will be required for stakeholder workshops and assessments.

Essential criteria

  • Extensive and proven experience in IT security architecture, risk management, or GRC in cloud environments.
  • A degree (Level 6 or equivalent experience) in Cyber Security, Computer Science, Information Systems, or a related technical field.
  • Expertise in public cloud platforms (AWS / Azure) and cloud-native security services.
  • In-depth knowledge of regulatory requirements and compliance frameworks (e.g., NCSC CAF, ISO 27001, DSPT, CIS).
  • Demonstrated experience designing and implementing technical controls in cloud environments.
  • Familiarity with security architecture standards, risk assessments, and threat modelling.
  • Experience interfacing with auditors and responding to assurance activities.
  • Ability to develop dashboards and metrics to track risk and compliance status.
  • Excellent communication skills with the ability to explain security concepts to technical and non-technical audiences.
  • Proven track record working across multidisciplinary teams to embed secure-by-design principles.
  • Strong documentation skills and the ability to maintain clear and auditable control records.

Desirable criteria:

  • Security or GRC certifications such as CISSP, CISM, CRISC, or CCSK.
  • Experience in the public sector or within GDS-aligned digital service delivery.
  • Knowledge of automated compliance tooling (e.g., AWS Config, Azure Policy, Prisma, Sentinel).
  • Understanding of Zero Trust architecture principles.
  • Familiarity with secure software development lifecycle (SSDLC) practices.
  • Background in technical governance or security assurance reviews.
  • Experience with service and operational risk registers in a cloud environment.
  • Knowledge of NIST 800-53 or ENISA guidance.
  • Experience contributing to risk remediation and incident response processes.
  • Involvement in cross-government security forums or communities of practice.

Benefits

Alongside your salary of £70,797, UK Health Security Agency contributes £20,509 towards you being a member of the Civil Service Defined Benefit Pension scheme. Find out what benefits a Civil Service Pension provides.

We pride ourselves on being an employer of choice, promoting equality of opportunity to actively encourage applications from everyone, including groups currently underrepresented in our workforce. UKHSA's ethos is to be an inclusive organisation for all our staff and stakeholders: to create, nurture and sustain an inclusive culture, where differences drive innovative solutions to meet the needs of our workforce and wider communities. We do this through celebrating and protecting differences by removing barriers and promoting equity and equality of opportunity for all.

  • Learning and development tailored to your role
  • An environment with flexible working options
  • A culture encouraging inclusion and diversity
  • A Civil Service pension with an employer contribution of 28.97%

Things you need to know

Artificial intelligence

Artificial intelligence can be a useful tool to support your application; however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or content generated by artificial intelligence, as your own), applications may be withdrawn and internal candidates may be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.

Selection process details

Stage 1: Application & Sift

This vacancy is using Competency.

At sift stage you will be assessed against the Essential Criteria listed in the job advert.

You will be required to complete:

  • Application form (‘Employer/ Activity history’ section on the application)
  • Up to 1000-word Statement of Suitability

Healthjobs UK has a word limit of 1500, but your statement of suitability must be no more than 1000 words.

This should outline how your skills, experience, and knowledge provide evidence of your suitability for the role.

You will receive a joint score for your application form and statement. (The application form is the kind of information you would put into your CV; please be advised you will not be able to upload your CV. Please complete the application form in as much detail as possible.) Please do not email us your CV.

Longlisting: In the event of a large number of applications we may longlist into 3 piles of:

  • Meets all essential criteria
  • Meets some essential criteria
  • Meets no essential criteria

Only those who meet ALL essential criteria will be taken through to the next stage.

Shortlisting: If we receive a large number of applications an initial sift against the lead criteria below will be conducted:

  • Architect and maintain the Cloud Control Framework to govern platform and service-level security.
  • Map control implementations to compliance standards such as ISO 27001, DSPT, CAF, and CIS.
  • Collaborate with architects and engineers to embed security controls and risk mitigations into design.

Desirable criteria may be used in the event of a large number of applications/large amount of successful candidates.

If you are successful at this stage, you will progress to interview & assessment.

Please note feedback will not be provided at this stage.

Stage 2: Interview (Competency profiles)

You will be invited to a face-to-face interview. In exceptional circumstances, we may be able to offer a remote interview.

This vacancy is being assessed using a competency framework. During the interview we will assess against the below:

  • Knowledge
  • Experience
  • Skills and Abilities

You will be asked to prepare and present a 5–10 minute presentation. The subject of this will be as follows:

1. Designing a Cloud Control Framework

Present your approach to designing and implementing a Cloud Control Framework for a multi-cloud environment (AWS and Azure). Explain how you would align controls with frameworks such as ISO 27001, NCSC CAF, DSPT, and CIS, while enabling agile delivery and innovation.

2. Embedding Security and Risk Management into Cloud Delivery

Describe how you would embed proportionate security controls and risk management within agile cloud delivery teams. Include how you would balance assurance, delivery velocity, and user needs.

3. Managing Cloud Risk and Assurance

Using a recent or hypothetical example, outline how you would identify, assess, and mitigate cloud-related risks. Explain how you would communicate these risks to both technical and non-technical stakeholders and maintain auditable evidence for assurance.

4. Driving Continuous Improvement and Maturity

Present how you would measure and report on the maturity of cloud risk and control capabilities over time. Include your approach to developing dashboards, KPIs, or metrics to evidence improvements in compliance posture and control effectiveness.

5. Collaboration and Governance

Outline how you would work with engineering, architecture, governance, and audit teams to build a shared understanding of “secure by design.” Describe how you would handle conflicts between delivery priorities and compliance requirements.

Once this job has closed, the job advert will no longer be available. You may want to save a copy for your records.

Eligibility Criteria

External: Open to all external applicants (anyone) from outside the Civil Service (including internal applicants).

Salary Information

If you are successful at interview, and are moving from another government department, NHS, or Local Authority, the relevant starting salary principles for level transfers or promotions will apply. Otherwise, roles are offered at the pay scale minimum for the grade, but in exceptional circumstances there may be flexibility if you are able to demonstrate you are already in receipt of an existing, higher salary. Pay increases are through the relevant annual pay award for the role and terms.

Please be aware that the salary is based on the office location.

Grade 6

  • £70,797 - £81,450 (National)
  • £72,950 - £83,443 (Outer London)
  • £75,104 - £85,436 (Inner London)

You may be entitled to a Market Pay Supplement (MPS) of up to £15,000.

Location

This role is being offered as hybrid working based at any of our Core HQs. We offer great flexible working opportunities at UKHSA and operate using a hybrid working model where business needs allow. This provides us with greater flexibility about how and where we work, to get the best from our workforce. As a hybrid worker, you will be expected to spend a minimum of 60% of your contractual working hours (approximately 3 days a week pro rata, averaged over a month) working at one of UKHSA's core HQs (Birmingham, Leeds, Liverpool, and London).

Our core HQ offices are modern and newly refurbished with excellent city centre transport links and benefit from co-location with other government departments such as the Department for Health and Social Care (DHSC).

Security Clearance Level Requirement

All successful candidates must meet the basic security requirements before they can be appointed.

The level of security needed is:

Successful candidates for this role must pass an enhanced disclosure and barring security check before they can be appointed. Successful candidates must meet the security requirements before they can be appointed. The level of security needed is Security Clearance (SC).

For meaningful National Security Vetting checks to be carried out, individuals need to have lived in the UK for a sufficient period of time. You should normally have been resident in the United Kingdom for the last 5 years, as the role requires a Security Check (SC). UK residency of less than the outlined period may not necessarily bar you from gaining national security vetting, and applicants should contact the Vacancy Holder / Recruiting Manager listed in the advert for further advice.

Future location

UKHSA is investing in a new state-of-the-art National Biosecurity Centre in Harlow, Essex, which will eventually bring together teams currently based at Canary Wharf, Colindale and Porton Down. For more details, please see: Huge biosecurity centre investment to boost pandemic protection - GOV.UK.

The new facilities will start becoming operational in the mid-2030s, with full completion by 2038. Staff will move in phases as facilities become available. If you're appointed to a role currently based at Canary Wharf, Colindale or Porton Down, please note that we'll continue investing in these sites for the next decade. As we get closer to the transition, we'll provide full information about relocation support available to staff.

Reasonable Adjustments

The Civil Service is committed to making sure that our selection methods are fair to everyone. To help you during the recruitment process, we will consider any reasonable adjustments that could help you. An adjustment is a change to the recruitment process or an adjustment at work. This is separate to the Disability Confident Scheme. If you need an adjustment to be made at any point during the recruitment process you should contact the recruitment team in confidence as soon as possible to discuss your needs.

You can find out more information about reasonable adjustments across the Civil Service here: https://www.civil-service-careers.gov.uk/reasonable-adjustments/

International Police check

If you have spent more than 6 months abroad over the last 3 years you may need an International Police Check. This would not necessarily have to be in a single block, and it could be time accrued over that period.

Internal Fraud check

If successful for this role, as one aspect of pre-employment screening, applicants' personal details (name, National Insurance number and date of birth) will be checked against the Cabinet Office Internal Fraud Hub, and anyone included on the database will be refused employment unless they can show exceptional circumstances. Currently this applies only to candidates external to the Civil Service.

Careers website

Please visit our careers site for more information: https://gov.uk/ukhsa/careers

Feedback will only be provided if you attend an interview or assessment.

Security

Successful candidates must undergo a criminal record check. Successful candidates must meet the security requirements before they can be appointed. The level of security needed is Security Check (SC).

See our vetting charter. People working with government assets must complete baseline personnel security standard checks.

Nationality requirements

This job is broadly open to the following groups:

  • UK nationals
  • nationals of the Republic of Ireland
  • nationals of Commonwealth countries who have the right to work in the UK
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
  • Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service

Further information on nationality requirements is available on the Civil Service website.

Working for the Civil Service

The Civil Service Code sets out the standards of behaviour expected of civil servants.

We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles. The Civil Service embraces diversity and promotes equal opportunities. As such, we run a Disability Confident Scheme (DCS) for candidates with disabilities who meet the minimum selection criteria.

Diversity and Inclusion

The Civil Service is committed to attracting, retaining and investing in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service Diversity and Inclusion Strategy.

Apply and further information

Contact point for applicants

Job contact: Recruitment team

Further information

The law requires that selection for appointment to the Civil Service is on merit on the basis of fair and open competition as outlined in the Civil Service Commission's Recruitment Principles.

If you feel your application has not been treated in accordance with the Recruitment Principles, and you wish to make a complaint, in the first instance, you should contact UKHSA Public Accountability Unit via email: Complaints@ukhsa.gov.uk

If you are not satisfied with the response you receive from the Department, you can contact the Civil Service Commission: Visit the Civil Service Commission website: https://civilservicecommission.independent.gov.uk