Security Incident Manager

Hybrid
Expires: Expiring in less than 3 weeks
Security
Flexible
£42,806 - £46,971 per year

Job summary

About us

CISD is responsible for ensuring the Department’s digital services and data are secure. Joining our team will mean you will help to safeguard children and ensure their education and care is delivered effectively by building ways of working and systems that adapt to evolutions in technology, methodology and threat.

We are seeking an experienced Security Incident Manager to lead the response to cyber security incidents across our organisation. You will be responsible for identifying, managing, and coordinating the response to major security threats, including ransomware, phishing, data breaches, insider threats, and other critical events.

This is a hands-on and strategic role requiring technical expertise, crisis leadership, and cross-functional coordination across IT, legal, compliance, HR, communications, and senior management.

Primary Purpose

The primary purpose of the Security Incident Manager role is to manage and co-ordinate the department's response to internal cyber and information security incidents. All internal security incidents should be managed using ServiceNow and should align with the Government Security Group's security incident types. Security Incident Managers are responsible for documenting and responding to all sector cyber security incidents which are reported to the department. Tooling for documenting and reporting should be the designated Power BI dashboard.

Secondary Purpose

The secondary role Terms of Reference serve to detail additional responsibilities over and above those of the standard primary function. Secondary functions should be classed as secondary in terms of operational importance, with the primary role being the priority as standard.

Management and Reporting Chain:

The Security Incident Manager reports to the G7 Security Incident Lead for both task and line management purposes. Escalation route / oversight is provided at G6 level by the Head of Security Operations, to provide output requirements of the Chief Information Security Officer [CISO].

Job description

Key Responsibilities of the Role:

Incident Management

  • Act as the primary incident handler for all significant cyber security incidents.
  • Lead the incident response lifecycle: detection, triage, containment, eradication, recovery, and post-incident review.
  • Establish and lead Gold/Silver/Bronze incident command structures where required.
  • Maintain an up-to-date incident playbook and escalation procedures.

Threat Detection & Response Coordination

  • Collaborate with Security Operations Centre [SOC] analysts, threat intelligence teams, and IT to assess severity, scope, and impact of incidents.
  • Oversee and document forensic investigations in coordination with internal and external experts.
  • Ensure accurate logging, tracking, and evidence collection in line with legal and regulatory requirements.

Stakeholder Engagement & Communications

  • Coordinate internal and external communications during incidents, including legal, compliance, HR, and comms teams.
  • Provide regular updates to senior leadership (e.g. CISO, Rapid Response and Emergency Planning [RREP] etc.) during major incidents.
  • Liaise with external parties such as National Cyber Security Centre [NCSC], Government Cyber Co-ordination Centre [GC3], other government departments and external agencies.

Continuous Improvement & Readiness

  • Run tabletop exercises and simulations to test the incident response plans and playbooks.
  • Conduct root cause analysis and produce detailed post-incident reports and lessons learned.
  • Identify gaps in detection, tooling, process, or governance and recommend improvements.
  • Keep up to date with emerging threats, vulnerabilities, and incident response trends.

Person specification

Essential Criteria:

  • Demonstrate experience handling major cyber security incidents.
  • Strong understanding of incident response lifecycle.
  • Proven ability to act as the primary incident handler for significant cyber security incidents.
  • Excellent communication skills for co-ordinating internal and external communications during an incident.
  • Experience in developing and maintaining playbooks.
  • Experience running tabletop exercises and simulations to test incident response plans.

Desirable Criteria:

  • Formal training in incident response.
  • Experience establishing and leading Gold/Silver/Bronze command structures during major incidents.
  • Experience liaising with external bodies such as NCSC, GC3, other government departments and external agencies.

Desirable criteria will only be assessed at interview, in the event of a tie break situation, to make an informed decision.

Behaviours

We'll assess you against these behaviours during the selection process:

  • Seeing the Big Picture
  • Communicating and Influencing
  • Working Together

Benefits

Alongside your salary of £42,806, Department for Education contributes £12,400 towards you being a member of the Civil Service Defined Benefit Pension scheme. Find out what benefits a Civil Service Pension provides.

Applicants currently holding a permanent post in the Civil Service should note that, if successful, their salary on appointment would be determined by the Department’s transfer / promotion policies.

As a member of the DfE, you will be entitled to join the highly competitive Civil Service Pension Scheme, which many experts agree is one of the most generous in the UK.

You will have 25 days leave, increasing by 1 day every year to a maximum of 30 days after five years’ service. In addition, all staff receive the King’s Birthday privilege holiday and 8 days’ bank and public holidays.

We offer flexible working arrangements, such as job sharing, term-time working, flexi-time and compressed hours.

Most DfE employees will be working a hybrid pattern, spending at least 60% of their time in an office or work setting. Changes to these working arrangements are available in exceptional circumstances but must be agreed with the line manager and in line with the requirements of the role.

Travel to your primary office location will not be paid for by DfE, but travel to an office which is not your main location will be covered.

As an organisation which exists to support education and lifelong learning, we offer our staff excellent professional development opportunities.

Things you need to know

Artificial intelligence

Artificial intelligence can be a useful tool to support your application; however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, as your own) applications may be withdrawn and internal candidates may be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.

Selection process details

This vacancy is using Success Profiles, and will assess your Behaviours, Strengths and Experience.

Step 1 - Online Application - CV and Personal Statement

At application stage, we will assess Experience. Candidates will be sifted through their CV and a personal statement.

  • Your CV should include details of your past employment history, including the dates that the roles were held. You should also include any relevant qualifications, skills and experience gained from those roles.
  • Your personal statement (no longer than 750 words) should demonstrate how your experience meets the essential criteria of the role (listed in the person specification section above).

The sift will be restricted to just assessing personal statements in the event of a large volume of applications.

More guidance on personal statements can be found here – completing your application

Step 2 – Interview

If successful at sift, candidates will be assessed via interview. The interview will involve two types of questions – Strength-based and Behaviours.

Strengths are a way for Hiring Managers to understand what motivates you and what you enjoy doing, which helps the panel to understand your areas of strength. Evidence shows that people do better work when a job aligns well with what they enjoy and find motivating. We don’t advertise which strengths we are going to assess you on as we want to be able to assess your first, natural response to the questions.

Behaviours are the actions and activities that people do which result in effective performance in a job. We want to get an understanding of the actions and activities that you have done (or would do) that result in effective performance.

We will assess you against the following behaviours during the selection process:

  • Seeing the Big Picture
  • Communicating and Influencing
  • Working Together

For more information on the selection process, including guidance on how to write a personal statement, answer behaviour and strength-based interview questions, and the STAR approach click here: Top tips for acing the application.

Sift and interview dates to be confirmed

Other Information

Interviews may be via Microsoft Teams or face to face; the vacancy manager will confirm prior to the interview.

In your application, please don’t include personal information that identifies you.

This means we can recruit based on your knowledge and skills, and not background, gender or ethnicity - it's called name blind recruitment.

Please ensure that you remove from your application, all references to your:

  • name/title
  • educational institutions
  • age
  • gender
  • email address
  • postal address
  • phone number
  • nationality/immigration status

We reserve the right to raise the minimum pass mark in the event of a high volume or strong field of candidates.

Please be aware that this role can only be worked in the UK from the location options provided and not from overseas.

The government is committed to supporting apprenticeships, enabling people to learn and progress in a role whilst earning. We want to monitor the number of people who have completed apprenticeships who are now applying to progress further in their career and are asking this question to all candidates, on all vacancies. You will be asked a question as part of the application process about any previous apprenticeships you have completed. Your response to this question will not affect your application and it is not a requirement of the role to have completed a previous apprenticeship.

If successful and transferring from another Government Department, a criminal record check may be carried out.

In order to process applications without delay, we will be sending a Criminal Record Check to Disclosure and Barring Service on your behalf. However, we recognise in exceptional circumstances some candidates will want to send their completed forms direct. If you will be doing this, please advise Department for Education of your intention by emailing Pre-Employment.Checks.DFE@education.gov.uk stating the job reference number in the subject heading.

Department for Education do not cover the cost of travel to your interview/assessment unless otherwise stated.

A reserve list may be held for a period of 6 months from which further appointments can be made.

Candidates will be posted in merit order based upon location preference. Where more than one location is advertised you will be asked to state your preferred location.

New entrants are expected to join on the minimum of the pay band.

Applicants who are successful at interview will be, as part of pre-employment screening, subject to a check on the Internal Fraud Database (IFD). This check will provide information about employees who have been dismissed for fraud or dishonesty offences. This check also applies to employees who resign or otherwise leave before being dismissed for fraud or dishonesty had their employment continued. Any applicant whose details are held on the IFD will be refused employment.

Terms and conditions of candidates transferring from ALBs and NDPBs

Bodies that are not accredited by the Civil Service Commission and are not able to advertise at Across Government on Civil Service jobs will be treated as external new starters and will come into DfE on modernised terms and conditions with a salary at the band minimum.

Bodies that are accredited by the Civil Service Commission but do not have civil service status will be offered modernised terms and will not have continuous service recognised for leave or sickness benefits. Salaries should be offered at band minimum, but there is some flexibility where this would cause a detriment to the individual.

Bodies that are accredited by the Civil Service Commission and do have Civil Service status will be treated as OGD transfers. Staff appointed on lateral transfer will move on to pre-modernised DfE terms (unless they were on modernised terms in their previous organisation). Staff appointed on promotion will move on to modernised DfE terms. Staff will transfer over on their existing salary (on lateral transfer) and any pay above the DfE pay band maximum will be paid as a mark time allowance. Staff moving on promotion will have their salaries calculated using the principles set out in the attached OGD transfer supplementary information.

Reasonable adjustment

If a person with disabilities is put at a substantial disadvantage compared to a non-disabled person, we have a duty to make reasonable changes to our processes. If you need a change to be made so that you can make your application, you should:

  • Contact Department for Education via centralrecruitment.operations@education.gov.uk as soon as possible before the closing date to discuss your needs.
  • Complete the “Assistance required” section in the “Additional requirements” page of your application form to tell us what changes or help you might need further on in the recruitment process. For instance, you may need wheelchair access at interview, or if you’re deaf, a Language Service Professional.

Please refer to the attached ‘Reasonable Adjustments Guide 05_2025 – accessible version’ at the bottom of the advert, for further information.

Childcare Vouchers

Any move to Department for Education (DfE) will mean you will no longer be able to carry on claiming childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax-Free Childcare. Determine your eligibility at https://www.childcarechoices.gov.uk/



Feedback will only be provided if you attend an interview or assessment.

Security

Successful candidates must undergo a criminal record check. Successful candidates must meet the security requirements before they can be appointed. The level of security needed is security check.

See our vetting charter. People working with government assets must complete baseline personnel security standard checks.

Nationality requirements

This job is broadly open to the following groups:

  • UK nationals
  • nationals of the Republic of Ireland
  • nationals of Commonwealth countries who have the right to work in the UK
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
  • Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service

Further information on nationality requirements

Working for the Civil Service

The Civil Service Code sets out the standards of behaviour expected of civil servants.

We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles. The Civil Service embraces diversity and promotes equal opportunities. As such, we run a Disability Confident Scheme (DCS) for candidates with disabilities who meet the minimum selection criteria. The Civil Service also offers a Redeployment Interview Scheme to civil servants who are at risk of redundancy, and who meet the minimum requirements for the advertised vacancy.

Diversity and Inclusion

The Civil Service is committed to attracting, retaining and investing in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service Diversity and Inclusion Strategy.

Apply and further information

This vacancy is part of the Great Place to Work for Veterans initiative.

Once this job has closed, the job advert will no longer be available. You may want to save a copy for your records.

Contact point for applicants

Job contact:

Recruitment team

Further information

The Department for Education’s recruitment processes are underpinned by the Civil Service Commissioners' Recruitment Principles, which outline that selection for appointment is made on merit based on fair and open competition. You have the right to complain if you feel a department has breached the requirement of the Recruitment Principles. In the first instance, you should raise the matter directly with the department concerned via CentralRecruitment.Operations@education.gov.uk. If you are not satisfied with the response, you may bring your complaint to the Commission. For further information on bringing a complaint to the Civil Service Commission please visit their web pages.

Attachments

  • DFE Terms & Conditions - accessible version (pdf, 215kB)
  • Reasonable Adjustments guide 05_2025 - accessible version (1) (pdf, 723kB)
  • OGD Transfer Supplementary information - accessible version (pdf, 327kB)