Governance, Risk & Compliance GRC Lead
Location: Fully Remote - UK Wide
Department: Technology – IT Security and Service Management
Contract Type: Permanent
Salary: £55,000 - £65,000

About the Role
We are seeking a highly experienced and motivated GRC Lead to join our Cyber Security team. This role is critical in shaping and delivering our information assurance strategy, ensuring that cyber security risks are effectively managed across the organisation.
As a senior member of the team, you will lead a small group of risk and security professionals, drive the implementation of Secure by Design principles, and oversee compliance with key frameworks such as DSPT, CAF, and DORA. You will also play a key role in stakeholder engagement, presenting confidently to senior leadership and translating complex technical requirements into actionable governance strategies.
With a significant project pipeline launching in 2026, this is a unique opportunity to influence the future of cyber security governance in a regulated environment.
Key Responsibilities
- Own and evolve the Information Security Assurance Framework and programme.
- Lead themed reviews to assess the effectiveness of security controls.
- Manage the organisation’s technology risk management programme, ensuring risks are identified, assessed, and remediated within appetite.
- Oversee Secure by Design initiatives, aligning business and technical changes with security requirements and government standards.
- Drive compliance with frameworks including DSPT, CAF, ISO 27001, and GDPR.
- Lead the security culture, education, and awareness programme across the organisation.
- Collaborate with external bodies to mature cyber security practices across the health and social care sector.
- Present findings, risks, and recommendations to senior stakeholders and leadership teams.
- Ensure timely and accurate submission of compliance documentation, including NHS audits and DSPT submissions.
- Minimum 5 years’ experience in information security, with a focus on governance, risk, and compliance.
- Proven ability to lead teams and manage complex programmes in regulated environments.
- Strong understanding of cyber security frameworks and regulations (DSPT, ISO 27001, CAF, GDPR, DORA).
- Experience authoring governance documentation (policies, standards, reports).
- Familiarity with Microsoft-based technologies, including IdAM, networks, applications, and cloud environments.
- Excellent communication and presentation skills, with the ability to engage technical and non-technical audiences.
- Demonstrated ability to translate security frameworks across sectors and align them with organisational goals.
- Certifications such as CISSP, CISM, CRISC, or ISO 27001 Lead Implementer.
- Experience with tools like OneTrust, Varonis, or similar GRC platforms.
- Generous annual leave: 27 days starting leave (rising to 32.5 days with service) plus bank holidays.
- Flexible working options: including home, office, and hybrid working, as well as compressed hours and part-time arrangements.
- Public sector pension scheme or Nest pension scheme (depending on eligibility).
- Comprehensive training and development: access to in-house learning, study support, and career progression opportunities.
- Health and wellbeing support: including a 24-hour employee assistance programme.
- Family-friendly policies
- Travel and shopping discounts
Company: Reed
Location: Newcastle Upon Tyne, Tyne and Wear, England, United Kingdom (Hybrid / WFH Options)
Employment Type: Full-Time
Salary: £55,000 - £65,000 per annum, inc. benefits