Security Incident Manager

We are seeking an experienced Security Incident Manager to lead the response to cyber security incidents across our organisation. You will be responsible for identifying, managing, and coordinating the response to major security threats, including ransomware, phishing, data breaches, insider threats, and other critical events.

This is a hands-on and strategic role requiring technical expertise, crisis leadership, and cross-functional coordination across IT, legal, compliance, HR, communications, and senior management.

Primary Purpose

The primary purpose of the Security Incident Manager role is to manage and co-ordinate the department's response to internal cyber and information security incidents. All internal security incidents should be managed using Service Now and should align with the Government Security Groups security incident types. Security Incident Managers are responsible for documenting and responding to all sector cyber security incidents which are reported to the department. Tooling for documenting and reporting should be the designated PowerBi dashboard.

Secondary Purpose

The secondary role Terms of Reference serve to detail additional responsibilities over and above those of the standard primary function. Secondary functions should be classed as secondary in terms of operational importance, with the primary role being the priority as standard.

Management and Reporting Chain:

The Security Incident Manager reports the G7 Security Incident Lead for both task and line management purposes. Escalation route / oversight is provided at G6 level by the Head of Security Operations, to provide output requirements of the Chief Information Security Officer [CISO]., Incident Management

• Act as the primary incident handler for all significant cyber security incidents.
• Lead the incident response lifecycle: detection, triage, containment, eradication, recovery, and post-incident review.
• Establish and lead Gold/Silver/Bronze incident command structures where required.
• Maintain an up-to-date incident playbook and escalation procedures.

Threat Detection & Response Coordination

• Collaborate with Security Operations Centre [SOC] analysts, threat intelligence teams, and IT to assess severity, scope, and impact of incidents.
• Oversee and document forensic investigations in coordination with internal and external experts.
• Ensure accurate logging, tracking, and evidence collection in line with legal and regulatory requirements.

Stakeholder Engagement & Communications

• Coordinate internal and external communications during incidents, including legal, compliance, HR, and comms teams.
• Provide regular updates to senior leadership (e.g. CISO, Rapid Response and Emergency Panning [RREP] etc) during major incidents.
• Liaise with external parties such as National Cyber Security Centre [NCSC], Government Cyber Co-ordination Centre [GC3], other government departments and external agencies.

Continuous Improvement & Readiness

• Run tabletop exercises and simulations to test the incident response plans and playbooks.
• Conduct root cause analysis and produce detailed post-incident reports and lessons learned.
• Identify gaps in detection, tooling, process, or governance and recommend improvements.
• Keep up to date with emerging threats, vulnerabilities, and incident response trends., We'll assess you against these behaviours during the selection process:
• Seeing the Big Picture
• Communicating and Influencing
• Working Together, At application stage, we will assess Experience. Candidates will be sifted through their CV and a personal statement.
• Your CV should include details of your past employment history, including the dates that the roles were held. You should also include any relevant qualifications, skills and experience gained from those roles.
• Your personal statement (no longer than 750 words) should demonstrate how your experience meets the essential criteria of the role (listed in the person specification section above).

The sift will be restricted to just assessing personal statements in the event of a large volume of applications.

More guidance on personal statements can be found here – completing your application

Step 2 – Interview

If successful at sift, candidates will be assessed via interview. The interview will involve two types of questions – Strength-based and Behaviours.

Strengths are a way for Hiring Managers to understand what motivates you and what you enjoy doing, which helps the panel to understand your areas of strength. Evidence shows that people do better work when a job aligns well with what they enjoy and find motivating. We don’t advertise which strengths we are going to assess you on as we want to be able to assess your first, natural response to the questions.

Behaviours are the actions and activities that people do which result in effective performance in a job. We want to get an understanding of the actions and activities that you have done (or would do) that result in effective performance.

We will assess you against the following behaviours during the selection process:

• Seeing the big picture
• Communicating and Influencing
• Working Together, Please ensure that you remove from your application, all references to your:
• name/title
• educational institutions
• age
• gender
• email address
• postal address
• phone number
• nationality/immigration status

We reserve the right to raise the minimum pass mark in the event of a high volume or strong field of candidates.

Please be aware that this role can only be worked in the UK from the location options provided and not from overseas.

The government is committed to supporting apprenticeships, enabling people to learn and progress in a role whilst earning. We want to monitor the number of people who have completed apprenticeships who are now applying to progress further in their career and are asking this question to all candidates, on all vacancies. You will be asked a question as part of the application process about any previous apprenticeships you have completed. Your response to this question will not affect your application and it is not a requirement of the role to have completed a previous apprenticeship.

If successful and transferring from another Government Department a criminal record check maybe carried out., Any move to Department for Education (DfE) will mean you will no longer be able to carry on claiming childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax-Free Childcare. Determine your eligibility at https://www.childcarechoices.gov.uk/ Feedback will only be provided if you attend an interview or assessment.

Security

Successful candidates must undergo a criminal record check. Successful candidates must meet the security requirements before they can be appointed. The level of security needed is security check .

See our vetting charter . People working with government assets must complete baseline personnel security standard (opens in new window) checks., * UK nationals

• nationals of the Republic of Ireland
• nationals of Commonwealth countries who have the right to work in the UK
• nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
• nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
• individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
• Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service

Do you have experience in ServiceNow?, * Demonstrate experience handling major cyber security incidents.

• Strong understanding of incident response lifecycle.
• Proven ability to act as the primary incident handler for significant cyber security incidents.
• Excellent communication skills for co-ordinating internal and external communications during an incident.
• Experience in developing and maintain playbooks.
• Experience running tabletop exercises and simulations to test incident response plans., * Formal training in incident response.
• Experience establishing and leading Gold/Silver/Bronze command structures during major incidents.
• Experience liaising with external bodies such as NCSC, GC3, other government departments and external agencies.

Alongside your salary of £42,806, Department for Education contributes £12,400 towards you being a member of the Civil Service Defined Benefit Pension scheme. Find out what benefits a Civil Service Pension provides.

Applicants currently holding a permanent post in the Civil Service should note that, if successful, their salary on appointment would be determined by the Department’s transfer / promotion policies.

As a member of the DfE, you will be entitled to join the highly competitive Civil Service Pension Scheme, which many experts agree is one of the most generous in the UK.

You will have 25 days leave, increasing by 1 day every year to a maximum of 30 days after five years’ service. In addition, all staff receive the King’s Birthday privilege holiday and 8 days’ bank and public holidays.

We offer flexible working arrangements, such as job sharing, term-time working, flexi-time and compressed hours.

Most DfE employees will be working a hybrid pattern, spending at least 60% of their time in an office or work setting. Changes to these working arrangements are available in exceptional circumstances but must be agreed with the line manager and in line with the requirements of the role.

Travel to your primary office location will not be paid for by DfE, but travel to an office which is not your main location will be covered.

As an organisation, which exists to support education and lifelong learning, we offer our staff excellent professional development opportunities., In order to process applications without delay, we will be sending a Criminal Record Check to Disclosure and Barring Service on your behalf. However, we recognise in exceptional circumstance some candidates will want to send their completed forms direct. If you will be doing this, please advise Department of Education of your intention by emailing Pre-Employment.Checks.DFE@education.gov.uk stating the job reference number in the subject heading.

Department for Education do not cover the cost of travel to your interview/assessment unless otherwise stated.

A reserve list may be held for a period of 6 months from which further appointments can be made.

Candidates will be posted in merit order based upon location preference. Where more than one location is advertised you will be asked to state your preferred location.

New entrants are expected to join on the minimum of the pay band.

Applicants who are successful at interview will be, as part of pre-employment screening subject to a check on the Internal Fraud Database (IFD). This check will provide information about employees who have been dismissed for fraud or dishonesty offences. This check also applies to employees who resign or otherwise leave before being dismissed for fraud or dishonesty had their employment continued. Any applicant’s details held on the IFD will be refused employment.

Terms and conditions of candidates transferring from ALBs and NDPBs

Bodies that are not accredited by the Civil Service Commission and are not able to advertise at Across Government on Civil Service jobs will be treated as external new starters and will come into DfE on modernised terms and conditions with a salary at the band minimum.

Bodies that are accredited by the Civil Service Commission but do not have civil service status will be offered modernised terms and will not have continuous service recognised for leave or sickness benefits. Salaries should be offered at band minimum, but there is some flexibility where this would cause a detriment to the individual.

Bodies that are accredited by the Civil Service Commission and do have Civil Service status will be treated as OGD transfers. Staff appointed on lateral transfer will move on to pre-modernised DfE terms (unless they were on modernised terms in their previous organisation). Staff appointed on promotion will move on to modernised DfE terms. Staff will transfer over on their existing salary (on lateral transfer) and any pay above the DfE pay band maximum will be paid as a mark time allowance. Staff moving on promotion will have their salaries calculated using the principles set out in the attached OGD transfer supplementary information.

Reasonable adjustment

If a person with disabilities is put at a substantial disadvantage compared to a non-disabled person, we have a duty to make reasonable changes to our processes. If you need a change to be made so that you can make your application, you should

CISD is responsible for ensuring the Department’s digital services and data are secure. Joining our team will mean you will help to safeguard children and ensure their education and care is delivered effectively by building ways of working and systems