Security Architect - Cloud Risk and Controls
Job description
We are seeking a seasoned Security Architect - Cloud Risk and Controls to lead the development and implementation of cloud governance, risk, and security frameworks. This pivotal role is responsible for aligning cloud operations with regulatory, security, and risk management requirements while enabling secure and scalable service delivery.
Acting as both a subject matter expert and strategic advisor, you will partner with architects, engineers, and delivery teams to ensure cloud services meet required compliance postures and risk tolerances.
You will embed security and assurance into technical delivery lifecycles while shaping the future of cloud governance in line with GDS, NCSC, and wider public sector expectations.
In this role you will
- Architect and maintain the Cloud Control Framework to govern platform and service-level security.
- Map control implementations to compliance standards such as ISO 27001, DSPT, CAF, and CIS.
- Collaborate with architects and engineers to embed security controls and risk mitigations into design.
- Lead technical control reviews, threat assessments, and compliance validation activities.
- Design and maintain governance processes for testing, monitoring, and reporting on control effectiveness.
- Act as the primary security and risk contact for auditors and regulatory reviews.
- Guide cloud teams through control implementation, remediation plans, and control assurance.
- Develop dashboards and metrics to monitor risk posture, maturity, and compliance status.
- Maintain control documentation and provide training and communication across technical teams.
- Enable safe innovation by embedding proportionate and agile security practices.
Please note that this list is not exhaustive.
We pride ourselves on being an employer of choice, where Everyone Matters. We promote equality of opportunity and actively encourage applications from everyone, including groups currently underrepresented in our workforce.
The UKHSA ethos is to be an inclusive organisation for all our staff and stakeholders: to create, nurture and sustain an inclusive culture, where differences drive innovative solutions to meet the needs of our workforce and wider communities. We do this by celebrating and protecting differences, removing barriers, and promoting equity and equality of opportunity for all.
Please visit our careers site for more information: https://gov.uk/ukhsa/careers
As the Security Architect - Cloud Risk and Controls, you will play a central role in building and embedding cloud security, governance, and assurance across all cloud environments. This includes owning and evolving control frameworks, interpreting regulatory expectations, and enabling secure digital delivery.
- Architect a scalable Cloud Control Framework aligned to the organisation's cloud strategy and GDS service standards.
- Establish implementation roadmaps for control maturity and track technical alignment over time.
- Conduct cloud-specific risk assessments, influence design decisions, and ensure shared responsibility is well understood.
- Act as a liaison between engineering, audit, and governance stakeholders to resolve control gaps.
- Perform security impact reviews for new cloud services, designs, and deployments.
- Maintain a centralised risk register, control library, and assurance evidence portfolio.
- Lead internal audit readiness, compliance walkthroughs, and responses to external assurance activity.
- Contribute to governance bodies such as architecture boards, change control, and cloud steering groups.
- Develop key performance indicators (KPIs) and dashboards to visualise control coverage and effectiveness.
- Coach and upskill engineers and product teams on secure architecture and operational risk.
Working Relationships
You will work closely with the Cloud Centre of Excellence, platform engineers, enterprise architects, delivery teams, information governance, and external assurance partners.
Additional Clauses
The role aligns with the GDaD Security Architecture capability framework. The post holder may be required to undergo SC clearance depending on access requirements. Occasional travel will be required for stakeholder workshops and assessments.
You will be asked to prepare and present a 5-10 minute presentation. The subject of this will be one of the following:
- Designing a Cloud Control Framework
Present your approach to designing and implementing a Cloud Control Framework for a multi-cloud environment (AWS and Azure). Explain how you would align controls with frameworks such as ISO 27001, NCSC CAF, DSPT, and CIS, while enabling agile delivery and innovation.
- Embedding Security and Risk Management into Cloud Delivery
Describe how you would embed proportionate security controls and risk management within agile cloud delivery teams. Include how you would balance assurance, delivery velocity, and user needs.
- Managing Cloud Risk and Assurance
Using a recent or hypothetical example, outline how you would identify, assess, and mitigate cloud-related risks. Explain how you would communicate these risks to both technical and non-technical stakeholders and maintain auditable evidence for assurance.
- Driving Continuous Improvement and Maturity
Present how you would measure and report on the maturity of cloud risk and control capabilities over time. Include your approach to developing dashboards, KPIs, or metrics to evidence improvements in compliance posture and control effectiveness.
- Collaboration and Governance
Outline how you would work with engineering, architecture, governance, and audit teams to build a shared understanding of "secure by design." Describe how you would handle conflicts between delivery priorities and compliance requirements.
Requirements
Essential criteria:
- Extensive and proven experience in IT security architecture, risk management, or GRC in cloud environments.
- A degree (Level 6 or equivalent experience) in Cyber Security, Computer Science, Information Systems, or a related technical field.
- Expertise in public cloud platforms (AWS / Azure) and cloud-native security services.
- In-depth knowledge of regulatory requirements and compliance frameworks (e.g., NCSC CAF, ISO 27001, DSPT, CIS).
- Demonstrated experience designing and implementing technical controls in cloud environments.
- Familiarity with security architecture standards, risk assessments, and threat modelling.
- Experience interfacing with auditors and responding to assurance activities.
- Ability to develop dashboards and metrics to track risk and compliance status.
- Excellent communication skills with the ability to explain security concepts to technical and non-technical audiences.
- Proven track record working across multidisciplinary teams to embed secure-by-design principles.
- Strong documentation skills and the ability to maintain clear and auditable control records.
Desirable criteria:
- Security or GRC certifications such as CISSP, CISM, CRISC, or CCSK.
- Experience in the public sector or within GDS-aligned digital service delivery.
- Knowledge of automated compliance tooling (e.g., AWS Config, Azure Policy, Prisma, Sentinel).
- Understanding of Zero Trust architecture principles.
- Familiarity with secure software development lifecycle (SSDLC) practices.
- Background in technical governance or security assurance reviews.
- Experience with service and operational risk registers in a cloud environment.
- Knowledge of NIST 800-53 or ENISA guidance.
- Experience contributing to risk remediation and incident response processes.
- Involvement in cross-government security forums or communities of practice.
Benefits & conditions
If you are successful at interview, and are moving from another government department, NHS, or Local Authority, the relevant starting salary principles for level transfers or promotions will apply. Otherwise, roles are offered at the pay scale minimum for the grade, but in exceptional circumstances there may be flexibility if you are able to demonstrate you are already in receipt of an existing, higher salary. Pay increases are through the relevant annual pay award for the role and terms.
Please be aware that the salary is based on the office location.
Grade 6
- £70,797 - £81,450 (National)
- £72,950 - £83,443 (Outer London)
- £75,104 - £85,436 (Inner London)
You may be entitled to a Market Pay Supplement (MPS) of up to £15,000.