NHS England

Health & Care System Cyber Security Compliance Lead - Joint Cyber Unit

The closing date is 08 October 2025

Apply for this job

Job summary

The Joint Cyber Unit (JCU) is a collaboration between the Department of Health and Social Care (DHSC) and NHS England (NHSE). The JCU is embedded within the Digital Policy Unit (DPU), a unit comprising both DHSC staff and NHSE staff intended to design, plan and build a digitally enabled, data driven and safe health and social care system with ministers and the NHS.

The purpose of the JCU is to provide strategic leadership in cyber security across the health and care sector, assure the cyber security of the sector, act as system stewards to improve cyber resilience across the health and care system and to provide advice which empowers health and care staff to share information appropriately and securely to deliver care.

The JCU is comprised of two divisions:

  • Governance, Risk and Compliance - cyber and information governance, system engagement, system compliance, system supply chain, system risk management and internal JCU business operations.
  • Strategy and Policy - development and implementation of national strategy, policy and regulation.

The purpose of the Compliance and Engagement team is to monitor performance and assess the cyber security compliance of organisations across the Health and Care landscape, identifying where organisations need more support through providing evidence-based confidence in the effectiveness of cyber security controls, processes and systems.

Main duties of the job

  • Evaluating compliance against statutory, regulatory and NHS requirements such asData Security and Protection Toolkit (DSPT), Network and Information Systems (NIS) Regulations and national security policies.
  • Engaging with the NHSE regional cyber leads to understand drivers, blockers and emerging incidents related to cyber security.
  • Developing strategies and supports Board level decision making by presenting findings aligned to business risk and impact.
  • Developing strategies to support remediation work across the health and care system supporting organisations to improve their cyber security maturity.
  • Monitoring performance of organisations across Health and Care, identifying organisations where more support is needed and unblocks access to further support through funding, national services, regulation or engagement.
  • Analysing and reporting on compliance performance across the system identifying trends and common areas of weakness across the system.

About us

The NHS England board have set out the top-level purpose for the new organisation to lead the NHS in England to deliver high-quality services for all, which will inform the detailed design work and we will achieve this purpose by:

  • Enabling local systems and providers to improve the health of their people and patients and reduce health inequalities.
  • Making the NHS a great place to work, where our people can make a difference and achieve their potential.
  • Working collaboratively to ensure our healthcare workforce has the right knowledge, skills, values and behaviours to deliver accessible, compassionate care
  • Optimising the use of digital technology, research, and innovation
  • Delivering value for money.

If you would like to know more or require further information, please visithttps://www.england.nhs.uk/.

Colleagues with a contractual office base are expected to spend, on average, at least 40% of their time working in-person.

Staff recruited from outside the NHS will usually be appointed at the bottom of the pay band.

If you are successful at interview, we will run an Inter Authority Transfer (IAT) in the Electronic Staff Record system (ESR). This transfer gathers valuable information from a previous or current NHS employer to support the onboarding process, including; statutory and mandatory competency status, Continuous Service Dates (CSD), and annual leave entitlement. You will have the opportunity throughout the recruitment process to inform us if you do not consent.

Details

Date posted

24 September 2025

Pay scheme

Agenda for change

Band

Band 8c

Salary

£100,054.50 to £115,286.60 a year (inclusive of 30% RRP): exclusive of London Weighting

Contract

Fixed term

Duration

11 months

Working pattern

Full-time

Reference number

990-TD-DPU-16847-E

Job locations

Wellington Place/ Wellington House

Leeds / London

LS1 4AP


Job description

Job responsibilities

As a Health and Care System Cyber Security Compliance Lead within the Joint Cyber Unit, the post holder will work as part of a dynamic team in delivering an effective service supporting cyber security risk reduction across the health and care system.

The post holder will lead the provision of an efficient, effective, and high quality professional and well-coordinated system wide Health and Care cyber security compliance service capable of meeting all statutory, regulatory and NHS requirements ensuring alignment with the activity of the organisation.

The post holder will be responsible for:

  • Provide team leadership and subject matter expertise in security compliance.
  • Oversee team workload and capacity, collaborating with other leaders to align resources and priorities.
  • Lead the delivery of a responsive, high quality cyber security compliance service.
  • Drive remediation of cross-cutting security issues through the design and continuous delivery of security improvement plans.
  • Partner with regional stakeholders to strengthen cyber maturity and organisational resilience.
  • Coordinate cyber security compliance activities across a diverse stakeholder base to drive meaningful security improvement and maintain clear lines of communication.
  • Scope and assess the security posture of Health and Care Organisations taking an evidence based approach
  • Develop and manage security compliance metrics to inform evidence based decision making
  • Lead compliance activities aligned with key frameworks and legislation such as: NCSC CAF, NIS Regulations, and the DSPT.
  • Providing cyber security expertise supporting the development, implementation, and monitoring of the compliance service.
  • Providing comprehensive compliance plans and progress reports to the relevant Boards as per the agreed reporting schedule and on an ad hoc basis as required
  • Working closely with other leads and sponsor directors to ensure interdependencies across all compliance areas are considered and actions aligned
  • Managing the day-to-day activities of the compliance service as well as contribute specialist knowledge to develop effective strategy and operational policies
  • Engaging with key strategic regional and national policy makers to inform development of strategy and policies
  • Identifying examples of national and international best practice and to ensure that benefits from relevant innovations in healthcare are realised
  • Developing and champion new initiatives or projects as necessary
  • Ensuring that the team members work cohesively within the team and with other programmes.
  • Providing leadership, direction, and support to ensure a consistent approach through programme management to delivering organisational objectives.

The post of Health and Care System Cyber Compliance Lead has been awarded a Recruitment and Retention Premia (RRP) in response to current labour market conditions. In recognition of this, the role attracts an additional monthly RRP payment equal to 30% per annum.

Please be aware that RRP is non-contractual and subject to review.

Please note that the reason for the fixed term of this contract iscovering vacancy.

National Security Vetting

Important: Please be aware there are residency requirements you need to meet:

All NHS England Cyber Security personnel must hold SC level as a minimum.

To meet National Security Vetting requirements, SC clearances require 5 years continuous UK residency. In certain cases, this can be reduced to three years continuous UK residency, with additional overseas checks for the previous two years.

Candidates who were posted abroad for service with HM Government, Armed Forces or within a UK government role - will still be considered.

Please make sure you meet these requirements before applying for this role. You dont need to have SC already, however, failure to achieve the requirements for SC after offer, will result in the job offer being withdrawn.

For further advice please check https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels/national-security-vetting-clearance-levels#security-check-sc.

For further information on National Security Vetting please check National security vetting: clearance levels - GOV.UK, information on the Security Vetting and Clearances Intranet page or contact england.securityvetting@nhs.net.

You can find further details about the role, including key responsibilities and accountabilities, alongside the organisational structure and person specification in the attached Job Description and other supporting documents.

Secondments

Applicants from within the NHS will be offered on a secondment basis only, agreement should be obtained from their employer prior to submitting the application.

Role Title

The job title advertised is for the purposes of advertising, the successful candidate(s) will be hired with the job title of Cyber Operations and Engagement Lead until a formal change can be made.

Job description

Job responsibilities

As a Health and Care System Cyber Security Compliance Lead within the Joint Cyber Unit, the post holder will work as part of a dynamic team in delivering an effective service supporting cyber security risk reduction across the health and care system.

The post holder will lead the provision of an efficient, effective, and high quality professional and well-coordinated system wide Health and Care cyber security compliance service capable of meeting all statutory, regulatory and NHS requirements ensuring alignment with the activity of the organisation.

The post holder will be responsible for:

  • Provide team leadership and subject matter expertise in security compliance.
  • Oversee team workload and capacity, collaborating with other leaders to align resources and priorities.
  • Lead the delivery of a responsive, high quality cyber security compliance service.
  • Drive remediation of cross-cutting security issues through the design and continuous delivery of security improvement plans.
  • Partner with regional stakeholders to strengthen cyber maturity and organisational resilience.
  • Coordinate cyber security compliance activities across a diverse stakeholder base to drive meaningful security improvement and maintain clear lines of communication.
  • Scope and assess the security posture of Health and Care Organisations taking an evidence based approach
  • Develop and manage security compliance metrics to inform evidence based decision making
  • Lead compliance activities aligned with key frameworks and legislation such as: NCSC CAF, NIS Regulations, and the DSPT.
  • Providing cyber security expertise supporting the development, implementation, and monitoring of the compliance service.
  • Providing comprehensive compliance plans and progress reports to the relevant Boards as per the agreed reporting schedule and on an ad hoc basis as required
  • Working closely with other leads and sponsor directors to ensure interdependencies across all compliance areas are considered and actions aligned
  • Managing the day-to-day activities of the compliance service as well as contribute specialist knowledge to develop effective strategy and operational policies
  • Engaging with key strategic regional and national policy makers to inform development of strategy and policies
  • Identifying examples of national and international best practice and to ensure that benefits from relevant innovations in healthcare are realised
  • Developing and champion new initiatives or projects as necessary
  • Ensuring that the team members work cohesively within the team and with other programmes.
  • Providing leadership, direction, and support to ensure a consistent approach through programme management to delivering organisational objectives.

The post of Health and Care System Cyber Compliance Lead has been awarded a Recruitment and Retention Premia (RRP) in response to current labour market conditions. In recognition of this, the role attracts an additional monthly RRP payment equal to 30% per annum.

Please be aware that RRP is non-contractual and subject to review.

Please note that the reason for the fixed term of this contract iscovering vacancy.

National Security Vetting

Important: Please be aware there are residency requirements you need to meet:

All NHS England Cyber Security personnel must hold SC level as a minimum.

To meet National Security Vetting requirements, SC clearances require 5 years continuous UK residency. In certain cases, this can be reduced to three years continuous UK residency, with additional overseas checks for the previous two years.

Candidates who were posted abroad for service with HM Government, Armed Forces or within a UK government role - will still be considered.

Please make sure you meet these requirements before applying for this role. You dont need to have SC already, however, failure to achieve the requirements for SC after offer, will result in the job offer being withdrawn.

For further advice please check https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels/national-security-vetting-clearance-levels#security-check-sc.

For further information on National Security Vetting please check National security vetting: clearance levels - GOV.UK, information on the Security Vetting and Clearances Intranet page or contact england.securityvetting@nhs.net.

You can find further details about the role, including key responsibilities and accountabilities, alongside the organisational structure and person specification in the attached Job Description and other supporting documents.

Secondments

Applicants from within the NHS will be offered on a secondment basis only, agreement should be obtained from their employer prior to submitting the application.

Role Title

The job title advertised is for the purposes of advertising, the successful candidate(s) will be hired with the job title of Cyber Operations and Engagement Lead until a formal change can be made.

Person Specification

Qualifications

Essential

  • CISSP/CISA/CISM/CRISC or equivalent qualification from a recognised security focussed professional body

Experience

Essential

  • Extensive knowledge and experience of the strategies, frameworks, controls and processes used to encourage good cyber hygiene
  • Extensive knowledge and experience of the processes, tools and techniques of information security management, ability to deploy and monitor information security systems, as well as detect, resolve and prevent violations of IT security, to protect organisational data.
  • Extensive knowledge and experience of techniques, roles, and responsibilities in providing technical or business guidance to clients, both internal and external; ability to apply this knowledge appropriately to diverse situations.

Desirable

  • The post holder will have a strong track record in strategic and operational delivery within the NHS and social care, with in-depth knowledge, skills and experience in programme and project management.
  • Experience leading change projects and programmes in health and/or social care environments.

Skills

Essential

  • Provide and receive highly complex, sensitive and contentious information, negotiate with senior stakeholders on difficult and controversial issues, and present complex and sensitive information to large and influential groups.
  • Negotiate on difficult and very complex and detailed issues.
  • Highly developed team management, co-ordination, and motivation skills as well as excellent listening and negotiation skills.

Desirable

  • Ability to analyse complex facts and situations and develop a range of options.
Person Specification

Qualifications

Essential

  • CISSP/CISA/CISM/CRISC or equivalent qualification from a recognised security focussed professional body

Experience

Essential

  • Extensive knowledge and experience of the strategies, frameworks, controls and processes used to encourage good cyber hygiene
  • Extensive knowledge and experience of the processes, tools and techniques of information security management, ability to deploy and monitor information security systems, as well as detect, resolve and prevent violations of IT security, to protect organisational data.
  • Extensive knowledge and experience of techniques, roles, and responsibilities in providing technical or business guidance to clients, both internal and external; ability to apply this knowledge appropriately to diverse situations.

Desirable

  • The post holder will have a strong track record in strategic and operational delivery within the NHS and social care, with in-depth knowledge, skills and experience in programme and project management.
  • Experience leading change projects and programmes in health and/or social care environments.

Skills

Essential

  • Provide and receive highly complex, sensitive and contentious information, negotiate with senior stakeholders on difficult and controversial issues, and present complex and sensitive information to large and influential groups.
  • Negotiate on difficult and very complex and detailed issues.
  • Highly developed team management, co-ordination, and motivation skills as well as excellent listening and negotiation skills.

Desirable

  • Ability to analyse complex facts and situations and develop a range of options.

Disclosure and Barring Service Check

This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.

UK Registration

Applicants must have current UK professional registration. For further information please see NHS Careers website (opens in a new window).

Additional information

Disclosure and Barring Service Check

This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.

UK Registration

Applicants must have current UK professional registration. For further information please see NHS Careers website (opens in a new window).

Employer details

Employer name

NHS England

Address

Wellington Place/ Wellington House

Leeds / London

LS1 4AP


Employer's website

https://www.england.nhs.uk/about/working-for/ (Opens in a new tab)

Employer details

Employer name

NHS England

Address

Wellington Place/ Wellington House

Leeds / London

LS1 4AP


Employer's website

https://www.england.nhs.uk/about/working-for/ (Opens in a new tab)

Employer contact details

For questions about the job, contact:

Head of Cyber Security Compliance and Engagement

Sarah Murphy

england.cyber@nhs.net

Details

Date posted

24 September 2025

Pay scheme

Agenda for change

Band

Band 8c

Salary

£100,054.50 to £115,286.60 a year (inclusive of 30% RRP): exclusive of London Weighting

Contract

Fixed term

Duration

11 months

Working pattern

Full-time

Reference number

990-TD-DPU-16847-E

Job locations

Wellington Place/ Wellington House

Leeds / London

LS1 4AP


Supporting documents

Privacy notice

NHS England's privacy notice (opens in a new tab)