OFFICIAL
Head of Information Security Policy and Guidance
Grade 7
Role Purpose
Acting under delegated authority from the Chief Information Security Officer, you will be the formal owner of the Ministry of Justice Information Security Policy Framework. You will provide strategic leadership for how information security policy is defined, structured and maintained across the department, ensuring we have a coherent, authoritative and proportionate set of security policies, standards and guidance that clearly define required security outcomes, reflect our security risk appetite and enable secure delivery across a complex operational environment.
You will translate strategic security objectives, risk insight and cross-government requirements into practical, accessible policy that can be understood and applied across the Ministry of Justice’s large and diverse organisation. You will also act as the department’s senior point of reference for the interpretation and application of security policy, advising colleagues and leaders where clarification or judgement is required.
Leading a small team of specialist technical writers, you will set direction, standards and governance for the department’s security policy estate, working closely with security specialists across and beyond the department to ensure published policy, standards and guidance reflect domain expertise, current good practice and the realities of operational delivery.
As part of the Deputy CISO’s leadership team, you will work in close partnership with the Head of Information Security Awareness, Culture and Education to ensure security expectations are clearly defined in policy and effectively translated into practice across the organisation. Together these roles ensure the Ministry of Justice maintains both a clear and authoritative security policy framework and the organisational capability required to understand and apply it in practice.
Key Responsibilities
Strategic Leadership
Own the MoJ Information Security Policy Framework, ensuring it remains current, coherent and aligned to:
MoJ risk appetite
Cross-government policy and standards
Legal and regulatory requirements
Act as the department’s authoritative voice on information security policy interpretation and application.
Anticipate emerging risks, technology changes and government direction, ensuring policy evolves proactively.
Provide strategic leadership for how security policy is structured, communicated and maintained across the department.
Represent the Deputy CISO in forums and other engagements as required.
Policy Development & Governance
Lead the development, review and maintenance of all information security policies, standards and supporting guidance.
Work closely with specialists from across the department to understand and translate their expertise, requirements and operational needs into clear, authoritative policy, standards and guidance.
Maintain a prioritised policy, guidance and standards roadmap aligned to business needs, risk, assurance findings and cross-government direction. Regularly update the portfolio to consolidate and simplify existing material, to reduce the burden on users.
Establish and operate robust governance covering approval, review cycles and retirement of outdated material.
Build confidence across the organisation that security policy provides clear, proportionate and risk-based direction for operational delivery.
Work closely with the Awareness, Culture and Education team to:
Test policy usability and comprehension
Identify areas of confusion or friction
Ensure guidance supports safe, real-world decision-making
Use feedback from operational teams and assurance activities to continuously improve the effectiveness of security policy and guidance.
Team Leadership
Provide leadership, mentoring and professional development to build capability within your team of technical authors and policy specialists.
Set and maintain clear standards for plain-English, user-centric security policy development, to ensure consistency of tone, structure and intent across all security documentation.
Collaborate with colleagues across other MoJ security teams, in particular colleagues from the physical, personnel, data protection and information services teams, to help ensure strong alignment and mutual reinforcement of all our work.
Stakeholder Engagement & Influence
Build and maintain strong relationships with:
Digital, Technology and Data teams
Cross-department security teams
Agencies and arm's-length bodies
Act as a trusted advisor, helping stakeholders understand what policy requires, why it matters, and how to interpret it.
Navigate differing operational contexts across a large, diverse department while maintaining consistency.
Influence senior stakeholders and operational leaders to ensure that security policy is understood, applied consistently and supports secure delivery of departmental services.
Essential Skills & Experience
Proven experience leading security, technology or risk policy in a large, complex organisation.
Strong understanding of how security policy interacts with risk appetite, assurance and operational delivery.
Strong leadership and stakeholder management experience.
Exceptional communication skills, with the ability to make complex policy clear and accessible to a range of different stakeholders, including senior audiences.
Desirable
Experience acting as a formal policy owner or decision authority, including resolving contested interpretations of policies.
Understanding of how information security frameworks and standards such as the Cyber Assessment Framework (CAF), GovAssure and ISO 27001 map to security policy.
Experience of cross-government security policy or central government frameworks.
Background in information security, cyber security, technology risk or assurance.
Experience applying user-centred design or accessibility principles to policy.
Civil Service Behaviours
Essential
Seeing the Big Picture
Communicating and Influencing
Managing a Quality Service
Working Together
Making Effective Decisions
Desirable
Changing and Improving
Delivering at Pace