Information Assurance and Security: Information assurance and data protection

Find out about the job roles that comprise the information assurance and data protection job family practice.

Head of information assurance and data protection

Role summary

The Head of Information Assurance and Risk is responsible for policy advice on data protection, and for guidance and advice on the security and protection of personal data and the management of information assets. They provide strategic direction, anticipate challenges, drive performance and build the capability required in the specialism.

Typical role level expectations

  • Initiate and influence relationships with and between key stakeholders, in taking forward all aspects of security in data protection and information assurance, acting as a primary point of contact for senior stakeholders and influencers.
  • Develop data protection and information assurance policy, standards and guidelines appropriate to business, technology and legal requirements and in accordance with best professional and industry practice.
  • Deliver policy advice to Ministers and manage the relationship with the UK Government lead for data protection.
  • Operate as a focus for data protection and information assurance expertise for the organisation and the wider central government community, providing authoritative advice and guidance on the application and operation of all types of security controls.
  • Oversee the work of the data protection and information assurance function. This includes project and task definition and prioritisation, quality management and budgetary control, and management tasks such as recruitment and training.

Entry route

Internal: Suitable for an individual from the Digital, Data and Technology Profession from roles in information assurance, information governance, and cyber defence.

External: Suitable for an individual qualified in, or with extensive experience in, a relevant field.

Skills required to be a head of security and information risk

  • Communicating between the technical and non-technical. Is able to communicate effectively across organisational, technical and political boundaries, understanding the context. Makes complex and technical information and language simple and accessible for non-technical audiences. Is able to advocate and communicate what a team does to create trust and authenticity, and can respond to challenge.
  • Enabling and informing risk-based decisions. Capable of making and guiding effective decisions on risk, explaining clearly how the decision has been reached. Able to make decisions proportionate to the level of technical complexity and risk.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Legal and regulatory environment and compliance. Legal and regulatory environment and compliance refers to an organisation’s adherence to laws, regulations, guidelines and specifications relevant to its business processes. It consists of a blend of compliance requirements and assurance capabilities. Principles of the skill include understanding the legal and regulatory environment within which the business operates, ensuring that information security governance arrangements are appropriate, and ensuring that the organisation complies with legal and regulatory requirements.
  • Planning. Able to take a continuous approach to planning, forecasting, estimating, managing uncertainty, metrics and measurements, contingency planning and roadmapping. Able to communicate the plan, planning assumptions and progress to a range of stakeholders. Maintains the cadence of delivery and manages the relationships between different people within and across teams.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change in line with the locally identified threats and vulnerabilities.
  • Relationship management. Identifies, analyses, manages and monitors relationships with and between stakeholders. Clarifies mutual needs and commitments through consultation and consideration of impacts. For example, the coordination of all promotional activities to one or more customers to achieve satisfaction for the customer and an acceptable return for the supplier; assistance to the customer to ensure that maximum benefit is gained from products and services supplied.
  • Strategic thinking. Able to have an overall perspective on business issues, events, activities and an understanding of their wider implications and long-term impact. This could include determining patterns, standards, policies, roadmaps and vision statements. Can focus on outcomes rather than solutions and activities.

Skills needed for this role

  • Communicating between the technical and non-technical (Relevant skill level: expert). At this level you:
    • Are able to mediate and mend relationships, communicating with stakeholders at all levels.
    • Are able to manage stakeholders’ expectations and facilitate discussions across high risk or complex topics, or under constrained timescales.
    • Are able to speak and represent the community to large audiences inside and outside of government.
  • Enabling and informing risk-based decisions (Relevant skill level: practitioner). At this level you:
    • Work with higher impact or more complex risks.
    • Advise on the impact of these and whether this is within risk tolerance.
    • Are able to apply different risk methodologies in proportion to the risk in question.
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning.
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems.
    • Inspect and report on the security characteristics of systems with straightforward scope.
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment.
  • Legal and regulatory environment and compliance (Relevant skill level: expert). At this level you:
    • Lead the application of major legislation and regulations relevant to security, to ensure security is a business enabler.
    • Champion opportunities that regulation and compliance can provide to an organisation at senior manager or board level.
    • Promote regulation and compliance within the security function.
    • Advise on the development of new legislation and regulation.
    • Lobby external authorities, e.g. for niche regulation.
  • Planning (Relevant skill level: practitioner). At this level you:
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets.
    • Identify aspects from across the breadth of the security field.
    • Promote protective security, providing advice to others.
  • Relationship management (Relevant skill level: expert). At this level you:
    • Determine the strategic vision and direction.
    • Positively influence key senior stakeholders.
    • Provide an arbitration function.
  • Strategic thinking (Relevant skill level: expert). At this level you:
    • Lead the design and implementation of strategy, directing the evaluation of strategies and policies to ensure business requirements are being met.
