
Cybersecurity & Compliance Specialist

Salvone Technology Solutions DMCC
Dubai, UAE
fulltime
Mid-Senior
5 days ago
cybersecurity, information security, network security, SOC, SIEM, penetration testing

Full Job Posting

About Salvone

Salvone Technology Solutions is the technology arm of one of the leading UK healthcare providers across hospitals, residential homes, supported living, and nursing services.

We design and operate the platforms, ERP, integrations, analytics, and workforce systems that power operations, compliance, and care delivery across the group.

Our environment moves regulated, often clinical, data between systems on behalf of the people in our care.

As our client base and platform estate grow, so does the bar for how we protect that data.

We are hiring a Cybersecurity & Compliance Specialist to be the hands-on engine of our security and compliance programme.

Role Purpose

You will own the day-to-day security posture of our estate and drive the certifications and data-protection obligations our clients and regulators expect — ISO 27001, Cyber Essentials Plus, the NHS Data Security and Protection Toolkit (DSPT), the NHS Digital Technology Assessment Criteria (DTAC), and UK GDPR / Data Protection Act 2018.

This is a hands-on specialist role.

You will work closely with the development and enterprise applications team, with focus on the security and compliance layer that sits across all of it.

Key Responsibilities

*Security operations & posture*

· Run vulnerability management end-to-end: scanning, triage, remediation tracking, and verification with the infrastructure team.

· Oversee patch compliance and hardening baselines across cloud, servers, and endpoints.

· Monitor security events and alerts through our SIEM (Wazuh), investigate anomalies, and tune detection.

· Maintain endpoint protection coverage and review logs for early signs of compromise.

· Track and reduce security debt with clear owners and dates.

*Compliance & certifications*

· Drive the ISO 27001 programme day-to-day: maintain the ISMS, implement and evidence controls, and prepare for internal and external audits.

· Deliver Cyber Essentials Plus and the NHS DSPT submission, keeping evidence current year-round rather than scrambling at deadline.

· Assemble and maintain NHS DTAC assessment packs for our platforms — clinical safety, data protection, technical security, interoperability, and usability.

· Maintain a single, audit-ready control and evidence library; run and improve compliance tooling (e.g. Vanta, Drata) where adopted.

*Data protection (UK GDPR / DPA 2018)*

· Maintain the Record of Processing Activities (ROPA) and data-retention schedules.

· Run Data Protection Impact Assessments (DPIAs) for new systems and data flows.

· Operate the data-subject-request and breach processes, including ICO notification timelines.

· Support our obligations as a data processor to our clients — security questionnaires, contracts, and assurance.

*Identity, access & resilience*

· Run quarterly access reviews and enforce least privilege across systems.

· Apply a security lens to joiner / mover / leaver and to secrets hygiene, partnering with infrastructure on MFA and conditional-access posture.

· Maintain incident-response runbooks, run tabletop drills, and lead post-incident reviews.

· Verify backups and recovery from a security standpoint — tested, not assumed.

*Vendor security & awareness*

· Complete inbound client security questionnaires and run outbound supplier security reviews.

· Run security-awareness training and phishing simulations, and write policies people will actually follow.

Required Qualifications

· 2–4 years in a cybersecurity, GRC, or security-focused IT role.

· Hands-on contribution to at least one compliance framework — ISO 27001, Cyber Essentials, SOC 2, or NHS DSPT.

· Working knowledge of UK GDPR / Data Protection Act 2018 (or an equivalent data-protection regime) in practice, not just theory.

· Familiarity with cloud security (AWS preferred): IAM, security groups, GuardDuty, Config, and logging.

· Microsoft 365 / Entra ID security: conditional access, MFA, and Secure Score.

· Exposure to vulnerability management and SIEM tooling (Wazuh, Sentinel, Splunk, or similar).

· Scripting for automation: Python, Bash, or PowerShell.

· Strong documentation discipline. If it isn’t written down, it didn’t happen.

· Clear written and spoken English; able to write a policy someone will actually read.

Desirable Skills

· ISO 27001 Lead Implementer or Lead Auditor certification; Cyber Essentials assessor experience.

· NHS DTAC, DSPT, or clinical-safety exposure (DCB0129 / DCB0160).

· Security certifications: CompTIA Security+, SSCP, AZ-500, AWS Security Specialty, CEH, or working towards CISSP.

· Compliance automation tooling (Vanta, Drata, or similar).

· Experience in a regulated industry — healthcare, finance, or public sector.

· Penetration-testing fundamentals and a solid grasp of OWASP.

· Container and image scanning; zero-trust networking (Tailscale or similar).

· Healthcare integration or data context (HL7, FHIR, Mirth).

What We’re Looking For

Beyond the checklist, we value people who are methodical, evidence-driven, and pragmatic about risk.

The ideal candidate treats compliance as something you build into operations, not bolt on at audit time.

· Ownership mentality: you see a gap, you log it, you close it, and you evidence it.

· Pragmatism: you can tell a real risk from a theoretical one and prioritise accordingly.

· Documentation discipline: policies, runbooks, and evidence kept current as a matter of habit.

· Calm under pressure: some of what we protect runs 24/7 in clinical settings.
