Job Description
Incident Response Principal Analyst
Location: National*
Closing Date: 28 May 2026
Interviews: w/c 15 June
Grade: Grade 7
(MoJ candidates who are on a specialist grade will be able to retain this grade on lateral transfer)
Salary**: National: £58,511 - £73,450, which may include an allowance of up to £14,939; London: £63,343 - £78,225, which may include an allowance of up to £14,882
Working pattern: Full-time, Part-time, Flexible working
Contract Type: Permanent
Number of vacancies: 2
Vacancy number: 17499
*We offer a hybrid working model, allowing for a balance between remote work and time spent in your local office. Office locations can be found on this map.
Please note that unless you are an existing member of staff at Justice Digital, Data and Science, the only London location being recruited to is 10 South Colonnade, E14 4PU. We are no longer recruiting to 102 Petty France, SW1H 9AJ.
The Role
Please note this role requires you to pass Security Check clearance. Please click on the link for details.
We’re recruiting for two Principal Analysts – Detect and Respond here at Justice Digital, Data and Science to be part of our warm and collaborative Security Operations Centre (SOC) area.
This role aligns with Monitoring Principal / Response Principal from the Government Security Profession Framework.
The Security Operations Centre (SOC) at the Ministry of Justice (MOJ) is seeking highly motivated and experienced Principal Analysts - Response to provide leadership and direction to our incident response.
The MOJ SOC is consolidating significant development to its people, processes and technology and is now responsible for protecting a significantly increased number of MOJ and HMCTS IT services. These roles will be a key part of the leadership team with a specific focus on cyber incident management.
You will play a critical role in safeguarding the MoJ’s IT infrastructure, assets, and data by leading the SOC’s response to cyber incidents. In addition to ensuring that the team responds to incidents effectively, you will lead ongoing continuous improvement, building on lessons learned and best practice. You will help to improve and develop SOC processes to maximise efficiency and effectiveness, in alignment with best practices.
You’ll receive a range of excellent benefits when you join our department, including:
- A generous employer pension contribution of 28.97% through the Civil Service Pension Scheme.
- 25 days of annual leave (increasing to 30 days once you have reached 5 years of service), plus 8 bank holidays and a privilege day for the King’s birthday.
- Flexible working arrangements including hybrid working, working part time or compressed hours, designed to support a positive work–life balance.
- Employees are allocated 10% of their working time for personal and professional development.
- A £1k per person learning budget is in place to support all our people, with access to best-in-class conferences and seminars, accreditation with professional bodies, fully funded vocational programmes and e-learning platforms.
- Compassionate maternity, adoption, and shared parental leave policies, with up to 26 weeks leave at full pay, 13 weeks with partial pay, and 13 weeks further leave. And maternity support/paternity leave at full pay for 2 weeks, too!
You can find more details of the Benefits we offer here. To help picture your life at MoJ Justice Digital, Data and Science please take a look at our blog.
Key Responsibilities:
- Lead SOC incident response
- Lead and mentor Security Analysts to support effective incident management.
- Oversee the investigation and escalation of security incidents according to established procedures.
- Represent the SOC on Major Incident Bridge Calls, directing SOC effort as required.
- Identify and drive implementation of necessary adjustments to MOJ cyber incident response strategies and processes.
- Drive development and maintenance of SOC playbooks and procedures for efficient incident response.
- Identify and use metrics to analyse trends and generate security reports. Identify risks and areas for improvement.
- Support fostering a collaborative and high-performing team environment, providing coaching and development opportunities for more junior team members.
- Develop goals and performance metrics for incident response in line with business needs.
If this feels like an exciting challenge, something you are enthusiastic about, and want to join our team please read on and apply!
Person Specification
Essential
- Proven experience leading and mentoring a security analyst team
- Proven experience managing cyber security incidents
- Substantial experience in a Security Operations Centre (SOC) environment
- Strong understanding of security best practices, frameworks (MITRE ATT&CK, etc.), and incident response methodologies
- Excellent analytical, problem-solving, and decision-making skills.
- Effective communication and collaboration skills.
- Ability to work effectively under pressure and manage multiple tasks simultaneously.
- Strong understanding of security risk and how it is applied to incident management.
- Willingness to be assessed against the requirements for SC clearance
We welcome the unique contribution diverse applicants bring and do not discriminate based on culture, ethnicity, race, nationality or national origin, age, sex, gender identity or expression, religion or belief, disability status, sexual orientation, educational or social background or any other factor.
Our values are Purpose, Humanity, Openness and Together. Find out more here about how we celebrate diversity and an inclusive culture in our workplace.
The Civil Service is committed to attracting, retaining and investing in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service D&I Strategy.
Salary Information**
Base salary for this role is from National: £58,511 - £65,329 | London: £63,343 - £70,725
- New entrants to the Civil Service joining the MoJ are expected to start at the minimum of the pay band.
- Existing Civil Servants moving on a level transfer will retain their current base salary or move to the minimum of the pay band for the role, whichever is higher.
- Existing Civil Servants who are promoted will either move to the bottom of the new grade’s pay band or receive a 10% uplift, whichever provides the greater increase.
- Candidates may also be eligible for a non‑pensionable Government Digital & Data Allowance of up to £14,882 per year (London) or £14,939 (National). This is a temporary allowance, reviewed annually and may be retained, amended, or withdrawn.
The final offer will reflect the skills and experience you demonstrate during the assessment process.
How to Apply
In Justice Digital, Data and Science, we recruit using a combination of the Government Security Profession Framework and Success Profiles Frameworks. We shall assess a combination of your Experience, Technical skills and Behaviours during the assessment process.
Stage 1 - Application and sift:
To apply for this position, you must submit the following as part of your application:
- A CV detailing your career history (including any relevant qualifications). Your CV will be assessed against the essential criteria outlined within the Person Specification of this advert.
- A Personal Statement (no more than 750 words) which should outline your experience and skills, giving clear examples of work undertaken. It should specifically address the 8 criteria listed below, using a separate paragraph for each.
  - Proven experience leading and mentoring a security analyst team.
  - Proven experience managing cyber security incidents.
  - Substantial experience in a Security Operations Centre (SOC) environment.
  - Strong understanding of security best practices, frameworks (MITRE ATT&CK, etc.), and incident response methodologies.
  - Excellent analytical, problem-solving, and decision-making skills.
  - Effective communication and collaboration skills.
  - Ability to work effectively under pressure and manage multiple tasks simultaneously.
  - Strong understanding of security risk and how it is applied to incident management.
A diverse sift panel will review the information in your CV and Personal Statement to assess the sift criteria specified above. We operate an anonymous shortlisting process. Please ensure your CV and Personal Statement do not include your name or any other identifying details.
Should we receive a high volume of applications, a pre-sift based on Proven experience in a Security Operations Centre (SOC) environment will be conducted before the sift.
Please access the following link for guidance on how to apply - Application Guidance
Stage 2 - Interviews:
Successful candidates who meet the required standard will then be invited to a panel interview held via Microsoft Teams. At interview stage, you will be assessed against the following Success Profile elements - Experience, Technical and the following Behaviours:
- Leadership
- Making effective decisions
- Delivering at pace
Appointments are made strictly in merit order. In the event that two or more candidates receive identical interview scores, Proven experience managing cyber security incidents will be applied as the primary lead criterion to determine the final merit order.
Should you be unsuccessful in the role that you have applied for but demonstrate the capability for a role at a lower level, we reserve the right to discuss this opportunity with you and offer you the position without needing a further application.
A reserve list may be held for up to 12 months, from which further appointments may be made.
Use of Artificial Intelligence
Artificial Intelligence can be a useful tool to support your application; however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, as your own) applications may be withdrawn and internal candidates may be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.
Terms & Conditions
Please review our Terms and Conditions which set out how we recruit and provide further information related to the role and salary arrangements.
If you have any questions, please feel free to contact digitalanddatarecruitment@justice.gov.uk