Awarded to BNSCyber

Start date: Wednesday 29 September 2021
Value: £96,105
Company size: SME
Disclosure Scotland

Security Architect

18 Incomplete applications

18 SME, 0 large

19 Completed applications

17 SME, 2 large

Important dates

Thursday 29 July 2021
Deadline for asking questions
Thursday 5 August 2021 at 11:59pm GMT
Closing date for applications
Thursday 12 August 2021 at 11:59pm GMT


Specialist role
Technical Architect
Off-payroll (IR35) determination
Supply of resource: the off-payroll rules will apply to any workers engaged through a qualifying intermediary, such as their own limited company
Summary of the work
Disclosure Scotland provides criminal record checking services to individuals and organisations to support safer recruitment and protect vulnerable groups. We are currently undergoing a digital transformation . This is a rare opportunity to help transform the way we provides this critical public service.
Latest start date
Monday 6 September 2021
Expected contract length
Contract will be let in 6 month increments, up to 23 months.
Organisation the work is for
Disclosure Scotland
Maximum day rate
We expect rates to be submitted in line with current market rates.

About the work

Early market engagement
Who the specialist will work with
The existing team is comprised of contract and Civil Service resources. The specialist will be expected to be embedded into the Digital team as well as working with the other members of the business.
What the specialist will work on
•Design security-controls in cloud-based web-applications and cloud-infrastructure to support business objectives
•Work with stakeholders in an agile environment to refine security-control implementations
•Educate and upskill colleagues in best practices
•Assist in defining and executing security best practices in engineering and software design
•Contributes to security architecture policy, standards and design
•Advises stakeholders and suppliers on compliance with IT security policy and controls
•Contributes to IT service level definitions
•Contributes to Cyber Assurance maturity assessments, or other audit/compliance activities
•Supports development of business cases for investment to improve IT security controls
•Ensure compliance with Codes of Connection/Memorandums of Understanding

Work setup

Address where the work will take place
Work remotely for now, when office opens, work will be at the below address and specialist may have to attend this office address as required. It is likely a large proportion of the week will be remote working.

1 Pacific Quay
G51 1DZ
Working arrangements
• The specialist will be working remotely to start. Once the Scottish Government confirms the return to office based working, it is expected we will return to the office on a part time basis/as required.
• The specialist will be expected to attend meetings using MS Teams or once office working resumes, face to face.
• Make use of collaborative tooling (Slack, MS Teams, Miro, Confluence and Jira).
• The specialist will be pro-active
Security clearance
Must have BPSS clearance to begin work and willing to go through SC Clearance.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of working with agile engineering teams and designing security controls for cloud-based web applications – ideally with Java and AWS
  • Experience of working with demanding security standards – ideally to standards that comply with Home Office NPRIMT controls
  • Experience of creating security-controls, with working-knowledge, to advise on cloud implementations (Azure, AWS, GCP etc…)
  • Some understanding of application architectures, patterns and the ability to interpret technical designs
  • Strong knowledge of government and industry data/cyber security legislation, policy, patterns, standards (including but not limited to ISO27001, CSA STAR and NIS Directive) and guidance.
  • Experience of reviewing system architectures to: identify single points of vulnerability and common architectural flaws
  • Experience of identifying security issues relating to configuration of components in an architecture*
  • *validate and explain how common attack methods are mitigated by the design
  • *and identify areas where detailed technical analysis will be required to understand important nuances that could have significant security implications.
  • Strong knowledge of Government and industry risk management techniques
  • Demonstrable experience in interpreting and applying this knowledge in an agile way, working with development teams to deliver digital Cloud services.
Nice-to-have skills and experience

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

How many specialists to evaluate
Cultural fit criteria
  • Be transparent and collaborative whilst working
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Challenge the status quo
  • Be comfortable standing up for their discipline
  • Be comfortable with working with clients with both high and low technical expertise
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is there any Incumbent?
No, this is a new role.
2. IR35 Status?
The role is outside IR35.

The DOS system only provides the one option to put on adverts that we can't edit so we have used the HM Revenue determination tool to confirm status.

If you require a copy of the HM Revenue and Customs summary showing this before contract award, please email

The DOS system only provides the one option to put on adverts that we can't edit so we have used the HM Revenue determination tool to confirm status.
3. Could you please provide breakdown of further stages with dates? When exactly the final decision would be made?
The advert closes 12th August.
Sift of applications will be 13th to 20th August, notifications issued 20th-23rd August for next stage of chats with leads of area.

These chat will be held w/c 30th August, outcomes by end of that week.

Due to time to get clearance, it is expected that the successful candidate will start 4-5 weeks after this.

If we can speed any of these steps up, we will, it is dependant on the number of applications received.