GRC Consultant

IFZA Dubai

Dubai

On-site

AED 120,000 - 200,000

Full time

3 days ago

Job summary

A growing governance and compliance organization in Dubai is looking for a skilled professional to manage the governance, risk, and compliance lifecycle. You will be responsible for policy maintenance, risk management, and audit readiness, ensuring the organization meets compliance requirements. Ideal candidates will have over 5 years of experience in information security or audit, with strong knowledge of UAE PDPL and related frameworks. Benefits include 24 days of leave and a bonus scheme.

Benefits

24 working days as annual leave
Annual flight home
Life insurance plan
Medical insurance plan
Bonus scheme

Qualifications

  • 5+ years in GRC, information security risk, or IT audit.
  • Experience with NIST CSF / 800-53 and CIS Controls.
  • Understanding of UAE PDPL principles.
  • Hands-on experience with audit cycles.

Responsibilities

  • Maintain the Information Security Policy and standards.
  • Conduct risk assessments and maintain the risk register.
  • Lead pre-audit readiness and support audits.
  • Manage third-party risk management process.

Skills

GRC experience
Information security risk management
NIST CSF / 800-53 knowledge
Stakeholder management

Education

Bachelor's in Information Security or related field
CISA or equivalent certifications
Job description

Overview

Purpose: Maintain and continuously improve the organization's policies / standards, risk register, control testing program, and audit readiness across security, privacy, and compliance domains.

About the Role

You will own the governance, risk, and compliance lifecycle - translating regulatory and framework requirements (e.g., NIST, CIS, ISO, UAE PDPL) into actionable controls, verifying effectiveness through testing, and driving remediation with control owners. You’ll also prepare the organization for internal / external audits and provide executive-level reporting on posture and residual risk.

Responsibilities
  • Policy, Standards & Procedures
    • Maintain an enterprise Information Security Policy and supporting standards / procedures.
    • Establish a document control process (versioning, approvals, review cadence) and a single source of truth for policy artifacts.
    • Align policies to NIST CSF / 800-53, CIS Controls, ISO 27001 criteria, and UAE PDPL obligations; ensure traceability from requirement → control → evidence.
  • Risk Management
    • Design and run the risk management program: methodology, taxonomy, impact / likelihood scales, and KRIs.
    • Conduct risk assessments (systems, vendors, projects / changes), maintain the risk register, and track remediation to closure with accountable owners.
    • Facilitate DPIAs / PIAs where personal data is involved; advise on mitigation measures and lawful basis (PDPL-aligned).
  • Controls & Assurance
    • Define and maintain the control library mapped to frameworks and regulations (NIST, CIS, ISO, PDPL).
    • Plan and execute control testing (design & operating effectiveness), sampling, and evidence collection.
    • Run continuous control monitoring where feasible; create control narratives and test scripts; raise and track issues / findings.
  • Compliance & Privacy
    • Build and maintain a compliance calendar (e.g., policy reviews, attestations, training, vendor recertifications, audit milestones).
    • Coordinate with Legal / Privacy / DPO on UAE PDPL readiness (e.g., Records of Processing, DSAR workflow, consent & notice, retention / minimization).
    • Prepare and deliver compliance dashboards and board-level reports on risk, controls, and outstanding actions.
  • Audit Readiness & Support
    • Lead pre-audit readiness (gap assessments, mock audits, evidence readiness) and support internal / external audits (SOC 2, customer audits, regulators).
    • Manage the audit evidence lifecycle: request tracking, secure storage, labeling, and reuse across audits.
    • Drive corrective action plans and verify remediation of findings.
  • Third-Party & Change Governance
    • Operate the third-party risk management (TPRM) process: inherent risk scoping, due diligence, contract clauses, and periodic reassessments.
    • Embed risk & control checks into change / project lifecycles (e.g., architecture reviews, security sign-off, go-live readiness).
  • Awareness, Guidance & Enablement
    • Deliver targeted compliance / security training (role-based, control owner enablement).
    • Provide consultative guidance to engineering / business teams so that compliance is built in, not bolted on.
  • Tooling & Automation
    • Configure and manage GRC tooling for control workflows, evidence, and reporting.
Requirements
  • 5+ years in GRC, information security risk, or IT audit (regulated industries preferred: finance, healthcare, telco, gov / public sector, critical infrastructure).
  • Demonstrable experience with NIST CSF / 800-53 and CIS Controls, plus one or more of SOC 2, ISO 27001, PCI DSS, or regional regulations.
  • Strong understanding of UAE PDPL principles and practical compliance activities (RoPA, DPIA, DSAR handling, consent / notice, breach readiness).
  • Hands-on experience building risk registers, control libraries, and test scripts, and running end-to-end audit cycles.
  • Excellent stakeholder management, from technical SMEs to senior leadership; clear, concise writing for policies and reports.
Education & Certifications
  • Bachelor’s in Information Security, Computer Science, or related field (or equivalent experience).
  • One or more: CISA, CISM, CRISC, ISO 27001 Lead Implementer / Lead Auditor, CIPM / CIPP-E / M, CGEIT.
Benefits

As an employee of IFZA, you can expect:

  • 24 working days as annual leave
  • Annual flight home
  • Life insurance plan
  • Medical insurance plan (with the option to upgrade at your own cost)
  • Bonus scheme (in relevant departments)