Specialist - Information Security GRC

Space42
Abu Dhabi
AED 80,000 - 120,000
Yesterday
Job description

The Information Security Risk & Compliance Specialist will be responsible for ensuring the organization's adherence to information security protocols, vendor risk management, and regulatory compliance requirements. This role will involve collaborating with internal teams, external vendors, and regulatory bodies to mitigate risks, manage compliance audits, and maintain the security posture of the company’s IT infrastructure and third-party relationships.

Responsibilities

Vendor Risk Management

  • Establish the end-to-end Information Security Vendor Risk Management framework for Space42 to understand the risk environment and operate within the agreed risk appetite.
  • Manage and assess the risks associated with third-party vendors, ensuring that vendor practices comply with security and compliance standards.
  • Conduct vendor risk assessments, including evaluating vendors' security posture, compliance status, and data protection policies.
  • Develop and maintain a vendor risk management program to identify, assess, and mitigate risks related to third-party partnerships.
  • Collaborate with procurement and legal teams to ensure that all third-party contracts include necessary security and compliance clauses.
  • Monitor ongoing vendor relationships to ensure continuous compliance with security standards.

Compliance Management

  • Implement the compliance framework, aligned with legal requirements, corporate policies, and local and international standards that affect the business environment where Space42 operates.
  • Ensure compliance with Intellectual Property Rights (e.g. software license agreements) and export control requirements.
  • Ensure compliance with relevant industry regulations and standards such as ISO 27001, ISO 27701, UAE IA, KSA CRF, PCI-DSS, etc.
  • Plan and conduct periodic internal audits to verify and report on the effectiveness of the implementation of the Information Security Regulation.
  • Conduct periodic reviews or audits to verify Cloud Service Providers’ (CSPs’) compliance with the applicable security policies and contractual requirements.
  • Log, maintain and periodically review logical and physical access control lists.
  • Support the preparation and coordination of regulatory audits and assessments.
  • Develop compliance management processes.
  • Conduct periodic reviews to verify compliance of the implemented control framework.
  • Conduct periodic security awareness surveys/tests to measure the security training effectiveness and the awareness level of all employees and applicable external parties (e.g. social engineering assessment or phishing assessments).
  • Develop security training and awareness processes for various kinds of audiences.
  • Develop, implement and assess security awareness campaigns that educate users on information security policies, cover business operations security risks, and focus on reducing possible risks.
  • Document and report compliance status, findings, and remediation efforts to senior management.

Qualifications

  • Bachelor’s degree in Information Security, Information Technology or a related field.
  • 4+ years of proven experience in information security, vendor risk management, and regulatory compliance.
  • Strong knowledge of security frameworks/standards (e.g., NIST, ISO 27001) and regulatory requirements (e.g., UAE IA, KSA CRF, GDPR, UAE PDPL, etc.).
  • Relevant certifications such as ISO 27001 LA/LI, CISSP, CISA, CISM, CRISC, or equivalent are highly preferred.
  • Experience conducting risk assessments and audits.
  • Excellent communication skills, with the ability to interact with both technical and non-technical stakeholders.
  • Excellent data analysis skills.