
GRC Expert

COGNNA

Saudi Arabia

On-site

SAR 150,000 - 200,000

Full time

Yesterday

Job summary

A leading cybersecurity firm in Saudi Arabia seeks a GRC Expert with 4+ years of experience. The role involves managing compliance with local regulations, overseeing IAM governance, and conducting audits for ISO 27001 and SOC 2 certifications. Candidates should have a strong background in risk management and automated GRC platforms. This position offers a competitive salary and flexible, remote work options.

Benefits

Competitive salary
Equity options
Performance incentives
Flexible work environment

Qualifications

  • Minimum 4 years of experience in GRC, Information Security, or IT Audit.
  • Deep understanding of ISO 27001 and SOC 2 controls.
  • Experience with automated GRC platforms.

Responsibilities

  • Manage compliance with local Saudi regulations and certifications.
  • Oversee the IAM lifecycle from a governance perspective.
  • Conduct periodic risk assessments and maintain the Risk Register.

Skills

ISO 27001
SOC 2
Risk Assessment
IAM Governance
Communication Skills
Problem Solving

Education

Relevant Certifications (CISA, CISM, etc.)

Tools

Vanta
Okta
Azure AD
Google Workspace

Job description

We are seeking a GRC Expert with 4+ years of hands‑on experience to support the operation of our GRC department. This role requires a strong background in international certification frameworks (ISO 27001, SOC 2), comprehensive risk‑management experience, and specific expertise in identity and access management (IAM) governance.

Responsibilities

  • Leverage our automated compliance platform (Vanta) to streamline evidence collection, manage audits, and ensure continuous compliance.
  • Prepare for and support external audits for ISO 27001 and SOC 2 (Type I and Type II) certification.
  • Manage compliance with local Saudi regulations, specifically NCA ECC and SAMA cybersecurity frameworks.
  • Map internal controls to regulatory requirements (Custom Frameworks) and automate evidence collection.
  • Monitor compliance posture daily, ensuring all automated tests in Vanta are passing and remediating gaps promptly.
  • Oversee the IAM lifecycle from a governance perspective, ensuring “Least Privilege” and “Need‑to‑Know” principles.
  • Execute Quarterly Access Reviews (User Access Reviews) campaigns within Vanta.
  • Manage IdP integrations (Okta, Azure AD, Google Workspace) to ensure 100% MFA adoption and timely offboarding of terminated users.
  • Review and approve privileged access requests and ensure proper documentation of business needs.
  • Maintain the organizational Risk Register and conduct periodic risk assessments.
  • Perform Third‑Party Risk Management (TPRM) assessments for vendors.
  • Review and update information‑security policies and procedures annually or as needed.
  • Coordinate internal audits and pre‑assessments to ensure readiness for external certification bodies.
  • Assist in responding to client security questionnaires and maintain the Vanta Trust Center.
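The access-review, MFA-adoption and offboarding items above are the kind of checks a GRC engineer ends up scripting against an IdP export when the platform's built-in tests do not cover a custom control. The following is an added example, not code from the posting, from COGNNA, or from Vanta/Okta/Azure AD: it runs three review checks over a constructed IdP user export and a constructed HR roster. The record shapes, field names (`login`, `status`, `mfa_factors`, `groups`), the privileged-group name and the approval log are assumptions; a real export would come from the IdP's user API and the fields would differ.

```python
"""Quarterly access-review checks over an IdP user export and an HR roster.

Added example; not code from the posting or from Vanta/Okta/Azure AD.
Record shapes below are assumptions (hypothetical field names); a real run
would pull users from the IdP API and the roster from the HRIS.
"""
from datetime import date, timedelta

# Constructed sample IdP export (hypothetical field names and values).
IDP_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE", "mfa_factors": ["totp"],
     "groups": ["engineering"]},
    {"login": "bob@example.com", "status": "ACTIVE", "mfa_factors": [],
     "groups": ["engineering"]},
    {"login": "carol@example.com", "status": "ACTIVE", "mfa_factors": ["webauthn"],
     "groups": ["admins", "engineering"]},
    {"login": "dave@example.com", "status": "ACTIVE", "mfa_factors": ["sms"],
     "groups": ["finance"]},
    {"login": "erin@example.com", "status": "DEPROVISIONED", "mfa_factors": [],
     "groups": []},
    {"login": "svc-backup@example.com", "status": "ACTIVE", "mfa_factors": [],
     "groups": ["admins"]},
]

# Constructed HR roster: termination date, or None if still employed.
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": None,
    "carol@example.com": None,
    "dave@example.com": date(2024, 3, 1),
    "erin@example.com": date(2024, 1, 15),
}

# Constructed approval log for privileged group membership: login -> ticket.
PRIVILEGED_GROUPS = {"admins"}
APPROVALS = {"carol@example.com": "ACC-1042"}


def active(users):
    """Only enabled accounts matter for the review; deprovisioned ones are done."""
    return [u for u in users if u["status"] == "ACTIVE"]


def mfa_gaps(users):
    """Active accounts with no enrolled MFA factor (the 100% MFA control)."""
    return sorted(u["login"] for u in active(users) if not u["mfa_factors"])


def orphaned_accounts(users, roster, as_of, grace_days=1):
    """Active accounts whose owner left more than grace_days ago, plus active
    accounts with no HR record at all (unowned or service accounts)."""
    findings = []
    for u in active(users):
        if u["login"] not in roster:
            findings.append((u["login"], "no HR record"))
            continue
        term = roster[u["login"]]
        if term is not None and as_of - term > timedelta(days=grace_days):
            findings.append((u["login"], f"terminated {term.isoformat()}"))
    return sorted(findings)


def undocumented_privilege(users, approvals):
    """Members of privileged groups with no recorded business-need approval."""
    findings = []
    for u in active(users):
        priv = PRIVILEGED_GROUPS.intersection(u["groups"])
        if priv and u["login"] not in approvals:
            findings.append((u["login"], sorted(priv)))
    return sorted(findings)


def access_review(users, roster, approvals, as_of, grace_days=1):
    """Bundle the three checks into one report for the review campaign."""
    return {
        "mfa_gaps": mfa_gaps(users),
        "orphaned": orphaned_accounts(users, roster, as_of, grace_days),
        "undocumented_privilege": undocumented_privilege(users, approvals),
    }


if __name__ == "__main__":
    report = access_review(IDP_USERS, HR_ROSTER, APPROVALS, date(2024, 4, 1))
    for finding, items in report.items():
        print(finding)
        for item in items:
            print("  ", item)
```

The `grace_days` window is what turns "timely offboarding" into a testable control: an account whose owner left yesterday is still inside the offboarding SLA, one whose owner left a month ago is a finding. Accounts with no HR record at all are reported separately because service accounts need an owner and a documented need just as human accounts do.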

Qualifications

  • Minimum 4 years of dedicated experience in GRC, Information Security, or IT Audit.
  • Deep understanding of ISO 27001 and SOC 2 controls.
  • Familiarity with NCA ECC and SAMA regulations.
  • Experience with automated GRC platforms.
  • Solid understanding of IAM concepts (RBAC, SSO, MFA, PAM).
  • Proficiency in risk‑assessment methodologies (ISO 27005, NIST SP 800‑30).
  • Holding at least one relevant certification is preferred (e.g., CISA, CISM, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor).
  • Excellent communication skills in English (Arabic is a plus).
  • Ability to work independently and manage multiple audit timelines simultaneously.
  • Strong analytical and problem‑solving skills.

Benefits & Culture

Competitive package – salary, equity options, and performance incentives.
Flexible & remote – work from anywhere with an outcomes‑first culture.
Growth‑focused environment where your ideas ship, your voice counts, and your growth matters.
Global impact – build products that protect critical systems and data.
