Manager -Cybersecurity GRC-Saudi National

The cybersecurity GRC manager helps run the governance, risk, and compliance program across AEW and AEW-served companies. The role is expected to drive policy lifecycle, assessments, audits, exceptions, third-party risk, and regulatory alignment. Role is expected to coordinate remediation with AEW Digital Services / IT and counterparts at serviced entities.

• Maintain AEW’s cybersecurity policy / standard / procedure library; run annual review cycle; map to ECC-2 : 2024 and other applicable NCA controls (OTCC / CSCC / OSMACC) and relevant international baselines (e.g., ISO 27001).
• Publish and track mandatory control exceptions with end dates and risk acceptance.

• Plan and run internal assessments for AEW and serviced entities; prepare for external inspections; maintain evidence library.
• Use the NCA ECC-2 Assessment & Compliance Tool when applicable; produce gap analyses and remediation plans.

• Maintain the cyber risk register; facilitate business-owned risk decisions; integrate with enterprise risk.
• Run control design / effectiveness reviews ahead of audits.

• Ensure enforcement of third party cybersecurity controls in line with ECC-2 : 2024 "third-party and cloud computing" domain.
• Coordinate with Procurement and Legal.

• Define compliance-focused awareness training plan and track completion.

• Provide monthly KPI packs to the Head of Digital Services and Cybersecurity Steering Committee.

• Bachelor’s degree. 3–7 years in cybersecurity GRC or audit.
• Proven work with NCA frameworks (ECC-2 : 2024; plus OTCC / CSCC / OSMACC as applicable to entity scope).
• Strong policy writing, audit, and risk facilitation skills; Arabic and English business proficiency.
• Preferred : ISO / IEC 27001 LA / LI, CISM, CRISC (or equivalent).

Regular travel within Saudi Arabia and other relevant countries as required by the business.