GRC Expert

We are seeking a GRC Expert with 4+ years of hands-on experience to support the operation of our GRC department. This role requires a strong background in international certification frameworks (ISO 27001, SOC 2), comprehensive Risk Management experience, and specific expertise in Identity and Access Management (IAM) governance. You will be instrumental in leveraging our automated compliance platform (Vanta) to streamline evidence collection, manage audits, and ensure continuous compliance.

• Lead the preparation and execution of external audits for ISO 27001 and SOC 2 (Type 1 & 2) certifications.
• Manage compliance with local Saudi regulations, specifically NCA ECC and SAMA cybersecurity frameworks.
• Utilize the Vanta platform to map internal controls to regulatory requirements (Custom Frameworks) and automate evidence collection.
• Monitor compliance posture daily, ensuring all automated tests in Vanta are passing and remediating gaps promptly.

• Oversee the IAM lifecycle from a governance perspective, ensuring "Least Privilege" and "Need-to-Know" principles are enforced.
• Manage and execute Quarterly Access Reviews (User Access Reviews) campaigns within Vanta.
• Monitor Identity Provider (IdP) integrations (e.g., Okta, Azure AD, Google Workspace) to ensure 100% MFA adoption and timely offboarding of terminated users.
• Review and approve privileged access requests and ensure proper documentation of business needs.

• Maintain and update the organizational Risk Register.
• Conduct periodic risk assessments, identifying threats and vulnerabilities, and tracking risk treatment plans to closure.
• Perform Third-Party Risk Management (TPRM) assessments for new and existing vendors.

• Review and update information security policies and procedures annually or as needed.
• Coordinate internal audits and pre-assessments to ensure readiness for external certification bodies.
• Assist in responding to client security questionnaires and maintaining the Vanta Trust Center.

• Minimum of 4 years of dedicated experience in GRC, Information Security, or IT Audit.
• Deep understanding of ISO 27001 and SOC 2 controls.
• Familiarity with NCA ECC and SAMA regulations.
• Experience with automated GRC platforms.
• Solid understanding of IAM concepts (RBAC, SSO, MFA, PAM).
• Proficiency in risk assessment methodologies (e.g., ISO 27005, NIST SP 800-30).

• Holding at least one relevant certification is preferred (e.g., CISA, CISM, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor).

• Excellent communication skills in English (Arabic is a strong plus).
• Ability to work independently and manage multiple audit timelines simultaneously.
• Strong analytical and problem-solving skills.

💰 Competitive Package – Salary + equity options + performance incentives
🧘 Flexible & Remote – Work from anywhere with an outcomes-first culture
🤝 Team of Experts – Work with designers, engineers, and security pros solving real-world problems
🚀 Growth-Focused – Your ideas ship, your voice counts, your growth matters
🌍 Global Impact – Build products that protect critical systems and data