Jobiglo

Senior GRC Analyst – Governance, Risk & Compliance

Link Datacenter · Maadi

New
Senior · 🇬🇧 English
ISO 27001 · NIST CSF · FAIR · OCTAVE · ServiceNow GRC · Archer · MetricStream

Job description

About the role

We are seeking a Senior GRC Analyst to lead the design, implementation and continuous improvement of governance, risk and compliance frameworks across the enterprise. The role will partner with IT, Legal, Internal Audit and business units to ensure alignment with regulatory standards and business objectives.

Key responsibilities

  • Design, implement and evolve GRC frameworks, processes and tools to support enterprise‑wide risk and compliance objectives.
  • Develop, review and enforce information security policies, standards and procedures in line with business goals and regulatory requirements.
  • Own end‑to‑end risk assessment processes, including third‑party, operational and technology risk, and drive remediation plans.
  • Collaborate with cross‑functional teams to ensure compliance with ISO 27001, NIST CSF, SAMA, NCA and other relevant standards.
  • Manage documentation lifecycle of controls, risks and compliance evidence to maintain audit readiness.
  • Lead internal and external audit engagements, coordinate evidence collection and drive findings to closure.
  • Define and monitor KRIs/KPIs for security controls, producing executive dashboards and risk reports.
  • Track regulatory and industry changes, assess impact and update policies or controls accordingly.
  • Contribute to security awareness and training initiatives, mentoring junior team members.
  • Serve as subject‑matter expert on GRC matters, advising management on risk‑based decisions.

Required profile

  • Bachelor’s degree in Information Security, Computer Science, Risk Management or related field (Master’s a plus).
  • 3–6 years of progressive GRC or IT risk management experience, with at least 1–2 years at a mid‑to‑senior level.
  • Hands‑on expertise in ISO 27001, NIST frameworks (CSF or 800‑53) and risk assessment methodologies such as FAIR or OCTAVE.
  • Proven experience leading audit engagements and managing remediation lifecycles.
  • Strong communication skills for presenting risk findings to senior leadership.
  • Experience in Saudi Arabia or the broader Middle East and familiarity with local regulations (NCA, SAMA, CST, PDPL) preferred.
  • Relevant certifications (ISO 27001 Lead Implementer/Auditor, CISM, CRISC, CISA, CISSP, GRCP, GRCA) highly preferred.

Required skills

  • ISO 27001 implementation and auditing
  • NIST CSF / NIST 800‑53
  • FAIR and OCTAVE risk assessment methodologies
  • GRC platforms such as ServiceNow GRC, Archer, MetricStream
  • Audit management and remediation tracking
  • Regulatory compliance mapping (SAMA, NCA, PDPL)

Frequently asked questions

The salary is not publicly disclosed by the recruiter. You can apply and negotiate directly with Link Datacenter.
Click "Apply now" at the top of the page. You can import your CV in one click; Jobiglo automatically extracts your information and applies for you.


Posted 8 hours ago

Expires in 1 month

8 views · 0 applications
