Link Datacenter · Cairo, Egypt · Posted 2026-05-13
Key Responsibilities

- Design, implement, and continuously improve GRC frameworks, processes, and tools to support enterprise-wide risk and compliance objectives.
- Lead the development, review, and enforcement of information security policies, standards, and procedures, ensuring alignment with business goals and regulatory requirements.
- Own and execute the end-to-end risk assessment process, including third-party risk, operational risk, and technology risk, while recommending and tracking remediation plans.
- Partner with cross-functional teams (IT, Legal, Internal Audit, Business Units) to ensure compliance with ISO 27001, NIST CSF, SAMA, NCA, and other relevant standards.
- Manage the documentation lifecycle of controls, risks, and compliance evidence, ensuring audit readiness at all times.
- Lead or co-lead internal and external audits, including scoping, evidence collection, stakeholder coordination, and driving findings to closure with corrective action plans.
- Define and monitor key risk and performance indicators (KRIs/KPIs) for security controls, producing executive-level dashboards and risk reports.
- Proactively track regulatory and industry changes (local and international), assess their impact, and drive necessary policy or control updates.
- Lead or significantly contribute to security awareness and training initiatives, mentoring junior team members and fostering a risk-aware culture.
- Serve as a subject matter expert (SME) on GRC matters, advising management and project teams on risk-based decision making.

Requirements

- Bachelor’s degree in Information Security, Computer Science, Risk Management, or a related field. A Master’s degree is a plus.
- 3–6 years of progressive experience in GRC, Information Security, or IT Risk Management, with at least 1–2 years operating at a mid-to-senior level.
- Deep, hands-on expertise in ISO 27001, NIST (preferably NIST CSF or 800-53), and common risk assessment methodologies (e.g., FAIR, OCTAVE, or qualitative/quantitative methods).
- Proven experience leading audit engagements (internal or external) and managing remediation lifecycles independently.
- Strong ability to translate complex regulatory and security requirements into practical, business-friendly controls and processes.
- Exceptional written and verbal communication skills, including the ability to present risk findings to senior leadership and non-technical stakeholders.
- Advanced analytical and problem-solving skills, with high attention to detail and a proactive, ownership mindset.
- Experience working in Saudi Arabia or the broader Middle East region, with familiarity with local regulations (e.g., NCA, SAMA, CST, PDPL) strongly preferred.
- Relevant certifications are highly preferred, such as:
  - ISO 27001 Lead Implementer or Lead Auditor
  - CISM, CRISC, CISA, or CISSP
  - GRC-specific certifications (e.g., GRCP, GRCA) are a plus.

Preferred Attributes (Nice to Have)

- Experience with GRC platforms (e.g., ServiceNow GRC, Archer, MetricStream, or similar).
- Prior experience mentoring or guiding junior analysts or interns.
- Ability to write and test business continuity, disaster recovery, or incident response plans from a compliance perspective.