The cybersecurity GRC manager helps run the governance, risk, and compliance program across AEW and AEW-served companies. The role is expected to drive the policy lifecycle, assessments, audits, exceptions, third-party risk, and regulatory alignment, and to coordinate remediation with AEW Digital Services/IT and counterparts at serviced entities.
Key Responsibilities
Governance & Policy
Maintain AEW's cybersecurity policy/standard/procedure library; run annual review cycle; map to ECC-2:2024 and other applicable NCA controls (OTCC/CSCC/OSMACC) and relevant international baselines (e.g., ISO 27001).
Publish and track mandatory control exceptions with end dates and risk acceptance.
Compliance & Assurance
Plan and run internal assessments for AEW and serviced entities; prepare for external inspections; maintain evidence library.
Use the NCA ECC-2 Assessment & Compliance Tool when applicable; produce gap analyses and remediation plans.
Risk Management
Maintain the cyber risk register; facilitate business-owned risk decisions; integrate with enterprise risk.
Run control design/effectiveness reviews ahead of audits.
Third-Party & Cloud
Ensure enforcement of third-party cybersecurity controls in line with the ECC-2:2024 "third-party and cloud computing" domain.
Coordinate with Procurement and Legal.
Awareness & Training
Define a compliance-focused awareness training plan and track completion.
Reporting & Governance
Provide monthly KPI packs to the Head of Digital Services and Cybersecurity Steering Committee.
Qualifications & Skill Sets
Bachelor's degree. 3-7 years in cybersecurity GRC or audit.
Proven work with NCA frameworks (ECC-2:2024; plus OTCC/CSCC/OSMACC as applicable to entity scope).
Strong policy writing, audit, and risk facilitation skills; Arabic and English business proficiency.
Preferred: ISO/IEC 27001 LA/LI, CISM, CRISC (or equivalent).
Travel
Regular travel within Saudi Arabia and other relevant countries as required by the business.