Governance · Risk · Compliance
Study notes, advisory engagements, GRC tooling, audit work, and AI governance research. Focused on Saudi Arabian, Gulf, Indian, and international regulatory frameworks.
| # | Section | What it contains |
|---|---|---|
| 1 | Study Notes | 11-module GRC curriculum + TryHackMe governance notes |
| 2 | Advisory Portfolio | 5 client engagements across India & Saudi Arabia, GRC Analyst → Auditor |
| 3 | GRC Tooling | PDPL PII scanner, IAM audit engine, Islamic fintech GRC framework |
| 4 | AI Governance | AI-GRC research paper + interactive compliance checker for Saudi/Gulf |
| Domain | Frameworks |
|---|---|
| Information Security | ISO/IEC 27001:2022 |
| Cybersecurity | NIST CSF, NCA ECC-1:2018, NCA ECC-2:2024 |
| Financial Sector | SAMA CSF, CMA |
| Privacy | GDPR, India DPDP Act 2023, Saudi PDPL |
| Trust & Compliance | SOC 2 (TSC) |
| AI Governance | ISO/IEC 42001:2023, NIST AI RMF, SDAIA AI Ethics, EU AI Act |
| Islamic Finance | AAOIFI Shariah Standards |
| Risk | ISO 31000, NIST SP 800-30, OCTAVE, FAIR |
An 11-module GRC curriculum written from the perspective of a practising GRC Analyst — not theory for its own sake, but how frameworks, regulations, and risk methodology actually work in real organizational environments.
| Module | Topic | Domain |
|---|---|---|
| 0 | GRC Core Concepts & Terminology — governance structures, risk lifecycle, control types, CIA triad, what a GRC Analyst does day to day | Foundation |
| 1 | ISO 27001 — mandatory clauses, Annex A controls, risk assessment, Statement of Applicability, certification and audit process | Information Security |
| 2 | NIST CSF — six core functions (Govern, Identify, Protect, Detect, Respond, Recover), implementation tiers, gap analysis usage | Cybersecurity |
| 3 | SOC 2 — five Trust Service Criteria, Type 1 vs Type 2 distinction, audit process, what auditors actually test | Trust & Compliance |
| 4 | GDPR + India DPDP Act — principles, lawful bases, eight data subject rights, DPDP Act 2023, direct comparison of where the two laws align and diverge | Privacy |
| 5 | NCA ECC — Saudi mandatory cybersecurity baseline, five domains, 114 controls, maturity model, relation to ISO 27001 | Saudi Cybersecurity |
| 6 | SAMA CSF — Saudi financial sector framework, four domains, maturity model, annual self-assessment cycle, interaction with NCA ECC | Saudi Banking Security |
| 7 | Saudi PDPL — principles, lawful bases, data subject rights, breach notification, Privacy Officer role, comparison with GDPR | Saudi Privacy |
| 8 | ISO 42001 — AI management system standard, AI-specific risk (bias, fairness, model drift, human oversight), what AI governance work looks like in practice | AI Governance |
| 9 | Risk Assessment Methods — qualitative vs quantitative, ALE/SLE/ARO formulas, NIST SP 800-30, ISO 31000, OCTAVE, FAIR, building a risk matrix, running an assessment end to end | Risk |
| 10 | GRC Tools — enterprise platforms (Archer, ServiceNow GRC, MetricStream), compliance automation (Vanta, Drata, Sprinto, Secureframe), agentic AI shift in compliance tooling (2025–2026) | Practical Skills |
Structured study notes from the TryHackMe Governance & Regulation room covering governance frameworks, documentation hierarchy (policies → standards → procedures → guidelines → baselines), and the regulatory landscape across GDPR, HIPAA, and PCI-DSS.
resolute-compliance-advisory — GRC Advisory Portfolio
Five client engagements delivered through Resolute Compliance Advisory LLP across two years, demonstrating full progression from GRC Analyst (implementation) to GRC Auditor (independent assurance). All client names anonymised. Engagements span Indian and Saudi regulatory frameworks.
| Engagement | Industry | Frameworks | Role | Key Finding |
|---|---|---|---|---|
| Brightpath | IT Services, Bengaluru | ISO 27001:2022 + SOC 2 | GRC Analyst | 37.6% ISO conformance (35/93 controls); former employee credentials live — Critical risk |
| Medlink | Healthtech, Mumbai | ISO 27001:2022 + GDPR + India DPDP Act | GRC Analyst | 49.5% ISO conformance; hardcoded AWS credentials in production — Critical risk; no GDPR Article 28 DPAs |
| Projects 3, 4, 3C | Saudi sectors (insurance, healthcare) | NCA ECC-1:2018, NCA ECC-2:2024, SAMA CSF | GRC Auditor | Independent audit and assurance across Saudi NCA regulatory framework |
Deliverables per engagement include: engagement letter, gap assessment report, Statement of Applicability, risk register, remediation roadmap with Gantt chart and dashboard, executive summary — all formatted as client-facing professional documents.
pdpl-pii-scanner — Saudi PDPL Compliance Tool
Python tool that scans CSV and Excel files for Saudi PII, classifies every finding into PDPL's legal tiers, risk-scores each one, checks for governance gaps, and produces redacted copies. Output: bilingual EN/AR interactive HTML dashboard + CSV/console reports.
Detects 8 PII types across PDPL's three legal tiers:
| PII Type | PDPL Tier | Obligation |
|---|---|---|
| National ID, Iqama, mobile, passport, email, address | Personal Data | Standard consent and protection obligations |
| IBAN / bank account | Credit Data (Article 24) | Enhanced protections for financial data |
| Health/medical, religious/political affiliation | Sensitive Data (Article 1(11)) | Explicit consent + DPIA required |
Detection uses layered confidence scoring (High/Medium/Low) across regex pattern matching, validation rules, and column name hints — not a flat yes/no. Also flags governance gaps: missing consent tracking and cross-border transfer signals. Built on PDPL Article 1 defined terms and SDAIA public guidance. Live demo
iam-risk-assurance — IAM Audit Engagement
SQL-based IAM audit for Najm Financial Services Co. (~400 staff, Riyadh) — SAMA-regulated, subject to NCA ECC mandatory controls. July–November 2025. Seven checks across the full IAM lifecycle, 203 findings, overall IAM compliance score of 62% against a SAMA CSF target of ≥85%.
203 findings: 23 critical · 47 high · 89 medium · 34 low. Most serious issues: orphaned accounts on critical systems for staff terminated months earlier; SoD conflicts in the Core Banking System allowing the same user to initiate and approve transactions; privileged accounts with no MFA on critical infrastructure. Audit database and all SQL detection queries built from scratch. Bilingual EN/AR dashboard with RTL toggle. Formal report delivered in both languages. Live dashboard
al-mizan — Shariah & Regulatory GRC for Islamic Fintech
Most Islamic finance and fintech organisations run two disconnected compliance reviews — one for SAMA/CMA regulation, one for Shariah board approval. Al-Mizan runs both in a single unified workflow. Built for the Saudi Vision 2030 market.
Three modules in one interactive bilingual dashboard:
- Governance — maturity self-assessment scored simultaneously against regulatory governance requirements and Shariah governance principles
- Risk — Gharar Risk Matrix scoring each product category for uncertainty/ambiguity risk per AAOIFI Standard No. 31, with mitigation guidance per product type
- Compliance — dual-aspect audit checklist covering SAMA/CMA statutory requirements and Shariah board approval requirements in a single pass
Frameworks: SAMA CSF, CMA, Saudi PDPL, AAOIFI Shariah Standards. Fully interactive bilingual EN/AR with RTL layout switching. Self-contained, no server needed. Live dashboard
aigrc-imf — AI-GRC Integrated Management Framework
Organisations across regulated Gulf industries are deploying AI in GRC functions — fraud detection, compliance monitoring, risk scoring, regulatory reporting — at a pace that has outrun the governance architectures meant to control them. The documented consequences: algorithmic bias in credit decisions, privacy violations under Saudi PDPL, adversarial manipulation of compliance models, and accountability gaps when AI-generated determinations go unchecked.
This repository contains two outputs:
Academic paper — proposes the AI-GRC Integrated Management Framework (AI-GRC IMF), a five-phase lifecycle governance model grounded in ISO/IEC 27001:2022 and ISO/IEC 42001:2023, cross-referenced against Saudi PDPL, SDAIA AI Ethics Principles, NCA ECC-1:2018, SAMA CSF, NIST AI RMF, and the EU AI Act.
Interactive compliance checker — organisations self-assess their AI systems against the AI-GRC IMF's five phases and receive a personalised AI-generated remediation report mapped to Saudi regulatory obligations. Open index.html in any browser — no installation, no server.
Frameworks: ISO/IEC 27001:2022, ISO/IEC 42001:2023, Saudi PDPL, SDAIA AI Ethics, NCA ECC-1:2018, SAMA CSF, NIST AI RMF, EU AI Act. Live dashboard
aigrc-audit-suite — AI GRC Audit Suite
Work in progress — details will be added on completion.
Actively maintained — connect on GitHub
