Cyber Security

GRC Analyst

Cairo
Work Type: Full Time

About The Role 

As an Information Security GRC Analyst, you will play a key role in developing, implementing, and maintaining the organization’s information security governance, risk, and compliance (GRC) program. You will collaborate with Legal, Engineering, Product, and Operations teams to ensure that security policies, risk management processes, and compliance initiatives are aligned with regulatory requirements (e.g., CMA, ADGM, FRA), contractual obligations, and industry frameworks such as NIST CSF, ISO 27001, and PCI DSS.

What You'll Do

Governance, Compliance & Policy Management

  • Develop, implement, and maintain information security policies, standards, and procedures aligned with regulatory requirements (e.g., CMA, ADGM, FRA) and industry standards (e.g., NIST CSF, ISO 27001, PCI DSS).

  • Maintain control mappings across multiple frameworks and ensure traceability between risks, controls, and policies.

  • Drive audit readiness efforts, including documentation and evidence collection for external audits, third-party assessments, and regulatory inspections.

  • Collaborate with Legal and engineering teams to ensure compliance with data protection regulations (e.g., GDPR, Local Data Protection Law), and lead DPIA governance.

  • Oversee the policy exception and risk acceptance process, ensuring proper approvals and alignment with the organization’s risk appetite.

  • Support the delivery and tracking of company-wide security awareness and compliance training programs.

  • Administer or support the GRC platform used to manage risks, controls, audits, and vendor assessments.

Risk Management & Reporting

  • Conduct and document enterprise-wide security risk assessments across business functions, systems, and third parties.

  • Evaluate and prioritize risks using structured methodologies such as NIST RMF.

  • Maintain the enterprise risk register, ensuring accurate status updates, ownership assignment, and timely follow-ups.

  • Prepare and present risk dashboards and remediation progress reports to senior leadership and security governance committees.

  • Support the alignment of business continuity and disaster recovery planning with enterprise risk management requirements.

  • Define and track GRC metrics (e.g., risk remediation SLAs, control effectiveness, vendor risk posture) to measure program maturity and drive continuous improvement.

Third-Party Risk & Assurance

  • Manage the third-party security risk lifecycle, including initial due diligence, contract review for security clauses, and periodic reassessments.

  • Review third-party security attestations (e.g., SOC 2 reports, ISO 27001 certificates) and assess their impact on the organization’s risk posture.

  • Coordinate with Procurement and Legal to enforce vendor compliance with security expectations and contractual obligations.

  • Monitor regulatory updates and work with stakeholders to ensure third-party risk practices remain aligned with legal and regulatory changes.


What You'll Need 

  • Bachelor’s degree in Information Security, Risk Management, or a related field; equivalent professional experience accepted.

  • 1+ years of experience in Information Security GRC, audit, or risk management roles.

  • Good understanding of industry frameworks and regulations, including ISO 27001, NIST CSF, PCI DSS, GDPR, and local regulatory frameworks.

  • Experience supporting external audits and internal control assessments.

  • Familiarity with risk assessment methodologies and third-party risk management processes.

  • Experience using GRC platforms such as Vanta, Drata, or Sprinto is a plus.

  • Strong written and verbal communication skills with the ability to present to both technical and executive audiences.

  • Preferred certifications: CISA, CRISC, ISO 27001 Lead Implementer/Auditor, or equivalent.

Nice to have:

Who Are We? 

Thndr was founded with a powerful vision: to democratize investing in the Middle East and North Africa by putting financial power in the pockets of everyday people. Through smart technology and human-centered design, we're giving anyone with a smartphone easy access to preserve and grow their wealth while promoting local investment opportunities that propel our regional economies.

Before Thndr, only a very small percentage of people had access to investing due to:

  • High barriers to entry - minimum account balances, brick-and-mortar onboarding, and low financial literacy

  • Irrelevant experiences - platforms designed for traders and financial experts, alienating the majority

  • Fragmented offerings - investment products scattered across multiple platforms

  • Limited information accessibility - lack of organized, accessible information for retail investors

Our impact has been swift and significant:

  • 3 million app downloads

  • $8.8 billion in annualized traded value

  • #1 platform in terms of traded value (30% of market orders & 11% of retail traded value)

  • 84% of our users are investing for the first time

  • 65% of our users come from outside capital cities, previously underserved by financial institutions

We're building the connectivity and information gateway that links investors with a wide range of investments, focusing on self-directed investing and local products that empower individuals to build wealth confidently and intelligently.

While we're proud of our achievements, we're just getting started. Over the coming years, we're transitioning Thndr from an exciting startup to a consistently growing business that will remain strong, competitive, and expanding.

Joining Thndr means becoming part of a mission that requires passion, bold risks, and hard work—all focused on giving everyone an equal opportunity to generate and grow their wealth.

At Thndr, we’re looking for people invigorated by our mission, not just those who simply check off all the boxes. We’re looking for people who are hungry to become agents of change and who understand the huge responsibility associated with dealing with people’s money.
