SAMA & IA
Saudi Central Bank & Insurance Authority — banks, insurers & fintech
PCI SSC Qualified Security Assessor — Riyadh · Melbourne
We certify compliance as a PCI SSC Qualified Security Assessor — and we build SAMA, NCA, PCI DSS and PDPL programs engineered to stand before any regulator.
QSA
PCI SSC approved Qualified Security Assessor for PCI DSS
0+ yrs
Combined consulting experience with enterprises and governments
0+
Regulatory frameworks audited, from SAMA CSF to PCI DSS and PDPL
0 markets
Saudi Arabia, UAE, Qatar, Bahrain, and Australia
Index of services
Each engagement begins with a gap assessment and ends with audit-ready assurance — structured like the standards themselves.
Saudi Central Bank & Insurance Authority — banks, insurers & fintech
National cybersecurity & telecom regulators
PCI DSS certification and SDAIA’s PDPL
Offensive assurance for your controls

Our footprint
Established in the UK in 2010. Registered in Australia. On the ground in the Kingdom — an international practice with its focus on Saudi Arabia.
Working principle
Compliance is not a certificate on a wall — it is a cycle. We embed the PDCA discipline into every engagement, breaking frameworks into stages your teams can plan, implement, measure, and continuously improve.
01
Plan
Gap assessment against the framework; scoped roadmap with owners and dates.
02
Do
Policies, controls, and processes implemented alongside your teams.
03
Check
Internal audit, testing, and evidence review before the regulator looks.
04
Act
Remediation, tuning, and preparation for the next cycle of the standard.

Why GRC360
01
Led by consultants with decades across banking, government, and enterprise — trusted by large organisations to deliver when it matters.
02
Fees that are competitive and in line with our skills and experience. Scoped engagements, no surprises.
03
A 100% success rate delivering on time and within budget — we exceed client expectations, not just meet them.
The journal
Data Protection · 23 Nov 2025
How to correctly apply vital, actual, and legitimate interest under the Saudi PDPL when processing personal data without consent, with practical worked examples.
Data Protection · 11 Jul 2024
Understand when the Saudi PDPL requires a Data Protection Officer, the criteria under Article 30, and the value a DPO brings beyond compliance obligations.
Data Protection · 11 Jul 2024
A practical six-step guide to appointing a Data Protection Officer under the Saudi PDPL, from assessing data processing activities to communicating the appointment.
Start the conversation
We'll bring the map.
Contact us — info@grc360.net