GRC360

About us

Built for the audit that matters.

GRC 360 Pty. Ltd. is a professional consultancy and audit firm with a specialised focus in information security and data protection — trusted where compliance has to be right the first time.

Who we are

GRC360 exists to make standards and regulations easy to comply with — and easy to get certified against. Established in the United Kingdom in 2010 — before most of the frameworks we now audit existed — we are a PCI SSC approved Qualified Security Assessor (QSA), and our consultants collectively bring more than a century of experience working with large enterprises, financial institutions, and governments.

Our work spans the frameworks that define modern compliance in our markets: theSAMA framework family, the NCA's national cybersecurity controls, the CST regulatory framework, PCI DSS, and Saudi Arabia's PDPL — alongside penetration testing and security assurance that put controls to the test.

How we work

Compliance, done honestly, is a cycle — not a certificate. Every engagement follows the discipline we would expect as auditors ourselves: a defensible gap assessment, a roadmap with owners and dates, controls implemented alongside your teams, andevidence engineered from day one so that what we build survives independent scrutiny.

That assessor's perspective is our difference. We know what the person on the other side of the table will ask for, because we sit on that side of the table too.

Where we operate

Our consultants serve clients across Saudi Arabia and the wider Gulf — including the UAE, Qatar, and Bahrain — and in Australia, with engagements delivered on-site and remotely. Wherever a regulator sets the bar, we work where our clients and their supervisors are.

What we stand on

Three principles, no exceptions.

Evidence over assertion

A control that cannot be demonstrated does not exist. Everything we implement is built to be proven — to a regulator, an assessor, or a court.

Local rules, first-hand

Frameworks are read in their own jurisdiction. We work inside the Kingdom’s regulatory ecosystem daily and follow every revision as it lands.

Compliance as a cycle

Plan, do, check, act — then again. We build programs that keep their maturity between audits, not ones that peak on inspection day.

Coverage

Where the regulators are, we are.

Talk to the consultants your auditors would hire.

Request a proposal →