Executive Summary

Corent Technology’s Governance, Risk, and Compliance (GRC) framework establishes a structured approach to managing operational, financial, regulatory, and information security obligations. Through a balance of governance committees, standardized procedures, risk management processes, and ongoing compliance monitoring, the program ensures resilience, transparency, and trust. The framework is anchored in international standards, validated through external certifications, and adapted to regional requirements including those in Saudi Arabia. This report provides a consolidated overview of the company’s GRC structure, practices, and continual improvement initiatives.

Purpose, Scope & Applicability

This webpage outlines Corent Technology’s GRC framework, capturing governance structures, risk management processes, compliance controls, and operational practices. It serves the following purposes:

  • Purpose: To demonstrate Corent’s adherence to global GRC standards, while enabling regional alignment with country-specific requirements such as Saudi regulatory frameworks.

  • Scope: Applies to all Corent Technology operations, including product development, IT infrastructure, cloud services, administrative processes, and financial functions.

  • Applicability: The report is applicable to internal stakeholders, external auditors, regulators, and clients requiring assurance of Corent’s governance and compliance posture.

Organizational Context & Governance Structure

Corent Technology operates with a layered governance model to ensure effective oversight across business and compliance functions.

Governance Committee

The Governance Committee provides oversight of organizational governance, financial controls, and administrative processes. It reviews SOPs, approves major policies, and monitors statutory compliance. Meetings are conducted regularly and may also be convened on an ad hoc basis to address emerging needs.

Steering Committee

The Steering Committee functions as a subset of the Governance Committee, with a sharper focus on information security and compliance matters. It ensures policies, risk assessments, audit findings, and continual improvement initiatives are reviewed and approved at the highest level.

Governance (G)

Governance at Corent Technology is maintained through clear policies, SOPs, and monitoring structures that promote accountability and compliance.

  • Policy Framework: Policies are developed, approved, and reviewed by governance committees to ensure relevance and adherence to regulatory expectations.

  • SOP Enforcement: SOPs for Accounts and General Administration standardize day-to-day operations and provide clarity on roles and responsibilities.

  • Monitoring & Reporting: RADAR, Corent’s internal project management and tracking platform, enforces SLA-based accountability across teams. All compliance and remediation tasks are logged, monitored, and reviewed by committee members.

  • Frequency of Oversight: Governance and Steering Committees meet periodically (monthly, quarterly, or as required) to assess compliance status, risk posture, and policy alignment.

  • Integration with Risk & Compliance: Governance oversight extends into risk and compliance functions, ensuring that decisions are consistent with both business objectives and regulatory requirements.

Risk Management (R)
Risk Management Framework

Risks are identified, assessed for likelihood and impact, and documented in a risk register. Each risk is assigned an owner and remediation timeline.

Risk Register & Risk Owners

The risk register is maintained within the RADAR platform, which enforces SLAs for resolution and provides audit trails.

Vulnerability Management & VAPT Lifecycle
  • Annual external Vulnerability Assessment and Penetration Testing (VAPT).

  • Continuous internal monitoring of infrastructure and applications.

  • Remediation tasks logged and tracked in RADAR until closure.

Business Continuity & Disaster Recovery (BCP/DR)

BCP and DR plans define recovery objectives, backup schedules, and periodic restore testing. Evidence includes restore logs and plan reviews.

Incident Response & Escalation

A documented Incident Response Plan defines severity levels, communication protocols, and escalation paths. Exercises are conducted periodically.

Compliance (C)
ISO/IEC 27001:2022 Certification

Corent’s ISMS is certified to ISO/IEC 27001:2022, covering development, QA, cloud operations, and support functions.

SOC 2 Compliance

Controls are aligned with the Trust Services Criteria (security, availability, confidentiality, integrity, and privacy). External audit reports are available on request.

GDPR Compliance

Data handling processes align with GDPR principles. This includes data subject rights, lawful processing, and privacy safeguards.

AWS Migration Competency & Foundational Technical Review (FTR)

Corent’s MaaS™ and SaaSOps™ solutions have passed AWS FTR reviews and are validated as Migration Competency solutions, confirming alignment with AWS best practices.

Awards & Recognitions
  • SIIA CODiE Award (Best Platform-as-a-Service, 2022)

  • IDC Market Glance placement in four FinOps Cloud transparency categories

  • Trusted by and solution provider for nearly 80% of global GSIs

Security Assessments (VAPT, NIST/PTES)

Independent security assessments have confirmed compliance with NIST and PTES frameworks, with no critical findings.

Certified Developers & Engineers

Corent maintains a pool of AWS- and Azure-certified engineers across infrastructure, development, and operations.

Statutory Filing & Accounting Controls

The Accounts SOP documents statutory filing processes, external audit cycles, and reconciliation practices.

Global Regulatory Mapping

Compliance obligations are tracked across jurisdictions. For the EU, GDPR applies; for other regions, applicable local requirements are mapped and reviewed.

Vendor & Third-Party Compliance

Vendors are subject to due diligence reviews, contractual compliance clauses, and security assessments where relevant.

IT & Security Controls
Endpoint & Perimeter Protections

All IT infrastructure is protected by Sophos endpoint security and multiple hardware firewalls. Firewall rules and endpoint policies are reviewed periodically, with logs maintained for audit purposes.

Access Controls

Physical access to premises is secured via biometric systems. Internal systems such as RADAR are accessible only from internal networks with authenticated user credentials. Privileged access is restricted, monitored, and periodically reviewed.

Backups & Restore Testing

Critical systems undergo daily backups, with offsite storage and redundancy. Periodic restore tests are conducted to verify data integrity and recovery readiness. Reports from backup and restore cycles are retained.

Patch & Configuration Management

A patching schedule is followed for operating systems and applications, with exceptions logged and approved. Baseline configurations are maintained, and deviations are documented in change logs.

Logging, Monitoring & Retention

Security events and system logs are centrally captured and monitored. Logs are retained in accordance with compliance requirements and reviewed as part of incident detection and forensic readiness.

Operations & SOP Highlights

Operational consistency is sustained through documented Standard Operating Procedures (SOPs) that define processes, responsibilities, and accountability.

General Administration SOP

Covers visitor management (entry/exit logs), CCTV access control, keys management, and physical asset registers. Procurement processes and Annual Maintenance Contracts (AMCs) are documented, ensuring accountability in facilities management.

Accounts SOP

Defines controls for receivables, payables, and bank reconciliations. Statutory filings, audits, and compliance with financial regulations are included. Segregation of duties and approval hierarchies are specified to prevent conflicts of interest.

Integration with Governance

SOPs are reviewed and approved by the Governance Committee, ensuring alignment with policies and statutory requirements.

Enforcement

Compliance with SOPs is monitored through periodic internal audits and cross-departmental reviews.

Adaptability

SOPs are updated as needed to reflect changes in regulations, tools, or operational priorities.

Training & Awareness
ISMS Training Program

All employees at Corent Technology undergo mandatory Information Security Management System (ISMS) training as part of their induction. Training covers security policies, acceptable use, incident reporting, and data protection principles. This ensures that new hires are aware of their responsibilities from day one.

Periodic Assessments

Employees are required to pass periodic assessments on ISMS awareness, with a minimum threshold of 80%. This measure ensures that staff not only attend training but also demonstrate comprehension and adherence to ISO 27001 requirements.

Continuous Awareness Campaigns

Awareness is reinforced through newsletters, posters, email advisories, and refresher sessions. Topics include phishing awareness, password hygiene, secure handling of customer data, and updates to regulatory requirements.

Specialized Training

Roles with elevated responsibilities — such as IT administrators, developers, and audit staff — receive targeted training on secure coding, access management, and compliance protocols. This ensures competency in handling higher-risk tasks.

High-Level Overview of Maintained Evidence & Certifications
Evidence Maintenance

Corent maintains comprehensive documentation and records to substantiate governance, risk, and compliance activities. These include risk registers, audit reports, RADAR extracts, backup and restore logs, and training results.

Non-Disclosure of Evidence

While detailed evidence cannot be shared externally due to the confidentiality requirements of the ISO/IEC 27001 ISMS, Corent provides a consolidated overview in this report. This demonstrates the existence of evidence while ensuring security and confidentiality are preserved.

Certifications & Recognitions

Corent’s commitment to compliance and excellence is reinforced by external validations and awards, such as:

  • ISO/IEC 27001:2022 certification

  • SOC 2 compliance attestation

  • GDPR alignment

  • AWS Migration Competency and Foundational Technical Review (FTR)

  • SIIA CODiE Award (Best PaaS, 2022)

  • IDC Market Glance positioning in four FinOps transparency categories

Accreditations Page

A high-level view of these certifications and recognitions is also published on Corent’s Accreditations & Achievements page, serving as a publicly available reference point.

Review Schedule
Governance Review Cadence

The Governance and Steering Committees meet on a structured calendar to review policies, risks, and compliance reports. Committee meetings occur quarterly, with ad hoc sessions held as required for emerging risks or incidents.

Audit & Assessment Cycle

Internal audits are performed at least annually, with external certification audits scheduled according to ISO 27001 and SOC 2 requirements. VAPT exercises are conducted annually, while backup restore tests and incident response drills follow pre-defined schedules.

SOP Review Frequency

SOPs for Accounts, Administration, and other operational areas are reviewed at least once a year, or sooner if regulatory changes, system updates, or business needs demand revisions.

Reporting

Results of reviews, audits, and assessments are logged in RADAR and reported to senior management for tracking and closure.

Continuous Improvement
Lessons Learned Approach

Findings from audits, incidents, and risk assessments feed into improvement initiatives. Each improvement item is assigned an owner, logged in RADAR, and tracked until completion.

Stakeholder Feedback

Feedback from customers, partners, and internal stakeholders is periodically collected and reviewed to identify opportunities for enhancing security, compliance, and service delivery.

Innovation & Adaptation

As technology, threats, and regulations evolve, Corent adapts its controls and frameworks. This includes adopting new tools, refining SOPs, and aligning with updated versions of compliance standards.

Culture of Improvement

Continuous improvement is embedded in Corent’s culture through awareness sessions, leadership reviews, and recognition of teams that contribute to strengthening governance and compliance practices.