Enterprise GRC Platform · Built for the GCC
Security risk
conquered
Risk, compliance, incidents, and architecture — one platform. Native GCC depth. 12 role views. Zero configuration.
40+Frameworks
12Role Views
6GCC Countries
2,000+Controls
Trusted by security teams across regulated industries
Financial Services
Banking & Insurance
Government & Defense
Healthcare
Energy & Utilities
Telecoms
The platform
One platform for every security domain
Risk, GRC, incidents, architecture, vendors, and evidence — one platform. Native Arabic support. Every role covered.
Native GCC Regulatory Coverage
Every major Gulf regulatory framework — CBUAE ISR, NCA ECC, SAMA CSF, ADGM FSRA, VARA CSF — built in and maintained. No manual mapping.
AI-Assisted Compliance
AI Suggest surfaces control gaps, drafts policy text, triages incident severity, and recommends treatment plans — all in context.
12 Distinct Role Views
Each of the 14 security roles sees exactly what they need — no more, no less. CISO gets board-ready posture; analyst gets their queue.
Built for the region
Native GRC for the GCC
CBUAE ISR 4-hour breach reporting, SAMA CSF, PDPL, QCB, NESA — pre-built frameworks with jurisdiction-aware incident workflows.
Regulatory frameworks covered
NCA ECCSaudi Arabia
SAMA CSFSaudi Arabia
CBUAE ISRUAE
NESA IASUAE
ADGM FSRAUAE
VARA CSF v2UAE
QCERT NCFQatar
CBB v3Bahrain
NCSI NCFOman
DHADubai
MOHAPUAE
SCAUAE
Security Domains
Six pillars zero silos
Every domain connects — risks link to incidents, incidents link to controls, controls map to frameworks, frameworks generate evidence.
Risk Management
GRC & Compliance
Incident Response
Security Architecture
Vendor Risk
Evidence Management
How it works
Live in days not months
No consultants. No 6-month implementation. Import your frameworks, map your team, and get signal from day one.
Adopt your frameworks
Select from 40+ pre-built templates — NCA ECC, ISO 27001, PCI DSS, SAMA CSF. Controls import instantly.
Map roles & risk appetite
Assign your 12 security roles. Set risk thresholds. Jurisdictions auto-populate regulatory deadlines.
Risk and evidence flow in
Log risks, declare incidents, upload evidence — all linked across frameworks. Every action audit-logged.
Board-ready reporting
CISO dashboard, executive reports, and compliance scorecards update in real time. No manual assembly.
Customer stories
Trusted by security leaders across the GCC
Security teams in banking, government, and critical infrastructure rely on Scale Risk as their single system of record.
Scale Risk replaced three separate tools we were using for GRC, incident tracking, and evidence management. The CBUAE ISR framework was ready out of the box — nothing else in the market comes close for GCC coverage.
Khalid Al-Mansouri
CISO · Regional Banking Group, UAE
The 12-role permission model is exactly what a large security team needs. Our SOC analysts see their queue, our CISO sees the board summary, our GRC team manages controls — all from one platform.
Priya Nair
GRC Manager · FinTech Enterprise, Riyadh
Implementation took two days, not six months. We imported ISO 27001 and NCA ECC, assigned roles, and had our first risk register within the week. AI Suggest for control gaps saved my team hours.
Omar Al-Rashid
Head of Cybersecurity · Government Authority, KSA
How We Compare
Built different
Most GRC tools retrofit compliance onto generic project management. Scale Risk was built from day one for security teams in regulated industries.
| Feature | Scale Risk | Vanta | Drata | OneTrust | Archer |
|---|---|---|---|---|---|
| GCC Regulatory Coverage | |||||
| Built-in Frameworks | 40+ | 20+ | 15+ | 30+ | 10+ |
| Role-Based Dashboards | 12 roles | 3 roles | 3 roles | 5 roles | 4 roles |
| Incident Breach Workflow | |||||
| Vendor Risk Management | |||||
| Multi-Framework Mapping | |||||
| Evidence Multi-Tagging | |||||
| OT/ICS Security | |||||
| RTL / Arabic Support |
Compliance Library
40+ compliance frameworks at your fingertips
Every framework ships with pre-mapped controls. Import in one click, or build your own.
ISO 27001:2022Global
International standard for information security management systems (ISMS).
COBIT 2019Global
ISACA COBIT 2019 framework for IT governance and management.
PCI DSS 4.0US
Payment Card Industry Data Security Standard version 4.0.
DORAEU/UK
Digital Operational Resilience Act — ICT risk management for EU financial entities.
BSI C5EU/UK
BSI Cloud Computing Compliance Criteria Catalogue — German cloud security.
FCA PS21/3EU/UK
FCA Operational Resilience Policy Statement for UK regulated firms.
SAMA CSFGCC
Saudi Arabian Monetary Authority Cybersecurity Framework.
UAE NESA IASGCC
UAE National Electronic Security Authority Information Assurance Standards.
UAE SCA CybersecurityGCC
UAE Securities & Commodities Authority cybersecurity requirements.
Qatar NIA FrameworkGCC
Qatar National Information Assurance Cybersecurity Framework.
CBB Vol. 2 InsuranceGCC
Central Bank of Bahrain insurance cybersecurity requirements.
CBK Guidelines (Kenya)Africa
Central Bank of Kenya Cybersecurity Guidelines for financial institutions.
RBI Payment Aggregator FrameworkIndia
RBI cybersecurity guidelines for Payment Aggregators and Gateways.
DPDPA 2023India
India Digital Personal Data Protection Act 2023.
APRA CPS 234APAC
Australian Prudential Regulation Authority Information Security standard.
POPIA (South Africa)Africa
South Africa Protection of Personal Information Act.
ADGM Data Protection Regulations 2021GCC
Abu Dhabi Global Market Data Protection Regulations 2021 for ADGM-registered entities.
Oman PDPLGCC
Oman Personal Data Protection Law — fully effective February 2025. NCSI enforcement.
Bank of Ghana Cybersecurity DirectiveAfrica
Bank of Ghana Cybersecurity Directive for BOG-supervised financial institutions.
Jordan CBJ Cybersecurity InstructionsMENA
Central Bank of Jordan Cybersecurity Instructions for CBJ-licensed financial institutions.
Morocco Bank Al-Maghrib CybersecurityMENA
Bank Al-Maghrib Circular 5/W/2021 on cybersecurity for Moroccan credit institutions.
ISO 27001:2022Global
International standard for information security management systems (ISMS).
COBIT 2019Global
ISACA COBIT 2019 framework for IT governance and management.
PCI DSS 4.0US
Payment Card Industry Data Security Standard version 4.0.
DORAEU/UK
Digital Operational Resilience Act — ICT risk management for EU financial entities.
BSI C5EU/UK
BSI Cloud Computing Compliance Criteria Catalogue — German cloud security.
FCA PS21/3EU/UK
FCA Operational Resilience Policy Statement for UK regulated firms.
SAMA CSFGCC
Saudi Arabian Monetary Authority Cybersecurity Framework.
UAE NESA IASGCC
UAE National Electronic Security Authority Information Assurance Standards.
UAE SCA CybersecurityGCC
UAE Securities & Commodities Authority cybersecurity requirements.
Qatar NIA FrameworkGCC
Qatar National Information Assurance Cybersecurity Framework.
CBB Vol. 2 InsuranceGCC
Central Bank of Bahrain insurance cybersecurity requirements.
CBK Guidelines (Kenya)Africa
Central Bank of Kenya Cybersecurity Guidelines for financial institutions.
RBI Payment Aggregator FrameworkIndia
RBI cybersecurity guidelines for Payment Aggregators and Gateways.
DPDPA 2023India
India Digital Personal Data Protection Act 2023.
APRA CPS 234APAC
Australian Prudential Regulation Authority Information Security standard.
POPIA (South Africa)Africa
South Africa Protection of Personal Information Act.
ADGM Data Protection Regulations 2021GCC
Abu Dhabi Global Market Data Protection Regulations 2021 for ADGM-registered entities.
Oman PDPLGCC
Oman Personal Data Protection Law — fully effective February 2025. NCSI enforcement.
Bank of Ghana Cybersecurity DirectiveAfrica
Bank of Ghana Cybersecurity Directive for BOG-supervised financial institutions.
Jordan CBJ Cybersecurity InstructionsMENA
Central Bank of Jordan Cybersecurity Instructions for CBJ-licensed financial institutions.
Morocco Bank Al-Maghrib CybersecurityMENA
Bank Al-Maghrib Circular 5/W/2021 on cybersecurity for Moroccan credit institutions.
NIST CSF 2.0Global
NIST Cybersecurity Framework 2.0 — six functions: Govern, Identify, Protect, Detect, Respond, Recover.
IEC 62443Global
Industrial Automation and Control Systems cybersecurity standard for OT/ICS environments.
SOC 2 Trust Services CriteriaUS
AICPA SOC 2 Trust Services Criteria for service organisations.
GDPREU/UK
General Data Protection Regulation — EU data protection and privacy.
BSI IT-GrundschutzEU/UK
BSI baseline protection methodology for comprehensive information security.
NCA ECCGCC
Saudi National Cybersecurity Authority Essential Cybersecurity Controls.
CBUAE Cyber Risk ManagementGCC
Central Bank of the UAE Cyber Risk Management Guidelines.
VARA CSF v2.0GCC
Dubai Virtual Assets Regulatory Authority Cyber Security Framework.
DHA CybersecurityGCC
Dubai Health Authority cybersecurity requirements for healthcare.
QCERT NCFGCC
Qatar CERT National Cybersecurity Framework for critical infrastructure.
NCSI NCF (Oman)GCC
Oman NCSI National Cybersecurity Framework for critical infrastructure.
CBU Cybersecurity (Uzbekistan)APAC
Central Bank of Uzbekistan cybersecurity requirements for banks.
IRDAI Cyber Security 2023India
IRDAI Information and Cyber Security Guidelines for Indian insurance entities.
SEBI CSCRF 2023India
SEBI Cybersecurity and Cyber Resilience Framework for regulated entities.
ASD Essential EightAPAC
Australian Signals Directorate Essential Eight Maturity Model.
UAE Federal PDPLGCC
UAE Federal Decree-Law No. 45/2021 on Personal Data Protection. TDRA/UAEDAPT enforcement.
EU AI ActEU/UK
EU Regulation 2024/1689 — comprehensive AI regulation with extraterritorial scope affecting EU persons.
Kuwait PDPLGCC
Kuwait Personal Data Protection Law. CITRA enforcement. 72-hour breach notification.
South Africa FSCA CybersecurityAfrica
FSCA Cybersecurity guidance for South African financial institutions. Complements POPIA.
Egypt CBE Cybersecurity FrameworkMENA
Central Bank of Egypt Cybersecurity Framework for CBE-regulated financial institutions.
NIST CSF 2.0Global
NIST Cybersecurity Framework 2.0 — six functions: Govern, Identify, Protect, Detect, Respond, Recover.
IEC 62443Global
Industrial Automation and Control Systems cybersecurity standard for OT/ICS environments.
SOC 2 Trust Services CriteriaUS
AICPA SOC 2 Trust Services Criteria for service organisations.
GDPREU/UK
General Data Protection Regulation — EU data protection and privacy.
BSI IT-GrundschutzEU/UK
BSI baseline protection methodology for comprehensive information security.
NCA ECCGCC
Saudi National Cybersecurity Authority Essential Cybersecurity Controls.
CBUAE Cyber Risk ManagementGCC
Central Bank of the UAE Cyber Risk Management Guidelines.
VARA CSF v2.0GCC
Dubai Virtual Assets Regulatory Authority Cyber Security Framework.
DHA CybersecurityGCC
Dubai Health Authority cybersecurity requirements for healthcare.
QCERT NCFGCC
Qatar CERT National Cybersecurity Framework for critical infrastructure.
NCSI NCF (Oman)GCC
Oman NCSI National Cybersecurity Framework for critical infrastructure.
CBU Cybersecurity (Uzbekistan)APAC
Central Bank of Uzbekistan cybersecurity requirements for banks.
IRDAI Cyber Security 2023India
IRDAI Information and Cyber Security Guidelines for Indian insurance entities.
SEBI CSCRF 2023India
SEBI Cybersecurity and Cyber Resilience Framework for regulated entities.
ASD Essential EightAPAC
Australian Signals Directorate Essential Eight Maturity Model.
UAE Federal PDPLGCC
UAE Federal Decree-Law No. 45/2021 on Personal Data Protection. TDRA/UAEDAPT enforcement.
EU AI ActEU/UK
EU Regulation 2024/1689 — comprehensive AI regulation with extraterritorial scope affecting EU persons.
Kuwait PDPLGCC
Kuwait Personal Data Protection Law. CITRA enforcement. 72-hour breach notification.
South Africa FSCA CybersecurityAfrica
FSCA Cybersecurity guidance for South African financial institutions. Complements POPIA.
Egypt CBE Cybersecurity FrameworkMENA
Central Bank of Egypt Cybersecurity Framework for CBE-regulated financial institutions.
CIS Controls v8Global
Center for Internet Security Critical Security Controls version 8.
SWIFT CSP 2024Global
SWIFT Customer Security Programme mandatory and advisory controls.
HIPAAUS
Health Insurance Portability and Accountability Act — PHI privacy and security.
NIS2 DirectiveEU/UK
Network and Information Security Directive 2 — EU cybersecurity requirements.
FCA SYSCEU/UK
FCA Senior Management Arrangements, Systems and Controls — UK FCA sourcebook.
NCA CSCCGCC
Saudi NCA Critical Systems Cybersecurity Controls for OT systems.
CBUAE ISR 2021GCC
Central Bank of the UAE Information Security Regulation — 14-domain framework.
ADGM FSRA CRMFGCC
Abu Dhabi Global Market Cyber Risk Management Framework.
MOHAP Health Data ProtectionGCC
UAE Ministry of Health cybersecurity and health data protection standards.
CBB Cyber Risk Module v3GCC
Central Bank of Bahrain Cyber Risk Module for financial institutions.
NCEMA Cybersecurity FrameworkGCC
UAE National Cybersecurity Authority CSF — mandated for UAE federal entities and critical infrastructure operators.
RBI Cyber Security FrameworkIndia
Reserve Bank of India Cyber Security Framework for banks and NBFCs.
CERT-In Directions 2022India
Indian CERT incident reporting and cybersecurity obligations.
MAS TRM 2021APAC
Monetary Authority of Singapore Technology Risk Management Guidelines.
PDPA (Singapore)APAC
Singapore Personal Data Protection Act for organisations.
DIFC Regulation 10 (AI) + DPLGCC
DIFC Regulation 10 on AI — first binding AI regulation in MEASA. Combined with DIFC Data Protection Law.
Qatar QCB AI GuidelineGCC
Qatar Central Bank AI Governance Guidelines — binding for Qatar financial sector. Rollout 2024–2027.
Nigeria CBN Cybersecurity FrameworkAfrica
Central Bank of Nigeria Cybersecurity Framework — mandatory for CBN-regulated financial institutions.
Pakistan SBP Cybersecurity FrameworkMENA
State Bank of Pakistan Cybersecurity Framework for SBP-regulated financial institutions.
Turkey BDDK Cybersecurity RegulationMENA
Turkey BDDK Cybersecurity Regulation with KVKK overlap for Turkish financial institutions.
CIS Controls v8Global
Center for Internet Security Critical Security Controls version 8.
SWIFT CSP 2024Global
SWIFT Customer Security Programme mandatory and advisory controls.
HIPAAUS
Health Insurance Portability and Accountability Act — PHI privacy and security.
NIS2 DirectiveEU/UK
Network and Information Security Directive 2 — EU cybersecurity requirements.
FCA SYSCEU/UK
FCA Senior Management Arrangements, Systems and Controls — UK FCA sourcebook.
NCA CSCCGCC
Saudi NCA Critical Systems Cybersecurity Controls for OT systems.
CBUAE ISR 2021GCC
Central Bank of the UAE Information Security Regulation — 14-domain framework.
ADGM FSRA CRMFGCC
Abu Dhabi Global Market Cyber Risk Management Framework.
MOHAP Health Data ProtectionGCC
UAE Ministry of Health cybersecurity and health data protection standards.
CBB Cyber Risk Module v3GCC
Central Bank of Bahrain Cyber Risk Module for financial institutions.
NCEMA Cybersecurity FrameworkGCC
UAE National Cybersecurity Authority CSF — mandated for UAE federal entities and critical infrastructure operators.
RBI Cyber Security FrameworkIndia
Reserve Bank of India Cyber Security Framework for banks and NBFCs.
CERT-In Directions 2022India
Indian CERT incident reporting and cybersecurity obligations.
MAS TRM 2021APAC
Monetary Authority of Singapore Technology Risk Management Guidelines.
PDPA (Singapore)APAC
Singapore Personal Data Protection Act for organisations.
DIFC Regulation 10 (AI) + DPLGCC
DIFC Regulation 10 on AI — first binding AI regulation in MEASA. Combined with DIFC Data Protection Law.
Qatar QCB AI GuidelineGCC
Qatar Central Bank AI Governance Guidelines — binding for Qatar financial sector. Rollout 2024–2027.
Nigeria CBN Cybersecurity FrameworkAfrica
Central Bank of Nigeria Cybersecurity Framework — mandatory for CBN-regulated financial institutions.
Pakistan SBP Cybersecurity FrameworkMENA
State Bank of Pakistan Cybersecurity Framework for SBP-regulated financial institutions.
Turkey BDDK Cybersecurity RegulationMENA
Turkey BDDK Cybersecurity Regulation with KVKK overlap for Turkish financial institutions.
Designed for every person on the team
Every role gets its own view out of the box
Every role sees exactly the signal they need. No shared generic dashboards. Each view is purpose-built for its owner.
CISOBoard-ready posture, every morning
GRC ManagerFramework gaps, deadlines, evidence
Security AnalystYour queue, nothing else
SOC ManagerIncidents end-to-end