Transfer Impact Assessments for Cloud in 2026
Maria, the CISO at InnovatePay, stared at page 12 of the due diligence questionnaire.
Her company, a fast-growing European FinTech SaaS provider, was close to signing its largest customer yet, a major bank with strict operational resilience expectations. The questionnaire was not asking only for an ISO 27001 certificate, penetration test summary or security policy pack. It asked for a full Transfer Impact Assessment for InnovatePay’s primary US-based cloud provider, a subprocessor breakdown, the applicable Standard Contractual Clauses, the geographic data transfer declaration, and proof that supplementary measures were mapped to ISO/IEC 27001:2022, NIS2 and DORA.
Legal had the Data Processing Addendum. Procurement had the vendor portal. Engineering had cloud region settings. Security had encryption diagrams. Customer success had promised “EU hosting” in a sales call. Nobody could immediately prove whether support access from India was in scope, whether the analytics add-on used a US subprocessor, or whether error logs were replicated through a global monitoring provider.
That is the 2026 reality for SaaS companies, cloud providers, FinTech suppliers and managed ICT service providers. A Transfer Impact Assessment, or TIA, is no longer a privacy memo created at the end of procurement. It is a cross-compliance evidence package that must explain where personal data goes, who can access it, what legal transfer mechanism applies, which supplementary measures reduce the risk, and how the organization monitors the transfer over time.
For many teams, the problem is not lack of effort. It is fragmentation. SCCs sit in a contract repository. Subprocessor lists live in vendor portals. Data residency settings are in the cloud console. Risk decisions are buried in email. Encryption evidence sits in Confluence. A strong cloud Transfer Impact Assessment connects those fragments into one defensible chain of evidence.
Why cloud TIAs have become a board-level risk issue
A Transfer Impact Assessment evaluates whether personal data transferred outside the European Economic Area remains protected in practice. The assessment should identify the data, parties, processing purposes, storage locations, access locations, onward transfers, legal transfer mechanism, recipient-country risks and supplementary measures.
Under GDPR, the starting point is broad. Personal data, processing, controller, processor, pseudonymisation and personal data breach are defined widely. Cloud telemetry, support tickets, authentication logs, billing records, user identifiers, IP addresses and product analytics can all fall into scope. GDPR accountability under Article 5 requires organizations to demonstrate compliance, while Article 28 processor obligations and Chapter V international transfer rules depend on knowing exactly what data moves, where it moves and who can touch it.
The Schrems II judgment made the practical burden clearer. Signing SCCs is not enough by itself. Organizations must consider whether the laws and practices of the destination country could undermine the protections promised in the contract, then apply supplementary measures where needed.
For cloud businesses, that becomes complicated fast. A SaaS product may use one infrastructure provider, a separate support platform, an email service, an error monitoring tool, a CDN, a data warehouse and an AI analytics feature. Each provider may have subprocessors. Each subprocessor may introduce a storage location, access location, operational support path or onward transfer.
This is why ISO/IEC 27001:2022, NIS2, DORA and NIST CSF 2.0 have become part of the TIA conversation:
- GDPR asks whether there is a lawful transfer mechanism, appropriate processor terms, subprocessor control and effective supplementary measures.
- ISO/IEC 27001:2022 asks whether the transfer risk is identified, treated, controlled, monitored and included in the Statement of Applicability.
- NIS2 asks whether essential and important entities manage supplier and service-provider cybersecurity risk with management oversight.
- DORA asks financial entities to prove ICT third-party governance, contractual clauses, subcontracting visibility, location transparency, concentration risk and exit readiness.
- NIST CSF 2.0 helps translate these requirements into governance, supplier risk, protection, response and recovery outcomes.
The practical conclusion is simple: a TIA should live inside the ISMS, not outside it.
Use the ISMS as the compliance hub
Trying to manage TIAs, GDPR, DORA and NIS2 in separate spreadsheets creates duplicated work and audit gaps. The more scalable approach is to use ISO/IEC 27001:2022 as the management system that connects obligations, risks, controls and evidence.
ISO/IEC 27001:2022 requires organizations to understand their context, interested-party requirements, interfaces and dependencies with other organizations. It also requires a repeatable information security risk assessment, risk treatment process, Statement of Applicability and evidence that selected controls operate as intended.
That structure fits a TIA perfectly. The risk “EU personal data may be accessed from a third country through a cloud provider or subprocessor without effective safeguards” belongs in the risk register. The treatment belongs in the treatment plan. The selected controls belong in the SoA. The supporting artifacts belong in an evidence index.
Clarysec’s Zenith Blueprint: An Auditor’s 30-Step Roadmap captures this relationship in the Risk Management phase, Step 13:
The SoA is effectively a bridging document : it links your risk assessment/treatment to the actual controls you have. By completing it, you also double-check if you missed any controls.
That sentence is central to TIA readiness. The TIA is not the control. It is the assessment that explains why controls are needed and how they reduce residual transfer risk. The SoA is the bridge that ties the risk to cloud governance, supplier contracts, cryptography, access control, monitoring, incident response, continuity and legal compliance.
Start with the transfer map, not the SCC
Many organizations begin a TIA by asking whether the contract contains SCCs. That is necessary, but it is not the first question. SCCs are only meaningful if the organization knows which transfers they cover.
A practical cloud TIA starts with five questions.
| TIA question | Evidence source | Why auditors care |
|---|---|---|
| What personal data is transferred? | Records of processing, data classification, cloud asset inventory, data flow maps | GDPR accountability and ISO 27001 risk identification require defined assets and processing context |
| Where is data stored, accessed, supported or replicated? | Cloud service register, provider residency settings, subprocessor declarations | International transfer analysis depends on both storage and access locations |
| Who receives or can access the data? | Supplier register, DPA, subprocessor list, privileged access records | Processor and subprocessor governance must be enforceable and monitored |
| What mechanism supports the transfer? | SCCs, adequacy decision, EU-US Data Privacy Framework where applicable, BCRs or other documented basis | GDPR Chapter V requires a valid transfer mechanism with onward transfer controls |
| What supplementary measures reduce residual risk? | Encryption design, key ownership, pseudonymisation, access approvals, logging, DLP, incident process | The assessment must show practical protection, not only paper clauses |
Clarysec’s SME Cloud Usage Policy-sme makes this operational by requiring a register:
A Cloud Service Register must be maintained by the IT provider or GM. It must record:
From section “Governance Requirements”, policy clause 5.3.
The same clause family includes a location requirement that is essential for TIAs:
The country or region where data is stored
From section “Governance Requirements”, policy clause 5.3.4.
For larger environments, Clarysec’s Cloud Usage Policy explicitly connects cloud governance to transfer mechanisms:
Review standard contractual clauses (SCCs) and transfer mechanisms under GDPR, where applicable.
From section “Roles and Responsibilities”, policy clause 4.5.2.
The same policy adds the cross-regulatory requirement:
Cross-border data transfers must comply with GDPR Chapter V and, where applicable, DORA Article 28.
From section “Policy Implementation Requirements”, policy clause 6.6.3.
This changes the TIA conversation. The question is not “do we have SCCs?” The question is “which cloud service, which personal data, which country, which access path, which subprocessor, which transfer mechanism, which supplementary measures and which residual risk?”
Map cloud TIAs to ISO/IEC 27001:2022 evidence
ISO/IEC 27001:2022 provides the structure for proving that a TIA is part of an operating control environment. The most relevant evidence areas are supplier governance, cloud governance, legal obligations, privacy, cryptography, access control, monitoring, incident response and continuity.
| ISO/IEC 27001:2022 evidence area | What to show for a TIA | Example artifact |
|---|---|---|
| Supplier risk management | Supplier due diligence includes international transfer, data location and subprocessor risk | Supplier risk assessment with transfer section |
| Supplier agreements | Security, privacy, audit, breach notification, subcontractor and exit clauses are defined | DPA, SCCs, ICT contract schedule, security addendum |
| ICT supply chain | Downstream providers and cloud dependencies are identified and controlled | Subprocessor register and flow-down evidence |
| Supplier monitoring | Provider evidence is reviewed periodically and changes trigger reassessment | SOC report review, ISO certificate review, subprocessor change log |
| Cloud services | Cloud acquisition, use, management and exit are governed | Cloud service register, shared responsibility matrix, cloud exit plan |
| Legal and privacy obligations | GDPR Chapter V, processor obligations and customer commitments are documented | Legal obligations register, TIA, records of processing |
| Cryptography and access control | Supplementary measures are implemented and verified | Encryption architecture, KMS settings, access review logs |
| Incident and continuity | Cloud and supplier incidents are detected, reported, handled and learned from | Incident runbook, notification clauses, recovery test records |
Clarysec’s Zenith Controls: The Cross-Compliance Guide is especially useful here. In Zenith Controls, ISO/IEC 27002:2022 control 5.23, Information security for use of cloud services, is treated as a preventive control supporting confidentiality, integrity and availability across governance, ecosystem and protection domains. It ties cloud use to supplier relationships, endpoint security, network security, information transfer, data masking, data leakage prevention, asset inventory and secure development lifecycle.
That mapping matters because a TIA is rarely solved by a single legal clause. It often involves cloud admin access, APIs moving data between regions, support consoles, logs, storage buckets, monitoring platforms and backup locations.
Zenith Controls also maps 5.23 to related standards, including ISO/IEC 27017 for cloud shared responsibility and audit trails, ISO/IEC 27018 for protection of PII in public cloud, ISO/IEC 27701 for privacy extension requirements, ISO/IEC 27036-4 for cloud service monitoring and ISO/IEC 27005 for cloud risk assessment.
For supplier contracts, Zenith Controls covers ISO/IEC 27002:2022 control 5.20, Addressing information security within supplier agreements. This control turns transfer requirements into enforceable commitments. GDPR Article 28 processor terms, subprocessor controls, NIS2 supply chain expectations and DORA Article 30 contractual provisions all become contract evidence.
For continuous oversight, ISO/IEC 27002:2022 control 5.22, Monitoring, review and change management of supplier services, is the key. A TIA completed during onboarding can become stale after a provider adds a subprocessor, changes support locations, modifies logging architecture or launches a new feature.
Fix the subprocessor weak point
The most common TIA failure is not missing SCCs. It is stale subprocessor knowledge.
Cloud providers and SaaS platforms frequently change service regions, support models, telemetry pipelines, CDNs and subcontractors. If a TIA depends on a subprocessor list downloaded once during procurement, it will quickly become unreliable.
Clarysec’s Third party and supplier security policy addresses this through a contractual requirement:
The use of subcontractors subject to prior written consent
From section “Governance Requirements”, policy clause 5.3.5.
Clarysec’s Legal and Regulatory Compliance Policy identifies the legal evidence that should be maintained:
Subprocessor disclosures and geographic data transfer declarations
From section “Policy Implementation Requirements”, policy clause 6.3.1.2.
That requirement is short, but it is often the difference between a credible TIA and an incomplete one. If an organization cannot produce subprocessor disclosures and geographic transfer declarations, it cannot reliably explain onward transfers.
The Zenith Blueprint, Controls in Action phase, Step 23, adds the operational expectation:
For every critical supplier, identify if they use subcontractors (sub-processors) who may access your data or systems. Document how your information security requirements are flowed down to these parties, either through your supplier’s contract terms or your own direct clauses.
In practice, this means high-risk suppliers should have an annual subprocessor review, change notification process, documented approval workflow and risk reassessment trigger. For DORA-relevant services, the same evidence also supports subcontracting and concentration risk analysis.
Make supplementary measures specific and provable
Supplementary measures should never be documented as “we use encryption” without detail. Auditors and enterprise customers will ask what is encrypted, where encryption is applied, who controls the keys, whether provider personnel can access plaintext, whether logs contain personal data, and how privileged access is approved.
A strong supplementary-measures package combines technical, contractual, organizational and resilience safeguards.
| Measure type | Example | TIA evidence |
|---|---|---|
| Technical | Encryption in transit, encryption at rest, customer-managed keys, pseudonymisation, tokenisation, DLP, access logging | Architecture diagram, KMS configuration, encryption policy, log samples |
| Contractual | SCCs, DPA, subprocessor approval, breach notification, audit rights, data return and deletion | Signed agreements, clause checklist, contract mapping |
| Organizational | Transfer review workflow, access approvals, staff training, supplier review cadence | TIA procedure, access review records, training logs |
| Resilience | Backup, recovery, exit plan, alternative provider strategy, incident communications | Recovery test, cloud exit plan, crisis communications plan |
Clarysec’s Cryptographic Controls Policy-sme provides the anchor:
Encryption must be applied to:
From section “Policy Implementation Requirements”, policy clause 6.1.1.
For a TIA, that policy statement should become explicit evidence. Encryption should be described for personal data in transit between EU systems and third-country cloud services, at rest in cloud storage, and in backups. Key ownership should be defined. If customer-managed keys are used, the TIA should explain whether the provider can access plaintext, when support access is allowed, and how administrative access is logged.
Clarysec’s Third-Party and Supplier Security Policy-sme reinforces location assurance:
Where suppliers are required to store data off-site, the company must obtain assurance regarding data protection, physical security, and the geographic storage location (e.g., EU-only hosting where required by GDPR).
From section “Policy Implementation Requirements”, policy clause 6.2.4.
The same SME policy also supports contract completeness:
Contracts must include mandatory clauses covering:
From section “Governance Requirements”, policy clause 5.3.
For TIAs, those mandatory clauses should cover confidentiality, security measures, breach notification, subprocessors, audit rights, data return, deletion, transfer mechanisms and location commitments.
Build an audit-ready TIA evidence pack
Assume a European B2B SaaS provider uses a US-based analytics platform. The platform ingests customer usage events, user IDs, IP addresses and support metadata. It offers EU hosting and SCCs, but support personnel outside the EEA may access tickets, and error logs may be processed by a third-country subprocessor.
A practical evidence pack can be built in six steps.
1. Create the transfer record
Start with the Cloud Service Register required by Cloud Usage Policy-sme. Add service owner, business purpose, data categories, data subjects, role, hosting region, access countries, support locations, subprocessors, transfer mechanism, supplementary measures, risk rating and next review date.
For the analytics platform, record that events are hosted in the EU, support access may occur outside the EEA, and error monitoring creates an onward transfer.
2. Attach contractual evidence
Attach the DPA, SCCs or other transfer mechanism evidence, security addendum, incident notification terms and subprocessor list. Use Cloud Usage Policy clause 4.5.2 to evidence review of SCCs and transfer mechanisms. Use Third party and supplier security policy clause 5.3.5 to evidence subprocessor approval or consent.
If relying on the EU-US Data Privacy Framework for a provider, record scope, certification status, service coverage and fallback mechanism. Do not assume it covers every onward transfer.
3. Create the risk scenario
Add the risk to the ISMS risk register:
“EU personal data processed through analytics platform may be accessed from a third country by provider support or subprocessors, creating confidentiality, legal and regulatory compliance risk.”
Assign the owner, likelihood, impact, inherent rating, treatment plan and residual rating. Link it to GDPR Chapter V, customer commitments, ISO/IEC 27001:2022 cloud and supplier controls, NIS2 Article 21 where applicable, and DORA Articles 28, 29 and 30 for financial-sector contexts.
Clarysec’s Risk Management Policy sets the treatment discipline:
The Risk Officer shall ensure that treatments are realistic, time-bound, and mapped to ISO/IEC 27001 Annex A controls.
From section “Policy Implementation Requirements”, policy clause 6.4.2.
4. Select supplementary measures
For the analytics platform, measures may include EU hosting, minimised event payloads, pseudonymous identifiers, encryption in transit, encryption at rest, restricted support access, MFA for administrators, privileged access logging, DLP rules preventing sensitive fields in analytics events, subprocessor notice obligations and annual evidence review.
Map these measures to ISO/IEC 27002:2022 controls such as 5.14 Information transfer, 5.15 Access control, 5.20 Addressing information security within supplier agreements, 5.22 Monitoring, review and change management of supplier services, 5.23 Information security for use of cloud services, 5.31 Legal, statutory, regulatory and contractual requirements, 5.34 Privacy and protection of PII, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities and 8.24 Use of cryptography.
5. Define review triggers
A TIA is not complete until review triggers are defined. Triggers should include a new subprocessor, new country of access, new data category, change in support model, security incident, contract renewal, new critical customer requirement, new DORA classification or material change in cloud architecture.
This is where ISO/IEC 27002:2022 control 5.22 becomes operational. Review SOC reports, ISO certificates, penetration test summaries, service change notices, incident history and subprocessor updates. Track exceptions to closure.
6. Update the SoA and evidence index
In the Statement of Applicability, mark cloud, supplier, legal, privacy, cryptography, access, monitoring, incident and continuity controls as applicable. Add SoA notes such as “supports GDPR Chapter V TIA for analytics platform,” “supports DORA ICT third-party contract evidence” or “supports NIS2 supply chain security evidence.”
That final indexing step turns a privacy assessment into audit-ready compliance evidence.
Map the same evidence to GDPR, DORA, NIS2 and ISO 27001
A well-built TIA evidence pack should satisfy multiple audit lenses without creating duplicate documentation.
| Challenge area | GDPR requirement | DORA requirement | NIS2 requirement | ISO/IEC 27001:2022 evidence |
|---|---|---|---|---|
| International data transfer | Chapter V transfer mechanism and TIA | Articles 28 and 30 location and contractual evidence | Article 21 supply chain security | 5.23 cloud register, 5.14 information transfer, 5.31 legal obligations |
| Subprocessor management | Article 28(2) prior specific or general written authorization | Article 29 subcontracting and concentration risk | Article 21 supplier and service provider risk | 5.20 contractual flow-down, 5.21 ICT supply chain, 5.22 monitoring |
| Supplementary measures | Article 32 security of processing | Article 9 protection and prevention | Article 21 cryptography, access control and cyber hygiene | 8.24 use of cryptography, 5.15 access control, 8.16 monitoring activities |
| Accountability and governance | Article 5(2) demonstrate compliance | Articles 5 and 6 governance and ICT risk management framework | Article 20 management oversight | Clauses 5 and 6, risk register, treatment plan, SoA |
| Incident and resilience evidence | Articles 33 and 34 breach notification where applicable | Incident reporting, response, recovery and exit expectations | Article 23 significant incident reporting | Incident runbooks, notification clauses, recovery tests, exit plans |
DORA is especially important where the customer is a financial entity or the service supports a financial-sector ICT chain. DORA applies from 17 January 2025 and sets requirements for ICT risk management, incident reporting, resilience testing, information sharing and ICT third-party risk. Article 8 requires identification and classification of ICT assets, information assets and dependencies. Article 28 requires ICT third-party risk governance, registers of information, due diligence and exit strategies. Article 29 addresses ICT concentration and subcontracting risk. Article 30 requires written contracts with service descriptions, processing locations, data protection, access, recovery, return of data, incident assistance, cooperation with authorities, termination rights, audit rights and transition arrangements.
NIS2 adds management accountability. Article 20 requires management bodies to approve and oversee cybersecurity risk-management measures. Article 21 requires appropriate and proportionate technical, operational and organizational measures, including risk policies, incident handling, business continuity, supply chain security, secure acquisition and development, assessment of control effectiveness, cyber hygiene, cryptography, HR security, access control, asset management and MFA where appropriate.
The overlap is clear. A TIA that identifies subprocessors, transfer locations, supplementary measures, incident obligations and supplier monitoring is also evidence for supplier resilience.
How auditors will test your TIA
Different auditors ask different questions, but the evidence should be reusable.
| Auditor lens | Likely audit question | Strong evidence |
|---|---|---|
| GDPR privacy audit | Can you prove the transfer mechanism, subprocessor control and supplementary measures? | TIA, SCCs, DPA, subprocessor register, data location declaration, encryption and access evidence |
| ISO/IEC 27001:2022 audit | Is the transfer risk identified, treated, controlled and included in the SoA? | Risk register, treatment plan, SoA notes, cloud register, supplier review records |
| ISO/IEC 27701 privacy audit | Are processor obligations operational in cloud services processing personal data? | DPA clauses, data subject request support, deletion workflow, incident notification process |
| NIS2 readiness review | Are supplier and cloud risks managed with management-approved measures? | Supplier risk assessment, management review, cryptography policy, incident and continuity records |
| DORA ICT third-party review | Are ICT contracts, subcontracting, locations, monitoring and exit plans controlled? | ICT contract register, Article 30 clause mapping, subcontractor review, exit test |
| NIST CSF 2.0 assessment | Are legal, regulatory, contractual and supplier risks governed and improved? | Current and Target Profiles, gap plan, supplier criticality, risk response tracking |
| COBIT 2019 or ISACA-style audit | Is there clear governance ownership, process performance and control accountability? | RACI, policy ownership, KPIs, KRIs, issue management, board reporting |
Zenith Controls provides practical audit methodology for these areas. For cloud services, auditors look for a register of approved cloud services and evidence that unauthorized cloud usage is monitored. For supplier agreements, auditors perform contract sampling on high-risk suppliers and validate confidentiality, data protection, breach notification timelines, audit rights, subprocessor approval and data return or destruction. For supplier monitoring, auditors examine review records, KPI reports, supplier certifications, SOC reports, penetration test summaries, exceptions and remediation actions.
The audit lesson is straightforward: evidence must show operation over time. A TIA signed once and never revisited will not satisfy a serious cloud, supplier or resilience review.
Use NIST CSF 2.0 to explain TIA risk to leadership
Boards rarely want to debate SCC modules or cloud support locations in detail. They want to know whether risk is governed, prioritized and improving. NIST CSF 2.0 helps translate the TIA into executive language through GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER.
For a TIA, the GOVERN function is especially useful. It includes legal, regulatory and contractual requirements, risk appetite, roles, policies, oversight and supplier cybersecurity risk management. Build a Current Profile showing today’s state, such as a partial cloud register, SCC repository, limited subprocessor review and no defined TIA review cadence. Then define a Target Profile, such as a complete transfer inventory, risk-rated subprocessors, verified transfer mechanisms, customer-managed keys for high-risk data, quarterly critical supplier reviews, DORA-ready contract mapping and tested cloud exit plans.
The gap plan becomes a practical roadmap that management can fund and track.
The Clarysec cloud TIA checklist for 2026
Use this checklist to test whether your Transfer Impact Assessment is audit-ready:
- Maintain a cloud service register with owner, purpose, data categories, locations, access countries and subprocessors.
- Identify whether each service is a controller, processor, subprocessor or independent provider relationship.
- Attach DPA, SCCs or other transfer mechanism evidence to the supplier record.
- Record EU-US Data Privacy Framework reliance only where scope and onward transfers are verified.
- Maintain subprocessor disclosures and geographic transfer declarations.
- Require prior written consent or contractual notice for new subprocessors, based on risk.
- Map supplementary measures to specific technical controls, not generic statements.
- Prove encryption in transit, encryption at rest, key management ownership and privileged access logging.
- Minimise, pseudonymise or mask personal data before transfer where possible.
- Define review triggers for new countries, new subprocessors, new data categories, incidents and contract changes.
- Link each TIA risk to the risk register, treatment plan and SoA.
- Review supplier evidence periodically and track exceptions to closure.
- Include incident notification, audit rights, data return, deletion and exit obligations in contracts.
- For DORA-relevant services, map contracts to ICT third-party requirements, subcontracting, locations, concentration risk and exit strategy.
- Report high-risk transfer decisions to management as part of ISMS governance.
Turn transfer uncertainty into audit-ready evidence
InnovatePay won the bank deal because Maria stopped treating the TIA as a last-minute legal document. Her team built a Cloud Service Register, attached SCCs and DPAs, documented subprocessors, mapped supplementary measures to ISO/IEC 27001:2022 controls, updated the risk register, added SoA notes and created monitoring triggers. The result was not just a better questionnaire response. It was a repeatable supplier-risk process.
Your organization can do the same.
Start with the Zenith Blueprint: An Auditor’s 30-Step Roadmap to connect transfer risks to the risk register, treatment plan and Statement of Applicability. Use Zenith Controls: The Cross-Compliance Guide to map ISO/IEC 27002:2022 cloud, supplier agreement and supplier monitoring controls to GDPR, NIS2, DORA, NIST and audit expectations. Then operationalize the evidence through Clarysec policies such as Cloud Usage Policy, Third party and supplier security policy, Legal and Regulatory Compliance Policy, Risk Management Policy, and the SME versions where appropriate.
A cloud Transfer Impact Assessment should not be a sales emergency. In 2026, it is part of cloud governance, supplier assurance, privacy accountability and operational resilience. The organizations that earn trust will be the ones that can quickly prove where data goes, who touches it, what protects it and how the risk is governed over time.
Frequently Asked Questions
About the Author
Igor Petreski
Compliance Systems Architect, Clarysec LLC
Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).Core Credentials & Qualifications:• MSc in Cyber Security from Royal Holloway, University of London• PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer• Certified Information Systems Auditor (CISA) from ISACA• Certified Information Security Manager (CISM) from ISACA • Certified Ethical Hacker from EC-Council
