Kareem M.

·

GRC Education: Choosing Between NIST AI RMF and ISO 42001 for AI Risk Management

📋 GRC Education: NIST AI RMF vs. ISO 42001 — which should you pursue first? Both address AI risk management but are designed differently: 🇺🇸 NIST AI RMF • US government-backed, voluntary • Flexible guidance across 4 functions: Govern, Map, Measure, Manage • No external audit or certification — you implement and self-attest • Best for: US organizations wanting an AI risk management methodology 🌍 ISO 42001:2023 • International standard, voluntary • Requires building a formal AI Management System (AIMS) • External certification available via accredited auditor • Best for: organizations wanting a globally recognized, certifiable AI governance credential Key insight: in Vanta, these two frameworks share very high overlap. Pursuing both may add significantly less incremental work than expected — worth checking the Framework Overlap feature before deciding. Which are you exploring and why? 👇

0Comments

3

Commented on How Are You Advancing Your GRC Education and Certi...·Posted inGRC

Kareem M.

·

Ohh interesting. I think certs are very handy at different points in your career. I've gotten the CISA, CISM, CISSP, and AIGP but only hold the CISSP and AIGP now. I think certs are a good anchoring point for a body of knowledge that you're interested in. For example if you want to know security but it doesn't need to be your day job, the Comptia Security+ could be very useful. However if you want to have certs tied toward being able to perform specific skills I'd say work backwards from what you want to be doing. If you want to work as an auditor, a CISA is a must. The CISSP not as much. If you want to work in Security Management then the CISSP is a big help in understanding the different domains of security and how they relate. TLDR: Certs can be helpful to learn concepts or anchor skills. It depends on what you want to do with it.

Commented on Clarifying MFA Requirements and Paid Option Implic...·Posted inGRC

Kareem M.

·

I second Jason's reading of this. If there's a breach regulators will want to make sure all necessary controls were implemented to prevent a breach. This can also have cyber insurance implications as well. To put it another way, this is like expecting your bank to invest in the latest and greatest in Vault technology even if its expensive.

Posted in GRC·

Kareem M.

·

Importance of Quarterly Access Reviews for SOC 2 Type II Compliance and Common Audit Pitfalls

📋 GRC education: If you're pursuing SOC 2 Type II, access reviews are a required periodic control — and most auditors expect them quarterly. Here's what auditors look for: ✅ Evidence that you reviewed who has access to each in-scope system ✅ Documentation of your review decisions (approve, revoke, escalate) ✅ Timely revocation of access for anyone flagged during the review ✅ Consistent cadence — not just a one-time review right before the audit Common gaps we see: ❌ Reviews run once a year instead of quarterly ❌ No documentation of decisions — just informal Slack threads ❌ Terminated employees missed because they had direct app logins outside SSO The good news: when access reviews are run in Vanta, the evidence is captured automatically — no manual screenshots required. How frequently is your team running access reviews? 👇

·

SOC 2 Type II Access Reviews: Auditor Expectations and Common Compliance Gaps Explained

📋 GRC education: If you're pursuing SOC 2 Type II, access reviews are a required periodic control — and most auditors expect them quarterly. Here's what auditors look for: ✅ Evidence that you reviewed who has access to each in-scope system ✅ Documentation of your review decisions (approve, revoke, escalate) ✅ Timely revocation of access for anyone flagged during the review ✅ Consistent cadence — not just a one-time review right before the audit Common gaps we see: ❌ Reviews run once a year instead of quarterly ❌ No documentation of decisions — just informal Slack threads ❌ Terminated employees missed because they had direct app logins outside SSO The good news: when access reviews are run in Vanta, the evidence is captured automatically — no manual screenshots required. How frequently is your team running access reviews? 👇

1Comment

13

Kareem M.

Kareem M.

GRC Education: Choosing Between NIST AI RMF and ISO 42001 for AI Risk Management

Importance of Quarterly Access Reviews for SOC 2 Type II Compliance and Common Audit Pitfalls

SOC 2 Type II Access Reviews: Auditor Expectations and Common Compliance Gaps Explained

Awards & Badges

About