badrnkarim/README.md

Badr Karim

Cybersecurity GRC Intern | Security Assurance | Risk-Based Controls | Privacy-Driven TPRM

Risk-first GRC. I translate business impact into risk-based controls and evidence-backed vendor decisions, strengthening third-party risk (TPRM) and US privacy-focused vendor governance.


Featured Work

1) TPRM — US Privacy + Cloud Data Protection (Audit-Ready Program Portfolio)

Repo: https://github.com/badrnkarim/TPRM-US-Privacy-Cloud

A complete Third-Party Risk Management (TPRM) program pack focused on US privacy obligations and cloud vendor data protection, built with evidence discipline and decision-maker artifacts.

What it demonstrates:

  • Privacy-heavy vendor governance: purpose limitation, minimization, retention/deletion, DSAR readiness
  • Subprocessor governance and change review workflow
  • Residual risk scoring tied to control maturity + evidence confidence
  • Audit-ready evidence system (EV-INDEX + evidence artifacts) and remediation tracking
  • Business decision layer: Executive Decision Brief, Approval Authority Matrix, Risk Committee brief

2) SDG GRC Portfolio — Multi-Framework Assurance (Primary GRC Portfolio)

Repo: https://github.com/badrnkarim/grc-portfolio-sdg

A multi-framework assurance portfolio organized around risk-based controls and mapped across:
COBIT • NIST CSF 2.0 • ISO 27000 family • ISO 31000 • SOC 2 • ISO 37301

What it demonstrates:

  • Risk → control alignment (impact-driven, not checklist-driven)
  • Cross-framework mapping that reduces redundancy and improves coverage
  • Assurance-style structure built for audit review and decision support
  • Evidence mindset: controls are written to be testable, reviewable, and traceable

3) Secure Database Gateway (SDG) Showcase — Elite Security Architecture

Repo: https://github.com/badrnkarim/sdg-secure-db-gateway-showcase

A complete, US-grade showcase repository demonstrating the Secure Database Gateway (SDG), functioning as a real-world security enforcement point.

What it demonstrates:

  • Technical evidence of RBAC, Template-only SQL execution, and SSRF-safe validations
  • Auditability proofs including log history, integrity snapshot verification, and tampering mismatch detection
  • Professional security baseline (threat modeling, control matrix, and complete architectural documentation)
  • Perfect mapping of conceptual security controls to operational UI evidence

4) ISO/IEC 27001 ISMS Portfolio — Audit-Grade Documentation Pack

Repo: https://github.com/badrnkarim/ISO27001-ISMS-GRC-Portfolio

An ISMS documentation portfolio structured for audit readiness and assurance review.

What it demonstrates:

  • ISMS governance artifacts and disciplined documentation structure
  • Risk handling logic and traceability (risk → controls → evidence)
  • Evidence indexing mindset (proof-first organization)
  • Internal audit / CAPA mindset (findings → remediation → verification)

What I Do (Intern Scope, Strong Output)

I work like an assurance analyst: clear logic, clean traceability, and evidence-ready outputs.

  • Risk assessment support: document threats, likelihood, and business impact to prioritize risk
  • Risk-based controls: support selecting controls based on impact and control value
  • Vendor risk (TPRM): support privacy/security requirements (retention/deletion, DSAR readiness, subprocessors) with enforceable evidence
  • Framework mapping: align one control set across frameworks to maximize coverage
  • Assurance documentation: structure tests + evidence so decisions survive review

Core Strengths

  • Evidence-based GRC – building portfolios that link controls to risks, policies, procedures and audit evidence.
  • Cross-framework integration – mapping requirements from COBIT, NIST CSF 2.0, ISO 27000 family, ISO 31000, SOC 2 and ISO 37301 to minimize redundancy and maximize coverage.
  • Audit preparedness & CAPA management – documenting control tests, managing corrective & preventive actions, and producing audit-ready evidence.
  • Risk communication – translating technical risks into business language to support leadership decision-making.

Coverage Focus (Compact)

  • Vendor risk & privacy operations: purpose limitation, minimization, retention/deletion, DSAR readiness, subprocessors (TPRM)
  • Governance & control objectives: COBIT
  • Security outcomes: NIST CSF 2.0
  • ISMS & controls: ISO 27001/27002 (+ ISO 27005 risk approach)
  • Enterprise risk: ISO 31000
  • Assurance reporting: SOC 2
  • Compliance systems: ISO 37301

How I Work (Assurance Flow)

Risk → Control → Test → Evidence → Findings → CAPA → Verification

I keep each step traceable so a reviewer can answer:

  • Why is this control needed?
  • How is it validated?
  • What evidence proves it works?

Connect

LinkedIn: https://www.linkedin.com/in/badrkarim/

Pinned repositories

  1. ISO27001-ISMS-GRC-Portfolio (Public, Python): ISO 27001 ISMS / GRC SaaS portfolio with NIST CSF + SOC 2 mapping: risks, SoA, audits, CAPA, management review, evidence index.
  2. grc-portfolio-sdg (Public, Shell): Evidence-backed GRC & assurance portfolio for SDG (COBIT, NIST CSF 2.0, ISO 27001/27002/27005, ISO 31000, SOC 2, ISO 37301).
  3. TPRM-US-Privacy-Cloud (Public): TPRM portfolio focused on US privacy & cloud vendor risk: minimization, retention/deletion, DSAR readiness, subprocessors, evidence-backed decisions.