TITLE:
Convergence of Cybersecurity Governance, Risk Management and Compliance (GRC) for IT and OT Environments - Context of KSA
AUTHORS:
Muhammad Shoaib, Abdulaziz Alharbi
KEYWORDS:
IT-OT Convergence, I-GRC Framework, Cybersecurity Governance, ISO/IEC 27001, ISA/IEC 62443, NIST SP 800-82, Saudi Arabia, Vision 2030
JOURNAL NAME:
Journal of Computer and Communications, Vol.13 No.12, December 17, 2025
ABSTRACT: The growing convergence of Information Technology (IT) and Operational Technology (OT) has introduced complex cybersecurity, governance, and compliance challenges for organizations, particularly within the Kingdom of Saudi Arabia (KSA). This study addresses these challenges by proposing an Integrated IT-OT Governance, Risk, and Compliance (I-GRC) Framework that unifies cybersecurity management across both domains. Using a descriptive analytical approach, this research reviewed scholarly literature published between 2020 and 2025 from leading databases, including JSTOR, Taylor & Francis Online, Emerald Insight, ScienceDirect, IEEE Xplore, and SpringerLink. It also examined key international standards—ISO/IEC 27001, ISA/IEC 62443, and NIST SP 800-82—to identify common control objectives, risk models, and compliance practices relevant to IT-OT integration. The findings and synthesis of twelve recent peer-reviewed studies led to the development of the I-GRC Framework, built around four core determinants: Governance Integration, Risk Management Alignment, Compliance Harmonization, and Performance Measurement. These determinants collectively ensure consistent leadership, unified risk assessment, streamlined compliance across IT and OT domains, and continuous evaluation through measurable cybersecurity indicators. Aligned with the National Cybersecurity Authority (NCA) guidelines and Vision 2030 objectives, the proposed I-GRC Framework enhances Saudi Arabia’s national cybersecurity posture by promoting regulatory readiness, operational resilience, and data-driven governance. The study contributes a practical and measurable model for organizations seeking to bridge IT and OT systems, improve compliance maturity, and achieve sustainable cybersecurity integration within critical infrastructure sectors.