Interesting Readings

Writing Opportunities in GRC Domain

Amitkumar Bachuwar & Sumedh Nene


GRC stands for Governance, Risk and Compliance and documentation in this area is a big market for Technical Writers; and only getting bigger. Industries and organizations require writing professionals – with or without domain knowledge – to document their standards, policies and processes to demonstrate that they are compliant with different certifications and regulatory bodies. These certificates endorse that the prescribed industry best practices are implemented and are being met and followed, and they are assessed by qualified professionals (agencies / auditors) from time to time.

There are many certifications out there. These can include Cybersecurity Maturity Model Certification (CMMC), Quality Compliance (ISO 9001 family), Service Organization Control (SOC), NIST, FedRAMP just to name a few. Some are at a company level while others are at department level. For example, CMMC is at a company level and requires the organization to have its policies, and standard operating procedures (SOPs) documented according to its assessment guide. This is where technical writers come in. 

All policies, governance mechanisms, SOPs must be defined, maintained, and revised from time to time. Standard templates are used for authoring these and there may be guidelines that must be followed that are prescribed by the certifying body. An internal or external qualified auditor performs compliance reviews, which are known as Audits. These are not financial but compliance audits that check the adherence to the defined standards. All regulatory standards are usually updated every few years to keep up with the changing landscape. The organization must update its documentation to keep up with the changing standards and requirements.

An organization or department with ISO 9001:2015 (the current version) certification, demonstrates compliance in whichever field it is certified in, such as manufacturing related processes, people management, customer satisfaction, etc. There are many certifications within the ISO family that require documentation:

What are  some Regulatory Bodies that require Technical Writers
The following is just a small list of some of the most popular or trending certifications – there are many, many more across industries and geographies:

  • ISO 20000: IT Industry / Customer Service Organizations require this for Incident Management Processes
  • ISO 27000: Information Security certification
  • ISO 27701: A framework for data privacy that builds on ISO 27001. It guides organizations on policies and procedures that must be in place to comply with General Data Protection Regulation (GDPR) and other data protection/privacy regulations and laws
  • ASPICE: Automotive Manufacturers and Suppliers / Embedded Organizations
  • ISO 22301:2019: Business Continuity Management System
  • ISO 13485:2016: Quality Management System for Medical Devices
  • ISO 14001:2015: Environment Management System
  • ISO 45001:2018: Occupational Health and Safety Management System
  • CMMC: Cyber Security Certification that aims to protect Controlled Unclassified Data (CUI) and Federal Contract Information (FCI). The CMMC framework is already released and expected to begin appearing in contracts at the end of 2024 or early 2025. While CMMC is already in demand in the US, it is just a matter of time before it starts making its way to India.
  • NIST-800: This series comprises guidelines, recommendations, and technical specifications to address and support the security and privacy needs of U.S. Federal Government information and information systems. 
  • GDPR: The organization must take appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing, accidental loss, destruction, and damage. Simply put, it must avoid the risk of encountering data leaks or breaches.
  • EU MDR: The European Medical Device Regulation is a set of regulations that governs the production and distribution of medical devices in Europe.

Challenges for Organizations & Opportunities for Technical Writers

  • To have the documents (Policy / Procedures) defined and implemented. It is especially challenging to find writers with experience in Governance, Risk and Compliance (GRC).
  • Maintain documents in terms of revisions to standards or to even address any findings from the reviews (Audits). This is hard not only because teams that own the documentation are too busy to keep them updated, but also because standards, controls and certification requirements are evolving, often faster than they can be consumed.
  • Large organizations are very likely to need and implement several standards and  frameworks across many of their geographies and subsidiaries. This makes being compliant with all the standards an ongoing and never-ending activity – a must have for business but also an overhead. Some modifications or localization may also be needed for their various subsidiaries, requiring separate processes to be defined and maintained.

Endless opportunities for Technical Writers
Communication Professionals (CPs) can leverage this huge surge in compliance and policy documentation in various capacities:

  • Documentation: Help organizations define and maintain the documentation.
  • Freelancer or consultant : As an incorporated entity or sole proprietor, provide consulting services to several organizations in documenting and interpreting the defined controls or requirements.
  • Trainer / Coach: Standards and certification requirements need to be understood by subject matter experts that need to meet the compliance requirements. Become an industry-expert and continuously upskill for latest trends and changes in that industry. 

Some popular courses and certifications to consider to get intro Cybersecurity

  • CompTIA Security+
  • Certified CMMC Professional (CCP)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)

There are others you can explore to get expertise in the regulatory body that catches your interest. 

We hope this article provided you with some new avenues to consider. It is by no means an exhaustive description of the opportunities in the world of compliance, but it will give you enough to start exploring if this domain or a career in this field is for you. 

About Authors

About Amitkumar Bachuwar

Amitkumar Bachuwar is a Professional with Technical Writing, Lead Auditor for Quality and Information Security having industry experience across several domains. Presently, he holds the position of Senior Technical Manager at Persistent Systems.

Current Role: Senior Technical Manager
Company: Persistent Systems
City: Pune, India

Connect at LinkedIn

About Sumedh Nene

Sumedh Nene has 20+ years of international experience in Technical Communications. He has worked with Cisco Systems, HP, Philips, TIBCO, Nvidia Graphics, Deutsche Bank and Levis’ in Singapore, Australia, India, USA (Bay Area), and Canada (Toronto).

He has been teaching Technical Writing and mentoring writers for many years. He was the lead instructor at George Brown College in Toronto and Rotman School of Management, Toronto. He was also a visiting faculty for communication-related topics at SIMS, SSIBM, PIBM and Bits Pilani, Roorkee. Sumedh has conducted workshops at Avaya, Siemens, MCCIA, Eclipsys and many other IT MNCs.

Current Role: Technical Writer, Trainer, Editor, Documentation Specialist
Company: CrackerJack WordSmiths Inc.
City: Mississauga, Canada

Connect at LinkedIn

No Comments

Post A Comment