August 12, 2020

Last Updated on June 20, 2024

A number of companies in the US Defense Industrial Base (DIB) are currently ISO 27001 certified. Having achieved the international “gold standard” for cybersecurity attestation, these firms should be poised to pass a Cybersecurity Maturity Model Certification (CMMC) audit… right?
If you’re already ISO 27001 certified, what else will you need to do to pass a CMMC audit?
To get some bankable guidance from an uber expert auditor, we invited Thomas Price to be our guest on a recent episode of The Virtual CISO Podcast. Thomas is a Client Manager/IT and Information Security Auditor/Quality Management Professional with international audit and compliance leader BSI.
Both Thomas and episode host John Verry, Pivot Point Security’s CISO and Managing Partner, are certified ISO 27001 Lead Auditors. The complementary “implementer versus auditor” perspectives of these two thought leaders really makes their conversation special.
John asks: “We’ve got clients that are already ISO 27001 certified. But at the time we constructed that, NIST 800-171 or CMMC were not a requirement. … So if you only needed to be CMMC Level 1 or Level 2 certified, you’d probably be in pretty good shape. If you need to get up to Level 3, 4 or 5 you probably have a fair amount of work to do. Your thoughts as an auditor?”

Step 1: Provide evidence of CMMC compliance

“The most important thing from an auditor’s perspective is you need objective evidence … that demonstrates compliance,” replies Thomas. “One of the biggest challenges of doing CMMC is that because many of the practices have a technical focus, people may have the tendency to ignore the administrative side. That is, not having policies for each of the domains, not having plans that specify what is your approach and the resources that you’re going to use and apply to ensure that you implement, monitor and maintain each of those practices.”

Step 2: Update your key ISO 27001 documents

From there, John looks to quantify “next steps”:  “From my perspective, the first thing we’d have to do is update your ISMS scope statement to reflect the CUI [controlled unclassified information] explicitly. And update any of the particular interested parties, including CMMC-AB [the CMMC Accreditation Body] and contractors and people of that nature, on any of the specific systems that are different or that weren’t part of the critical interfaces and boundaries. I would want to update the risk assessment to make sure we’re looking at that. And that risk assessment would probably drive potentially some changes to the Statement of Applicability.”

Step 3: Assess and Close the Gap with CMMC Controls

John continues: “I’d probably want to gap-assess the implementation of our controls versus the more prescriptive requirements of CMMC. And then assuming that all went swimmingly, I’d probably want to validate that it all worked the way that I thought by doing my ISMS internal audit. If I had done that, and you came in to audit me… thoughts?”
“I would say that yes, if you updated your ISMS and your documentation and you did the risk assessment, that you are on a good footing,” Thomas acknowledges.

Step 4: Identify your CUI

But you’re not done yet!
“You need to identify what CUI you have, and where it resides in your environment or under your control,” Thomas points out. “You need to review your contract and work with your contracting officer to identify and understand the CUI requirements and also the CMMC requirements for your organization and the contracts that you have. You need to have a good handle on that before you get too far into the documentation…”

Step 5: Update your ISMS scope

And then there’s updating your controls.
“You need to scope the CUI and how the CMMC affects your organization, your systems and then put together a plan of attack on how you’re going to update your ISMS and your current controls and practices to meet the CMMC level that is specified in your contract,” adds Thomas.
If your business will need to comply with CMMC and you are ISO 27001 certified, pursuing ISO 27001 or contemplating doing so, this podcast episode with Thomas Price and John Verry offers some of the best guidance you’ll find anywhere.
To hear the complete podcast episode, and get access to the many other episodes in The Virtual CISO Podcast series, click here.
If you don’t use Apple Podcasts, you can access all our episodes here.