Last Updated on May 9, 2025
Many companies in the US defense industrial base (DIB) are ISO 27001 certified. Having achieved the international “gold standard” for cybersecurity attestation, these firms should be poised to show that they can protect controlled unclassified information (CUI) and breeze through a Cybersecurity Maturity Model Certification (CMMC) Level 2 audit… right?
If your business is already ISO 27001 certified, what else must you do to attain a CMMC 2.0 Level 2 certification? This post identifies the five critical steps an ISO 27001 certified business must take to bring its ISMS into compliance with CMMC Level 2.
Key takeaways
- ISO 27001 and CMMC 2.0 are both comprehensive cybersecurity standards, but their objectives differ. CMMC focuses on protecting CUI and federal contract information (FCI) on non-government systems, while ISO 27001 defines best practices for establishing and maintaining an information security management system (ISMS) that can protect any kind of sensitive data. CMMC is thus more prescriptive than ISO 27001 in terms of the controls an organization must implement to achieve certification.
- Both an ISO 27001 certification and a CMMC Level 2 certification assessment require third-party audits (Level 2 also has a self-assessment track for some contracts). The difference is that ISO 27001 is voluntary, whereas CMMC Level 2 will be a contractual requirement for defense suppliers that handle CUI.
- To meet CMMC Level 2 requirements, you will need to identify all the CUI and FCI that your business handles and the systems, processes, and people that touch it.
- ISO 27001 controls provide a solid foundation for CMMC certification. But most businesses will need to add controls to meet CMMC Level 2's CUI-specific requirements, especially in areas like FIPS-validated encryption of CUI in transit (email included) and CUI-specific security awareness training, which must cover recognizing and reporting insider threat indicators.
Step 1: Identify your CUI
A key initial step in meeting CMMC Level 2 guidelines is to identify all the FCI and CUI you store, transmit, process, and/or generate, where it resides, and what systems, processes, and people interact with it. In line with this process, it’s essential to review your DoD contract and fully understand what it mandates you to protect and at what level.
Once you know what CUI you have and how it flows through your organization, you can begin taking steps to segregate it from your other data where possible. The goal is to create the smallest possible environment that will be “in scope” for CMMC Level 2.
Step 2: Update your ISMS scope to encompass your CUI
Before you can begin updating your ISO 27001 controls and practices to align with CMMC requirements, you need to update your ISMS scope to cover CUI. Then you can start creating a roadmap for extending your ISMS to comply with CMMC Level 2.
Step 3: Assess and close the gap with CMMC controls
Once you know where CUI resides and what associated assets you need to protect, you can “gap assess” your current controls implementation against the more prescriptive CMMC requirements.
As an adjunct to the gap assessment, many ISO 27001 certified businesses also elect to conduct an ISMS internal audit to validate that all controls operate as intended. Conducting a risk assessment that includes CUI and the in-scope CMMC environment is also valuable preparation for an external assessment.
As part of your gap assessment, document missing or incomplete practices in a Plan of Action & Milestones (POA&M) with owners and target dates, then work the items to closure. Note that CMMC limits how much can be deferred: a Level 2 assessment can only be passed conditionally if you reach at least 80% of the assessment score, only lower-weighted practices may remain open, and POA&M items must be closed within 180 days for the conditional result to become final.
Step 4: Update your key ISO 27001 documents
Along with remediating your control gaps, you'll also need to update the associated ISMS documentation to align with CMMC Level 2. Note that the system security plan is a NIST SP 800-171 requirement, not an ISO 27001 one, so an ISO-only organization will usually be creating it rather than updating it. Key documents to update or create include:
- Your system security plan (SSP)
- Your ISMS scope statement
- Your risk assessment
- Your statement of applicability
Step 5: Provide evidence of CMMC compliance
One of the most important things from a CMMC auditor’s perspective is objective evidence that demonstrates compliance. Many of the CMMC practices have a technical focus, but they also have an administrative/operational aspect.
For example, you will need policies that cover each of the CMMC Level 2 domains, along with plans that specify how you will implement, monitor, and maintain each of the CMMC practices.
For more guidance on extending an ISO 27001 ISMS to include CMMC Level 2, check out this episode of The Virtual CISO Podcast with guest Thomas Price, Information Security Auditor/Quality Management Professional at BSI.
How do ISO 27001 and CMMC Level 2 controls compare?
CMMC 2.0 does not map directly to ISO 27001. However, Appendix D in NIST SP 800-171 Rev. 2, the standard CMMC 2.0 Level 2 is based on, maps each NIST requirement to the relevant ISO/IEC 27001:2013 Annex A controls. If your ISMS is certified against ISO/IEC 27001:2022, you will need to carry that mapping across the renumbered 2022 Annex A.
Some of the many areas where NIST 800-171 and ISO 27001 controls align include:
- Access controls
- User authentication
- Incident management
- Configuration and change management
- Risk management and risk-based practices
However, NIST 800-171 mandates controls for protecting CUI that ISO 27001 does not specifically address. These include the use of FIPS-validated cryptography to protect CUI, CUI marking, and media protection requirements such as sanitizing or destroying media containing CUI before disposal or reuse.
Can you build CMMC Level 2 compliance into your ISO 27001 ISMS?
A key reason why ISO 27001 is considered one of the premier cybersecurity certifications worldwide is its flexibility and applicability to any use case. Building CMMC Level 2 compliance into your ISO 27001 ISMS requires careful planning but is achievable, practical, and cost-efficient.
Why maintain two cybersecurity programs when you can incorporate CMMC Level 2 requirements into your existing ISMS? Working with a trusted partner that has deep experience with both ISO 27001 and CMMC can streamline your approach to this objective.
What about CMMC reciprocity with ISO 27001?
There is currently no direct reciprocity between ISO 27001 and CMMC 2.0. From the DoD’s perspective, an ISO 27001 certification is an outstanding foundation for CMMC compliance and potentially a competitive advantage in the eyes of the government and its prime contractors. But it does not automatically confer a CMMC Level 2 certification.
Nor does ISO 27001 automatically equate to compliance with CMMC Level 1. A self-attestation of compliance along with an executive affirmation in the DoD’s Supplier Performance Risk System (SPRS) is still required.
What if you don’t think you handle CUI?
If your company doesn't handle CUI, then your contract should not contain DFARS 252.204-7012, the NIST SP 800-171 DoD Assessment clauses 252.204-7019 and 7020, or (once CMMC is in effect) the CMMC clause 252.204-7021. In that case, you may not be required to comply with NIST SP 800-171 or CMMC Level 2.
If you are not sure whether you handle CUI, or you think your contract should not contain CUI protection requirements, contact your contracting officer or government program manager. There is also an official dispute process for dealing with improper CUI marking or inappropriate contract requirements.
What’s next?
If your business needs to comply with CMMC and you are ISO 27001 certified or pursuing ISO 27001 certification, optimally leveraging your ISMS investments can save you considerable time and money and simplify your cybersecurity program governance.
To connect with an expert on how ISO 27001 can support your CMMC journey, contact CBIZ Pivot Point Security.