Last Updated on July 30, 2020
If your company participates in US Department of Defense (DoD) contracts, you probably already know about the new Cybersecurity Maturity Model Certification (CMMC) audit program, which will progressively roll out through 2025. CMMC certification “raises the bar” over the current NIST 800-171 self-attestation scenario, and promises significant compliance impacts for many firms.
As information security consultants who are fans of the ISO 27001 standard, we wondered…
Can ISO 27001 play a role in CMMC Certification?
If you’re pursuing ISO 27001 certification (or considering it), how close will that get you to CMMC certification? What’s most vital for you to focus on to efficiently architect your ISO 27001 information security management system (ISMS) to also cover CMMC?
To get the deepest and sharpest insight possible on this topic (even as we await some specifics from the CMMC Accreditation Body), we interviewed Thomas Price, one of our industry’s most accomplished auditors, on a recent episode of The Virtual CISO Podcast. Thomas is a Client Manager/IT and Information Security Auditor/Quality Management Professional at global audit and compliance leader BSI.
Like episode host John Verry, Pivot Point Security’s CISO and Managing Partner, Thomas is a certified ISO 27001 Lead Auditor. But John’s view centers on helping clients build their ISMS, while Thomas is all about assessing the result. The contrasting perspectives of these two experts add unique value to this not-to-be-missed conversation.
Thomas begins by framing the basics: “ISO 27001 helps you to build a great foundation for implementing an information security management system. It helps you build a program where you can identify your information and put in safeguards to protect those information assets. CMMC is designed specifically for safeguarding controlled unclassified information—CUI—that resides either in your systems or in the federal systems that you may work with.”
“With ISO 27001, you select controls based on risk,” Thomas continues. “While in the CMMC model, the practices you have to implement are based on the level of CMMC that you need to achieve, which is specified in your contract.”
In other words, ISO 27001 lets you decide what controls are applicable to your ISMS based on risk assessment for your specific environment. With the CMMC model, there is no choice. The practices you must implement are defined by the CMMC level (Level 1 through Level 5) specified in your contract.
John then asks “the” question:
“Because ISO can be used in any use case, does that mean we can use ISO from a CMMC perspective? If you’re getting ISO 27001 certified, or you’re considering it, and you know that CMMC [certification] is something you need to achieve… And as you’re constructing your ISMS you are considering the CMMC requirements as part of your ISMS scope… I would think that the resultant ISMS should essentially be ready for CMMC certification assuming we do it right. Thoughts? Gotchas? Anything you would look at differently as an auditor?”
Thomas does have some “gotchas” up his sleeve: “The ISO 27001 certification can provide a foundation for implementing key components and practices of CMMC. Many of the domains that are in the CMMC model are also within the controls of ISO 27001. The only exceptions are there are two areas [in CMMC] which are not covered. [These are Situational Awareness and Maintenance.] But the thing is this: the ISO 27001 controls are less prescriptive, and they do not delve into some of the technical aspects of securing data that the CMMC practices do.”
The bottom line, says Thomas, is that even if you architect your ISO 27001 ISMS with CMMC in mind, “You may need more resources and additional technology and tools to satisfy the CMMC requirements.”
John then asserts, “If we architect an ISMS with CMMC fully considered (fully in scope), we should end up in a place where we can be both ISO 27001 certified and CMMC certified.”
“That is correct,” states Thomas. So while an organization can certainly pursue these two independently verified cybersecurity attestations in parallel, achieving CMMC certification based on ISO 27001 requires careful planning and is not a slam-dunk. That said, there is significant overlap between CMMC and ISO 27001, making a parallel certification effort potentially cost- and time-effective for many companies.
If your business will need to pursue CMMC compliance and/or is currently required to attest to NIST 800-171 compliance, you’ll gain a wealth of strategic insight from John and Thomas’ discussion.