Last Updated on June 29, 2021
Quite a few SMB manufacturers in the US defense supply chain maintain an ISO 9001 certified Quality Management System (QMS). This differentiating level of process maturity has multiple competitive benefits—including moving you closer to compliance with the US Department of Defense (DoD)’s new Cybersecurity Maturity Model Certification (CMMC) standard.
So, what are these CMMC compliance benefits from ISO 9001? And how exactly can you reap them?
In a recent episode of The Virtual CISO Podcast, John Laffey, program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security), provides a “clause by clause” overview of how your ISO 9001 QMS aligns with CMMC requirements and processes. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.
“Improvement is very important to a management system auditor,” John Laffey states. “This is ideally where all the information that’s being gathered, all these objectives we’re defining, all the metrics that support them… at some regular interval, the key folks in the organization are meeting and looking at all this information and saying, ‘Where are we? How are we doing? Are we getting the expected outcomes? Are we driving improvement? What can we do to improve our system?’”
“There should be a lot of decisions made or follow-up items that come out of these meetings, and this should really be a huge mechanism for change and driving improvement within the organization,” John Laffey emphasizes.
How can you measure security improvement?
Some suggestions include:
- Number of security incidents over a given interval
- A report showing how many potential attacks were blocked
- How many staff clicked a phishing link before versus after security awareness training
- Percentage of coverage by your SIEM solution
- Mean time to close vulnerabilities identified in penetration tests or third-party reports
As John Verry points out, security metrics are valuable not just for passing your CMMC audit, but also for reducing your cybersecurity risk.
But continuously improving a management system is harder in many ways than certifying it in the first place. As John Verry notes: “People struggle with operationalizing ISO [27001 or 9001]. Context change isn’t reflected in risk assessment, security objectives aren’t being constantly updated…”
“For some of the clients I audit, it can be difficult to put these kinds of more quantifiable metrics in place for information security,” John Laffey echoes. “A lot of times the objectives are kind of nebulous and super high-level, and it’s hard to actually create these measurables that are going to be tangible and still drive improvement.”
“With a lot of my clients, initially there’s a big push—it’s a huge undertaking and they do a great job with it,” adds John Laffey. “Unfortunately, it then sits on the shelf a little bit because it hasn’t been operationalized. It hasn’t been injected into people who don’t directly work with information security or IT; maybe they’re a programmer or in marketing or sales. … Until [security] becomes embedded in the company culture that can be challenging.”
If you’d like to help your company streamline CMMC compliance effort by tapping your ISO 9001 expertise, this interview with John Laffey is a great way to jumpstart that process.