Last Updated on June 29, 2021
If yours is among the many businesses in the US defense industrial base (DIB) that have an ISO 9001 certified Quality Management System (QMS), get ready to apply your ISO 9001 skills to accelerate compliance with the DoD’s Cybersecurity Maturity Model Certification (CMMC) program.
The Virtual CISO Podcast recently shared the exceptional expertise of John Laffey, program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security). In this episode, John explains “clause by clause” how your ISO 9001 efforts pertain directly to CMMC.
“When I look at support from the management system point of view, I’m typically thinking about training competencies, determining what the required competencies are, and then ensuring that folks are meeting those,” describes John. “Obviously, with information security you’re also looking at ongoing training to build a culture of security awareness. I think there’s a lot of different approaches organizations can take, but it should really be something that’s continuous.”
“It’s not just you were hired and as part of your week-long whirlwind orientation meetings, they talked about locking your computer or using a strong password. It should be something that’s happening on a regular basis. And again, obviously there’s practices related to that in CMMC as well,” adds John.
Another key element of your ISO 9001 support clause that relates directly to CMMC is budgeting. Elevating your security requires financial commitment as well as training, not to mention potentially hiring new people with the right skills. Both ISO 9001 and CMMC require you to budget appropriately for hiring and training staff, and for acquiring and maintaining tools to support your controls.
“So don’t be surprised if your CMMC auditor asks about your budget,” advises show host John Verry, Pivot Point Security’s CISO and Managing Partner.
“[The auditor] can relate that back to leadership, too,” replies John Laffey. “Another way to demonstrate commitment from the top is that [management is] actually funding these projects.”
If your ISO 9001 certified company does business in the DoD supply chain, or with any of the US federal agencies now requiring CMMC compliance, be sure to catch this show with John Laffey.