May 24, 2021

Last Updated on January 12, 2024

By now most firms in the US defense industrial base (DIB) are aware of the new Cybersecurity Maturity Model Certification (CMMC) program and associated compliance requirements. If you do business with the US Department of Defense (DoD) or one of its subcontractors, you’ll soon need to pass a third-party CMMC audit at whatever cyber maturity level your contract specifies.

Especially for DIB SMBs that store, transmit and/or process Controlled Unclassified Information (CUI), CMMC compliance could be a tall order. But for those that have an ISO 9001 certification, there’s good news—your ISO 9001 investment and experience can give you a big leg up on CMMC compliance!

To explain exactly how ISO 9001 know-how can streamline CMMC efforts, a recent episode of The Virtual CISO Podcast features John Laffey, a program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security). Hosting the episode is John Verry, Pivot Point Security’s CISO and Managing Partner.

So what does ISO 9001 have to do with CMMC?

Here’s the logic: ISO 9001 defines a management system. It requires you to create processes that are repeatable, measurable, and drive continuous improvement. The ISO 27001 information security standard likewise defines a management system. ISO even normalized the ISO 9001 and ISO 27001 management systems back in 2015, so they are structured similarly and share the same seven major clauses (context, leadership, planning, support, operation, performance evaluation, and improvement) that you’re familiar with from ISO 9001.

In fact, John Verry notes that some of the most exemplary ISO 27001 information security management systems he’s come across as an auditor were overseen by ISO 9001 experts—not security experts.

What’s Next?

So, if your ISO 9001 activities could help you with ISO 27001, they can help you with CMMC, because CMMC and ISO 27001 are broadly comparable and overlap in many ways, even at the control level.

In short, what it takes to run a management system, like defining scopes, developing policies, measuring performance, etc., translates very well from ISO 9001 to CMMC.

Want to get more details on how all this looks and works? To hear the show with John Laffey and John Verry in its entirety, click here.

If you don’t use Apple Podcasts, you’ll find this and all our other podcast episodes here.