May 26, 2021

Last Updated on January 12, 2024

If your company does business with the US Department of Defense (DoD) and has an ISO 9001 certified Quality Management System (QMS), you’re in luck! Your ISO 9001 QMS can be a huge help as you move toward compliance with the DoD’s new Cybersecurity Maturity Model Certification (CMMC) framework.

On a recent episode of The Virtual CISO Podcast, special guest John Laffey, program manager with Perry Johnson Registrars and a certified Lead Auditor for both ISO 9001 and ISO 27001 (information security), shares “clause by clause” exactly how your ISO 9001 QMS can help drive CMMC certification.

“With leadership, the main thing we’re looking for is that at the top level there’s buy-in, whether it be with ISO 9001 or with the CMMC model,” states John. “Because in practice what I see as an auditor when I go to audit an organization and it’s clear that they’ve hired a quality manager and it’s one person and it’s their responsibility to completely implement and maintain the QMS… it’s a little bit tougher.”

“You need at least at the top level a message to the organization at large of what we’re doing, why it’s important, how it’s going to help us, what the expectations are—really driving the entire process and continuing to champion it; making sure resources are available,” John continues. “There’s a good chance certain things might need to be purchased or individuals may need to be hired, and management needs to be on board with all of it.”

“They should also have eyes on it because it’s a great mechanism to understand how your organization is performing,” notes John. “A lot of what happens with the QMS is you review different process indicators and how things are performing, and you use it to drive change. So I think it’s absolutely critical that top leadership is involved.”

“Without what we call ‘tone at the top,’ you have nothing, right?” agrees show host John Verry, Pivot Point Security’s CISO and Managing Partner. “If you’re a quality manager or you’re an information security director, if the boss is saying, ‘Hey, I’m not going to use strong passwords’ or ‘I’m not going to let my system be monitored,’ that attitude flows down to everybody.”

What’s Next?

If your business is ISO 9001 certified and participates in contracts with the DoD, General Services Administration (GSA), Department of Homeland Security (DHS) or any of the growing number of US federal agencies now mandating CMMC compliance, this podcast with John Laffey is ideal for you.

To hear the episode all the way through, click here. If you don’t use Apple Podcasts, you can access this and all our other podcast episodes here.