May 31, 2021

Last Updated on January 12, 2024

If yours is one of the many organizations in the US defense industrial base (DIB) that maintains an ISO 9001 certified Quality Management System (QMS) certification, did you know that your ISO 9001 program can help streamline compliance with the DoD’s Cybersecurity Maturity Model Certification (CMMC) standard?

On a recent episode of The Virtual CISO Podcast, we got a “clause by clause” explanation of how ISO 9001 relates to CMMC from John Laffey, program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security). Hosting the show as always is John Verry, Pivot Point Security’s CISO and Managing Partner.

“[Operation] is where typically the rubber hits the road,” observes John Laffey. “This is where you’re going to have those various processes defined that actually drive you to do what you do, whether it’s delivering services or producing manufactured goods. And this clause is where you’re going to go through the process of making sure those processes are being done in a repeatable manner to reduce any issues with quality or information security, depending on which standard you’re looking at.”

“In CMMC, this is obviously going to be where we’re looking to verify that those practices that you’ve said you’ve implemented in a given way are actually being carried out that way,” continues John Laffey. “During your assessment, a lot of time is going to be taken up verifying that you’re doing what you say you do. That’s kind of Auditing 101: Say what you do and do what you say.”

“In ISO 27001, we have a tendency to audit the management system and sample the controls,” notes John Verry, who is an ISO 27001 certified Lead Auditor. “The logic is that if the management system is operating the way it should, the controls and everything downstream flow naturally from that.”

“CMMC is going to be a bit different,” John Verry emphasizes. “CMMC is going to be much more onerous. [The CMMC auditors] need you to demonstrate a habitual and persistent execution of each control. So they’ll be looking for two forms of objective evidence for each.”

“So, is ISO 9001 [auditing] more like CMMC, where we’re sampling the actual quality practices at a higher rate? Or is it more like ISO 27001, where you’re auditing the management system and just lightly sampling the actual execution of the controls?” asks John Verry.

“With ISO 9001 specifically, you’re going to be spending a lot of time sampling what they’re actually doing on the production floor or in their service delivery processes,” John Laffey replies. “Yes, it’s very important that the management system clauses are in place and verified. But, at the end of the day, the biggest effect on quality is going to be what those folks are doing right in terms of operations. That’s where we want to spend the majority of our time as ISO 9001 auditors—really getting a good understanding of whether the folks involved in a process are following it, if they understand it, and if they’re getting the expected outcomes.”

“So that means that ISO 9001 firms are probably going to be a little bit better prepared for their CMMC audit,” shares John Verry.

What’s Next?

If your DIB organization is ISO 9001 certified and you want to make the most of those efforts for CMMC, you’ll love this podcast episode featuring John Laffey.

To listen to the complete show, click here. If you don’t use Apple Podcasts, you’ll find all our podcast content here.