June 1, 2021

Last Updated on January 12, 2024

A number of SMB manufacturers and other organizations in the US defense industrial base (DIB) maintain an ISO 9001 certified Quality Management System (QMS). This high standard of process maturity has direct benefits toward achieving compliance with the US Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC).

But what exactly are these benefits, and how can you tap into them?

On a recent episode of The Virtual CISO Podcast, John Laffey, program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security), offers a “clause by clause” rundown of how an ISO 9001 QMS overlaps with CMMC.

“I love performance evaluation because as long as the client’s doing it, it makes our job as auditors real easy,” shares John Laffey. “We just come in and say, ‘Okay, you did a great internal audit and you are driving improvement.’ But yeah, as an ISO 9000 and ISO 27001 auditor, this is a critical clause. Basically, it’s what should be driving the system in lieu of a third-party certification body.”

“You should be internally auditing your own system just like a third-party certification body would,” John Laffey highlights. “Sampling people in operation, looking at the management system clauses in terms of CMMC or ISO 27001, looking at controls and practices, sampling, making sure permissions are assigned as they should be and encryption is in place where it should be, whatever the case may be. It’s the day-to-day, month-to-month, year-to-year maintenance of ensuring that things are staying on the rails and that nothing’s slipping.”

But as host John Verry, Pivot Point Security CISO and Managing Partner, notes, CMMC doesn’t specifically require an internal audit, unlike ISO 9001 and ISO 27001.

“Maybe they’re comfortable with just having the third-party assessors take care of that,” John Laffey speculates. “But I think it’s a good idea for any organization to have some type of internal auditor checking or regular maintenance where you’re looking at these various things. Because everybody knows you get busy, pandemics happen, crazy things happen. And the stuff that you’re doing with management systems or complying with various frameworks might not always be top-of-mind. So it’s a great idea to have something in place on some regular basis to just at least do a once-over and make sure things haven’t gone off the rails.”

“I think most organizations that we’re talking to want to do [internal audits] anyway because the fear of not passing their CMMC audit and that costing them the ability to bid on contracts is not a risk they’re willing to take,” John Verry adds. “And the other side is that if you did a good enough job with security metrics, and if you did a good enough job with operationalizing the information security management system (ISMS) so that you can easily validate the objective evidence [that the CMMC auditor needs], independent of an outside internal audit, I think you’ll probably be okay.”

“Yes, absolutely,” concurs John Laffey. “And with more mature systems, like you mentioned, hopefully the day-to-day work that folks do results in that objective evidence being available to review, because it’s just the way they go about their processes. It’s not something special they need to do to show an auditor. It’s just, ‘Yeah, here’s what I worked on yesterday. Take a look.’”

“The devil’s going to be in the details, definitely,” recaps John Laffey. “But at least we have somewhere we can start to look and understand if there’s a gap. You’re going to be in a much better position, as opposed to… ‘Can we see this? No, I don’t have it. I’m not sure how to get it to you.’ That’s going to be a short conversation.”

What’s Next?

If your DIB org is looking to leverage its ISO 9001 QMS to streamline CMMC compliance, this podcast episode with John Laffey is perfect for your needs.

To hear the full episode, click here. If you don’t use Apple Podcasts, you’ll find all our episodes here.