October 24, 2022

Last Updated on January 18, 2024

ISO 27001 Certified Orgs—Here’s the Latest on CMMC Reciprocity

If your business is ISO 27001 certified, it’s logical that this would help you achieve Cybersecurity Maturity Model Certification (CMMC) compliance. But how much? Is there official reciprocity that lets ISO 27001 certified entities be awarded CMMC certification?

A recent episode of The Virtual CISO Podcast shares the latest guidance on top CMMC questions from across the defense industrial base (DIB) in a rapid-fire Q&A session with George Perezdiaz, NIST/CMMC Consultant at Pivot Point Security. The podcast host is John Verry, Pivot Point Security CISO and Managing Partner.

Next for reciprocity… But when?

George relates that ISO 27001 reciprocity is still on the table, but not yet official.

“Back two years ago when we were all looking at CMMC through the lens of Version 1, reciprocity was a heavy item of discussion,” recalls George. “FedRAMP was in the plan, and then ISO [27001]. We recently had notification that FedRAMP reciprocity now exists. And ISO is next, right?”

George guesses we’ll have “more guidance” in the next 6 to 12 months. But ISO 27001 certified firms in the DIB can’t afford to wait that long when CMMC language is expected to appear in DoD contracts starting in July 2023.

Aligning your ISO 27001 ISMS with CMMC

For now, ISO 27001 and CMMC certifications are largely independent. But you can architect your ISO 27001 information security management system (ISMS) and your CMMC scope to broadly intersect. This renders the DoD’s “reciprocity” somewhat moot by fulfilling the requirements of both standards with the same cybersecurity program.

“If you make your ISMS and DoD scopes one and the same, then you can relatively easily maximize your ISO 27001 investments,” explains George. “But there’s going to be some heavy lift in there to identify your assets, categorize them correctly, making sure that those data paths and data communications are tagged and labeled correctly, etc. to start building that CMMC scope.”

What about cost savings?

How much ISO 27001 certified orgs might save on CMMC certification depends on how many of the NIST 800-171 controls you already have in place. Are you just trying to make your mature ISO 27001 environment manage your CUI and NIST 800-171 frameworks (as described above)? Then you might be looking at $25,000 to $30,000 invested to achieve a CMMC certification.

But if you’re protecting commercial data separately from how you’re protecting CUI, you might end up with a separate CMMC enclave, and effectively two separate projects/programs. That will make it harder to get “double duty” out of your ISO 27001 investments. But your ISO 27001 experience and process maturity will certainly still benefit you.
