June 17, 2020

Last Updated on January 13, 2024

Thomas Price from BSI is a crazy-accomplished auditor. 
He has experience in ISO 9001, 20000, 27001, 27017, NIST 800-171, and NIST CSF. This guy knows his stuff. I truly believe he will be one of the first auditors to be certified to complete a CMMC certification.
If you want a glimpse into what one of your future CMMC audits will be like, this is the show for you. If you hire BSI to perform your CMMC certification audit, you may even have our guest, Thomas Price (or someone he trains) show up at your facility, so this is as real as it gets. 
Thomas knows his stuff. If you can convince him, you’re in really, really good standing.
I tossed him some scenarios on how to leverage ISO 27001 to meet CMMC requirements, letting him, from that auditor’s perspective, weigh in on whether they would pass muster.
In a weird way, sitting down with Thomas for this episode felt an awful lot like being audited!  It was a very different kind of conversation, and one that you won’t want to miss.

2 Sides of the Same Certification

Despite the fact that I’m a lead auditor, I tend to live on the consultative side of the equation. 
Where I am more about building information security management systems, the work Thomas does is more about assessing it. I know this is going to be a fun conversation, because we look at things a little bit differently. So, I started off by asking him this deceptively simple question:

 “From your perspective, how are 27001 and CMMC the same, or similar?”

Thomas broke it down really well, by starting with the bones. ISO 27001 helps build a great foundation for an Information Security Management System (ISMS). It assists in building a program that identifies information, places safeguards, and sets up protection for the confidentiality, integrity and availability of information assets.
He went on to talk about the CMMC “origin story”, if you will. Definitely a Marvel reference in here somewhere, but moving on. 
When the government began evaluating the self-assessments companies were performing to comply with NIST 800-171, it did not like what it saw, so it developed the CMMC.

One of CMMC’s goals is to establish a higher level of confidence in the implementation of Defense Industrial Base (DIB) security controls, which enables companies to better address the compliance requirements the government wants to see for the Controlled Unclassified Information (CUI) they control.

So, How are ISO 27001 and CMMC Different?

ISO 27001 is an international standard, and it’s accepted across different countries, while the CMMC is a US DoD creation.
The CMMC certification process is used to attest to a company’s ability to protect CUI. While you can include any data types in your ISO 27001 scope (including CUI, BTW), CMMC only focuses on CUI.
Thomas adds:
“Also, CMMC entails determining process maturity levels and the implementation of prescribed practices for each level of the model.” 

This Part Made Me Sweat a Bit…

After walking through the ins and outs of each cert, I thought it was time to see whether our different approaches would collide, and I ever so gently slid this onto the table.
CMMC seems to have some more prescriptive guidance.
As long as we’re implementing our ISO 27001 controls in consideration of that guidance, which of course we would, if that was something that was documented in our system security plan, reflected in our statement of applicability, and reflected in our risk assessment, I would think that would mean that we’d ensure that we implement those controls in a way that would conform with CMMC, right?
*Pause to wipe brow
So, if we architect an ISMS with CMMC fully considered, we should end up in a place where we can both be ISO 27001 certified, and CMMC certified.
*Bites nails, and glances over at the Knob Creek 
“That is correct.” 
Nailed it!

A Behind the Curtain Peek at a Really Strong Auditor’s Thinking

Like I mentioned at the beginning, this episode is different. 
It was really special, and Thomas was generous, engaging, crazy-smart, and a little scary! 
The stuff above is just the tip of the spear. Catch the full episode as we cover:

  • Updating your ISMS scope statement 
  • Addressing specific systems 
  • Developing a plan of attack for updating your ISMS 
  • What to do if you are reclassified from CMMC Level 2 to Level 3 mid-year
  • Making judgements based on the scope of your CUI
  • And a lot more.

This episode is a must listen. 
Fill a glass, and join us.

This post is based on The Virtual CISO podcast hosted by John Verry and featuring special guest, Thomas Price.