June 3, 2021

Last Updated on January 15, 2024

The new Cybersecurity Maturity Model Certification (CMMC) requirements are coming up fast for SMBs in the Department of Defense (DoD) supply chain, as well as companies doing business with other US federal agencies like the General Services Administration (GSA) and the Department of Homeland Security (DHS).

But for firms that have already invested in an ISO 9001 Quality Management System (QMS), the road to CMMC could be a little less rocky.

To explain how ISO 9001 skills can benefit CMMC efforts, a recent episode of The Virtual CISO Podcast features the unique expertise of John Laffey, a program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security). Hosting the episode is John Verry, Pivot Point Security’s CISO and Managing Partner.

One of the most interesting and relevant topics on the show was the question of whether an ISO 9001 quality professional would be a good choice to run a CMMC program.

“I think they would definitely have a lot of the necessary skills to be a part of the team leading the CMMC implementation,” John Laffey confirms. “I think the background they would have from going through ISO 9001 and understanding the management system requirements that we’ve discussed here are going to give them a leg up on say someone who is super technical, but not concerned with processes, policies or management systems.”

“The best ISO 27001 management systems I’ve ever seen are run by ISO 9001 gurus,” validates John Verry.

“Yeah, and then you just layer in the technical folks when and where you need them,” explains John Laffey. “I’ve found in my time auditing that some of the brightest technical people almost get forced into documenting policies and plans and procedures. But it’s not the way their minds work necessarily. They’re not interested in writing about how they’re going to do something. They just want to do it and show you the next cool thing they can do.”

“So I think you need a great mix of the two,” John Laffey underscores. “But having the management system background is going to be key to keeping this whole [CMMC] thing herded in and pushing it to the finish line.”

“Your best bet, if it’s not an ISO 9001 expert, would be someone who’s more project management oriented or process oriented,” advises John Verry. “So, if you’re listening to this and you’re worried about being successful in CMMC, don’t let your brightest and best technical guy [run your CMMC program]. Because more likely than not he’s not the right guy for the project.”

What’s Next?

Ready to hear more about how your ISO 9001 know-how can help with CMMC? To listen to the complete episode with John Laffey and John Verry, click here.

If you don’t use Apple Podcasts, you’ll find all our information security podcast episodes here.
