May 27, 2021

Last Updated on January 12, 2024

Many businesses in the US defense industrial base (DIB) have an ISO 9001 certified Quality Management System (QMS). If yours is among them, did you know that your ISO 9001 expertise can help pave the way to compliance with the DoD’s new Cybersecurity Maturity Model Certification (CMMC) framework?

The Virtual CISO Podcast recently showcased the unique expertise of John Laffey, program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security). In this show, John reveals “clause by clause” how your ISO 9001 QMS parallels the CMMC framework.

“I think planning is going to be critical once you start getting up to CMMC Level 2 and Level 3, because that’s the point when you now have to sit down and actually document policies that say what you’re going to do,” asserts John. “You also have to document your approach for implementing those practices or controls. Say there’s a [CMMC] practice that requires that all users be uniquely identified on your system. Okay, at CMMC Level 1, you can just show [the auditor] that you’re doing it, and that might be okay. But when you get into the higher maturity levels, there should be a documented process that says exactly how you do it. A ticket is opened up in this system, it must be approved by this person, whatever the case may be. And it should be something that can be repeatable, so new employees can be trained on it. There should be a single source of information to go to, to understand how you do these things to make sure that there are no deviations and there’s nothing that falls through the cracks.”

Another key element of the ISO 9001 planning clause that relates directly to CMMC is the concept of risk assessment and risk management. Change equals risk. Anytime something changes in your environment, it needs to trigger your risk assessment process as part of the planning.

“If you’re going to make a change, if you’re going to bring on a new supplier, if you’re going to integrate with a new cloud-based platform, really going through and understanding all the potential impacts that could have and the information security risks or just business risks associated with potential things coming to pass—it’s a cornerstone for information security, as risk assessments in ISO 27001 drive everything. And it’s a requirement in CMMC as well,” John describes.

What’s Next?

If your ISO 9001 certified business has contracts with the DoD—or any of the growing list of US federal agencies that are mandating CMMC compliance—don’t miss this show with John Laffey! To hear the episode in its entirety, click here.

If you prefer not to use Apple Podcasts, you’ll find all our podcast episodes here.