ISO 27001 audits versus CMMC assessments

In the June/July 2024 issue of Defense and Munitions, I discussed steps necessary to prepare for a Cybersecurity Maturity Model Certification (CMMC) assessment. Preparing for an ISO 27001 audit is similar and preparing for both simultaneously can save time and money. Comparing the assessment processes, let’s address what ISO 27001 is and how it benefits companies.

What is ISO 27001?

ISO released the ISO 27001 standard in 2005. Like most ISO standards, ISO 27001 focuses on a management system. In this case, the focus is on information security management systems. ISO 27001 is an international standard for information security, focused on protecting the confidentiality, integrity, and availability of an organization’s infrastructure, business operations, information technology (IT) systems, and data. This contrasts with CMMC, which focuses on protecting the confidentiality of Department of Defense (DOD) data. ISO 27001 complements General Data Protection Regulation (GDPR) for European organizations focusing on Personally Identifiable Information (PII). In a time when cybersecurity risks seem omnipresent, an ISO 27001 certification indicates an organization’s dedication to robust cybersecurity practices, especially in regard to their customer data.

Preparation for an ISO 27001 audit versus a CMMC assessment

In the June/July issue, I listed a few steps to complete before a CMMC assessment. How do those steps compare to preparing for an ISO 27001 audit?

1. Define the scope (boundary) of your Information Security Management System (ISMS). This should include all interconnected systems used in generating and tracking the organization’s products or services. CMMC scoping is only around the DOD data and its use.
2. Assess whether you need a technology partner to help implement and internally assess the controls of ISO 27001.
3. Determine the applicability of each control in Annex A against the organization’s requirements. CMMC does not allow non-applicable controls without a waiver from the DOD’s chief information officer.
4. Conduct an internal assessment of all applicable controls and rationale for non-applicable controls. This is the same for CMMC.
5. Remediate or mitigate each non-compliant control in Annex A. CMMC does not allow mitigating a control, each control must be met on its own.
6. Document how each control is met, who is the control owner, and what processes and policies are applicable to this control in the organization’s Statement of Applicability (SoA). CMMC requires this level of documentation in the System Security Plan (SSP).
7. Contact your ISO 27001 accredited certification body to schedule your assessment. An accredited certification body ensures that your ISO 27001 certification holds value in the eyes of clients, stakeholders, and regulatory bodies.

NOTE: Any consultant or technology partner who assists an organization in implementing or the internal assessment of an ISMS cannot be part of the 3rd party certification audit. When selecting a C3PAO and/or a consultant to help your company in advance of an assessment, make sure they aren’t promising both services. The assessor can offer general guidance but cannot give consultation to a company they will assess.

What questions do you have about ISO 27001 and CMMC?

Smithers can serve as both an ISO 27001:2022 auditor and a C3PAO (CMMC Third-Party Assessor Organization). Just as our ANSI National Accreditation Board (ANAB) accreditation means we can certify companies to the ISO 27001 standard, our status as an authorized C3PAO means we can conduct final CMMC assessments. Other companies may not have Certified CMMC Assessors (CCAs) or Certified CMMC Professionals (CCPs) on staff, which means they are not able to serve as a C3PAO. If you have questions about either standard, or if your organization is ready for your final assessment, please contact me to discuss your compliance journey.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

Smithers
https://www.smithers.com