How to Use ISO 27001 for CMMC?
It is not advisable to use ISO 27001 for CMMC. While leveraging an existing ISO 27001 Information Security Management System (ISMS) to address NIST 800-171 requirements may sound appealing, there is a good chance that the organization will take on more work adapting ISO to NIST/CMMC than it would by addressing CMMC as its own compliance initiative.
Key reasons why it is not advisable to use ISO 27001 for CMMC include:
- The US DoD does not offer any reciprocity for ISO 27001, so there is no benefit to using the framework;
- The scoping for an ISO 27001 ISMS and CMMC are often going to be very different;
- ISO 27001 and NIST 800-171 are designed for different purposes. While they both deal with the concept of cybersecurity, the frameworks are very different; and
- ISO 27001 is not data-centric, which is one of its biggest weaknesses when trying to leverage it for CMMC.
Components where an organization could leverage an existing ISO 27001 ISMS for CMMC include:
- Existing policies and standards may be sufficient and can be edited to increase scope for missing NIST 800-171 controls; and
- Existing internal audit processes should help with maintaining situational awareness on CMMC compliance efforts.