Insert Coin: Introduction
If you’ve ever played a video game sequel, you know the feeling. The first game took you hundreds of hours. You learned the mechanics, figured out the enemy patterns, built your character from the ground up, and eventually, finally, cleared it. Then the sequel drops. You fire it up, and something interesting happens. You’re not a complete beginner. Your instincts are sharper. The genre is familiar. You know what a health bar looks like, and you have a general idea of what to do when it appears.
But the sequel has new mechanics. The map is different, some of your old strategies don’t really work anymore, and if you walk in assuming that your expertise from Game 1 automatically covers you in Game 2, the first major boss is going to disabuse you of that notion quickly. (I see you, Dark Souls veterans. You know exactly what I mean.)
That’s a pretty accurate picture of what it’s like when an organization that has implemented ISO 27001 finds itself facing a CMMC Level 2 requirement in its DoD contracts. Your ISO 27001 work is real, and it matters. You’ve built genuine capabilities that carry over into this new playthrough. But CMMC Level 2 is a sequel, not a remaster, and it has enough new mechanics to keep even experienced players humble if they walk in unprepared.
In today’s blog, I want to talk directly to those organizations in the Defense Industrial Base (DIB) that have been playing the ISO 27001 game and are now staring at the CMMC Level 2 title screen, wondering what they’re in for. We’ll walk through the challenges that are unique to this transition, acknowledge what you’re genuinely bringing into this new playthrough, and talk about how IntelliGRC fits into your party for this campaign.
Same Genre, Different Mechanics
Before we map out what’s ahead, it’s worth making sure we understand both games. ISO 27001 is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Think of it like a strategy role-playing game. The main clauses (Clauses 4 through 10) define the entire system you’re building: understanding your organizational context, assigning responsibility, planning and operating your security program, and committing to continual improvement. Annex A gives you a catalog of security controls (about 93 of them under ISO 27001:2022) organized across four themes that you select based on your own risk assessment. These requirements are meant to be maintainable in a system over time, and they’re flexible enough to fit organizations of all shapes and sizes. Depending on the risks the organization faces, certain Annex A requirements may be useful, while others may not be. Applicability is a big part of ISO 27001, and you must justify applicability when you’ve opted not to implement a certain requirement. A “Statement of Applicability” is one of the explicitly required documents that you’ll need to maintain for your ISO 27001 audit.
CMMC Level 2 is a bit different. Its requirements are currently rooted in the 110 requirements and 320 assessment objectives of NIST SP 800-171 Rev 2 and NIST SP 800-171A, and its entire purpose is to verify that organizations in the DIB are protecting Controlled Unclassified Information (CUI) in accordance with DFARS 252.204-7012 and 32 CFR Part 170. There’s no risk-based control selection here per se; there kind of is, but it’s a selection the DoD has already made for you. The DoD assessed the risks related to non-federal, contractor-owned systems being used to handle CUI and determined the requirements to mitigate those risks: NIST SP 800-171. So there’s no Statement of Applicability that lets you opt out of requirements that don’t “fit.” All 110 requirements apply to your assessed environment unless the DoD Chief Information Officer (CIO) has explicitly adjudicated a requirement as “Not Applicable.” For the ones that are applicable, you either meet them or you don’t, and, for contracts that will require a CMMC Level 2 Certification, a Third-Party Assessment Organization (C3PAO) Assessment Team will eventually show up to confirm which it is.
It’s the same general genre, but the mechanics, the win conditions, and what the judges are scoring can be quite different. So let me flesh out the biggest adjustments you’ve got to get used to.
New Mechanics That Will Humble You: The Challenges of Transition
The Map Has Changed: Scoping in CMMC Is More Prescriptive
One of the first things that catches ISO 27001 organizations off guard in CMMC is the scoping principles. In ISO 27001, you define your ISMS scope based on your organizational context and risk decisions. You decide what’s in and what’s out, document it thoughtfully, and move on. It’s a flexible system that works well for establishing a broad security baseline.
CMMC’s scoping model plays by different, much more stringent and explicit rules. 32 CFR Part 170 and the CMMC Level 2 Scoping Guide define specific asset categories that govern what ends up in scope: CUI Assets, Security Protection Assets (SPAs), Contractor Risk Managed Assets (CRMAs), and Specialized Assets. Whether a given asset falls into one of those buckets depends on its relationship to CUI and the security functions it performs for the system, not on your risk appetite or organizational preferences. Here’s where it gets humbling: that scoping exercise, done correctly for CMMC, often reveals system components and External Service Providers that never appeared in your ISMS scope at all. Your CMMC boundary isn’t just where CUI lives. It extends to anything that provides security protections to the environment where CUI lives.
One more note here: 32 CFR Part 170 and the CMMC Level 2 Scoping Guide add another caveat for consideration. Security Protection Data (things like vulnerability scan results, credentials used to access the system, logs, etc.) also has implications for scoping. Offline or cloud cold storage is one of the examples called out in the Scoping Guide, which states that the location where security logs are kept offline or in cold storage is also part of the scope. That is a big deal, because, in short, it means that wherever security-relevant data for the system resides, that location also needs to be protected as a Security Protection Asset, which carries the same requirements as everything else (where applicable, of course; you don’t need to implement FIPS-validated cryptography for encrypted audit logs).
Regardless, it’s a new map with new rules. It’s not trivial.
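To make the scoping point concrete, here is an added example (my own illustration, not code from the original post or from IntelliGRC’s app) that runs a simplified version of the CMMC asset-category rules over a constructed inventory. The category logic is a simplified reading of the Scoping Guide, the precedence between categories is an assumption, and every asset name and flag is made up. The part worth watching is the last list it produces: assets that land in the CMMC boundary even though they were never inside the ISMS scope, such as a cold-storage bucket holding archived audit logs and an MSP’s remote-management agent.

```python
# Added example, not part of the original post or any vendor tooling.
# Simplified CMMC Level 2 asset categorization over a constructed inventory.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    handles_cui: bool = False                 # processes, stores, or transmits CUI
    can_handle_cui: bool = False              # technically able to, but policy keeps CUI off it
    provides_security_function: bool = False  # SIEM, IdP, patching, firewall, EDR, ...
    stores_spd: bool = False                  # holds Security Protection Data (logs, creds, scan results)
    specialized: bool = False                 # IoT/OT/GFE/test equipment
    separated: bool = False                   # physically or logically separated from the CUI environment
    in_isms_scope: bool = False               # was this asset inside the ISO 27001 ISMS boundary?


def categorize(a: Asset) -> str:
    """Return the CMMC asset category for one asset.

    Rules are a simplified reading of the CMMC Level 2 Scoping Guide; the
    order of the checks (CUI first, then SPA, then Specialized, then CRMA)
    is an assumption made for this illustration.
    """
    if a.handles_cui:
        return "CUI Asset"
    # Security Protection Assets are defined by the function they perform or the
    # Security Protection Data they hold, not by whether CUI ever touches them.
    if a.provides_security_function or a.stores_spd:
        return "Security Protection Asset"
    if a.specialized:
        return "Specialized Asset"
    if a.can_handle_cui and not a.separated:
        return "Contractor Risk Managed Asset"
    return "Out of Scope"


def scope_report(assets):
    """Group assets by category and list the in-scope ones the ISMS boundary never covered."""
    by_category = {}
    for a in assets:
        by_category.setdefault(categorize(a), []).append(a.name)
    new_to_you = sorted(
        a.name for a in assets
        if categorize(a) != "Out of Scope" and not a.in_isms_scope
    )
    return by_category, new_to_you


# Constructed inventory for illustration only; none of these are real systems.
INVENTORY = [
    Asset("cui-file-server", handles_cui=True, in_isms_scope=True),
    Asset("eng-workstation-07", handles_cui=True, in_isms_scope=True),
    Asset("siem-collector", provides_security_function=True, in_isms_scope=True),
    # Archived audit logs in cloud cold storage: never sees CUI, but it is SPD.
    Asset("log-archive-cold-storage", stores_spd=True, in_isms_scope=False),
    # External Service Provider's remote-management agent: a security function
    # for the environment, and it was never in the ISMS scope.
    Asset("msp-rmm-agent", provides_security_function=True, in_isms_scope=False),
    # Could hold CUI but policy says it must not: a CRMA.
    Asset("marketing-laptop-12", can_handle_cui=True, in_isms_scope=True),
    # Logically separated and unable to handle CUI: out of the CMMC boundary.
    Asset("hr-payroll-app", separated=True, in_isms_scope=True),
    Asset("shop-floor-cnc", specialized=True, in_isms_scope=False),
]

if __name__ == "__main__":
    categories, newly_in_scope = scope_report(INVENTORY)
    for category, names in categories.items():
        print(f"{category}: {', '.join(names)}")
    print("In CMMC scope but never in the ISMS scope:", ", ".join(newly_in_scope))
```

Running it prints the inventory grouped by category, then the three assets (the log archive, the MSP agent, and the CNC machine) that the ISMS never scoped but a C3PAO will expect to see in the SSP. Real scoping is a judgment exercise against the full Scoping Guide text; a script like this only makes the inventory questions explicit.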
Your Old Save File Isn’t Enough
Here’s where the sequel analogy starts to make a lot of sense. In a lot of sequels, your old achievements don’t count toward the new ones; instead, you’ve got to earn them from scratch as they are part of a different game. The same dynamic plays out when an ISO 27001 organization undergoes a CMMC assessment.
CMMC assessors from a C3PAO are not evaluating your ISMS. They are evaluating whether you have implemented specific NIST SP 800-171 requirements in your environment, and they need direct, requirement-specific explanations and evidence to confirm it. Your management review minutes won’t necessarily satisfy an assessment objective for Audit Correlation (AU.L2-3.3.5), Change Management (CM.L2-3.4.3 through 3.4.5), or Security Control Assessments (CA.L2-3.12.1). Your ISMS scope statement won’t necessarily demonstrate that your external and internal system boundaries are defined for SC.L2-3.13.1. Your risk treatment plan, as solid as it is, won’t automatically map to what an assessor will ask for when evaluating RA.L2-3.11.1. All of these things might be incredibly relevant, but it is not an automatic one-to-one. There are 110 requirements, each with its own assessment objectives, and each one needs its own stack of evidence.
Side note: This is not me saying your ISO 27001 documentation is useless in a CMMC context. But it does mean you need to do some evaluating rather than assuming coverage. The burden of evidence in CMMC is requirement-specific, and assessors are looking for targeted proof of implementation, not necessarily a well-organized management system manual.
Check Your Inventory: The Real Advantages
Ok, I don’t want this whole blog to read as a list of boss fights with no checkpoint in sight, else I wouldn’t have written it in the first place. Here’s the truth. If you’ve been living inside an ISO 27001 ISMS and applying Annex A controls to an information system that overlaps with your CMMC scope, you are meaningfully ahead of a lot of organizations within the DIB. Let me get specific about what you’re probably bringing to the table because of your ISO efforts.
Your Documentation Discipline
CMMC assessors need evidence: not just policies, but actual operational evidence such as audit logs, access control records, configuration baselines, incident response documentation, training records, and a well-maintained System Security Plan (SSP). Organizations that have been managing an ISO 27001 ISMS already understand the discipline of keeping records and preparing for third-party audits. You’ve been writing procedures, maintaining documentation, and engaging with external auditors. That muscle memory is genuinely transferable once you know what it needs to be transferred to. You should feel encouraged about your position if this is you!
The Control Overlap Is Substantial and Real
ISO 27001:2022 Annex A and NIST SP 800-171 Rev 2 share a significant amount of substantive DNA. Access control, cryptographic protections, audit logging, incident response, physical security, vulnerability management, and risk assessment are all addressed meaningfully in both frameworks. If you’ve implemented Annex A controls in areas like access management (A.5.15, A.5.18), information logging, time synchronization, and monitoring (A.8.15, A.8.16, A.8.17), vulnerability management (A.8.8), or secure configuration management (A.8.9), there is genuine, meaningful overlap with the corresponding NIST SP 800-171 requirements. You haven’t been grinding the wrong stats. You’ve been building a character that, with a targeted gap analysis, can be leveled up to meet CMMC Level 2 without starting over!
Your Risk Assessment Is Already Leveled Up
ISO 27001’s risk assessment and treatment process, done well, gives you a clear-eyed picture of your security landscape. When it’s time to understand your CMMC gaps, that existing foundation, like the documented threats, vulnerabilities, and treatment decisions you’ve already captured, can serve as a meaningful head start for a more targeted CMMC gap analysis. I had to mention this because Risk Management and Risk Assessments are often really under-considered when, in reality, they are the bedrock of EVERYTHING we do in cybersecurity. And, if ISO 27001 already requires you to perform risk assessments in a very intentional way, then you’ve probably got all the procedural infrastructure necessary to meet the RA.L2-3.11.1 requirement almost immediately when you start your CMMC implementation journey. Take heart, weary traveler!
Your Party Member For This Campaign: Where IntelliGRC Comes In
This is the part I genuinely enjoy talking about. (Yes, I’m biased, but rightly so.)
IntelliGRC was built for exactly this kind of complexity. We work with organizations of all shapes and sizes, and especially those in the DIB, including those with ISO 27001 backgrounds, to help them figure out where they stand, where their gaps are, and how to close them efficiently without reinventing the wheel. IntelliGRC is purpose-built to support CMMC Level 2 implementation and assessment readiness, and our team has run this dungeon before. What does this mean practically?
Define and document your CMMC scope accurately
We help you work through the CMMC Asset Categories, data types, External Service Providers, and other scoping in alignment with 32 CFR Part 170, so your assessment boundary is defensible from the start. Developing a well-defined system boundary is one of the first things that gets done when you start using our app!
Gap analysis that respects your existing work
We’re not going to ask you to scrap what you’ve done for ISO 27001. Once the information you’ve utilized for implementing those Annex A requirements is brought into IntelliGRC, we’ll map them to the appropriate NIST SP 800-171 requirements and their objectives. We estimate that if you’ve completed a robust implementation of the Annex A requirements from ISO 27001 and documented them well, you’re probably about 40-60% of the way done regarding implementing the requirements for CMMC. From there, IntelliGRC can help identify specifically what needs to be extended, tightened, or newly documented so you’re covering all your bases without starting over.
Side note: Our estimate here is based on IntelliGRC’s use of a common set of objectives utilized across frameworks. It assumes an organization that has documented its implementation of the Annex A requirements well, has the evidence to back it up, and has an ISO 27001 scope that is roughly the same as its CMMC boundary. We understand that your experience will vary because every organization is different; the impacts of the CMMC-based scoping adjustments and the variance in how deeply an organization implemented and documented the Annex A requirements are huge factors. The point is still the same: ISO 27001 implementation on a system that will be used for DoD contracting work is significant progress, regardless of the amount.
SSP, policies, procedures, and body of evidence
IntelliGRC’s tools and templates are designed around what a C3PAO assessor is going to evaluate, not just what makes an ISO auditor comfortable. Its outputs, templates, and particular features were developed from the blood, sweat, and tears of experience working in this industry and the knowledge of what an assessor is really going to ask for and expect to see. Things like the System Security Plan, Continuous Monitoring Procedures, Operational Plan of Action details, the Body of Evidence, and more can all be built using IntelliGRC and delivered to an assessment team in a way that’s straightforward and resonates with their experience.
Support from implementation through assessment
Whether you’re just beginning to evaluate your CMMC exposure as an ISO 27001 organization or you’re already deep in implementation and eyeing a formal C3PAO assessment, we’re in your party for the whole campaign.
You’re Not a New Player, So Don’t Play Like One
At the end of the day, transitioning from ISO 27001 to CMMC Level 2 is real work. I’d never want to pretend otherwise. The scoping model is very different and specific; the evidence requirements are granular and requirement-specific, and all 110 practices are in play with rare and explicit exceptions. These are genuine challenges, and they deserve real attention.
But if you’ve implemented ISO 27001 well, you are not walking into this blind. You have documented controls, a risk-aware security culture with leadership buy-in, and experience presenting to third-party auditors. That is not nothing. In the DIB, it’s quite a lot. You’re a returning player with a solid inventory stepping into a sequel. The new mechanics will take some getting used to, but you are capable of getting through this and implementing CMMC.
If you’re ready to figure out where you stand and what it’s going to take to get through this campaign, we’d love to connect. Reach out through our Contact Us page on our website or shoot us a note at sales@intelliGRC.com. You can also connect with me directly on LinkedIn.
As always, Happy Implementing!
– Steven Molter
