Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a framework which has been  developed by the U.S. Department of Defense (DoD) to improve the security practices of its supply chain.  In order to protect against cyber threats, defence contractors and other organisations that handle controlled unclassified information (CUI) are required to meet a set of cybersecurity standards and practices to adopt appropriate cybersecurity measures.

In November 2021, the DoD announced ‘CMMC 2.0’ an updated programme structure (with three levels replacing the previous five) and requirements designed to achieve the primary goals of its internal CMMC review.  The three CMMC levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).  Each level builds on the previous one, with the highest level requiring organisations to implement more advanced and comprehensive cybersecurity practices.   Organisations which handle CUI on behalf of the DoD are required to achieve compliance or certification at the level which corresponds to the type and sensitivity of the information they handle.

Key Features of CMMC 2.0

The CMMC framework incorporates a range of cybersecurity practices and controls, including the development of policies and processes, access control, incident response management, and security awareness training.  There are also provisions for third-party assessments and audits to ensure that supply chain organisations are meeting the required standards.

How does CMMC differ from ISO 27001?

While both CMMC and ISO 27001 are focussed on information security and the protection of sensitive information, they are intended for different audiences and have different goals.  ISO 27001 is a general standard which can be applied to any organisation, whereas CMMC is specific to the U.S. DoD and its contractors.  Key differences include:

  • ISO 27001 is more high level which, with its sister Standard ISO 27002, provides general guidance on information security practices.  CMMC, however, is more detailed and specific, with three levels which require increasingly advanced and comprehensive cybersecurity practices.
  • ISO 27001 can be applied to any organisation, regardless of industry or sector.  CMMC, on the other hand, is specific to the DoD and organisations which process CUI on its behalf.
  • ISO 27001 certification is, in the main, voluntary and organisations can choose to be externally assessed in order to demonstrate conformance with the Standard.  However, CMMC certification is mandatory for those organisations that handle CUI on behalf of the DoD and also wish to work with the DoD and, depending on the level, are required to either self-certify or externally assessed.

Contact CMMC Experts Today

Having assisted over 400 organisations to implement an ISMS and then achieve ISO 27001 certification since the Standard’s establishment in 2005, we at URM are the ideal experts and partners to help you certify.  A particular niche skill is helping organisations to conform or certify to ‘best practice’ international (IS) standards, such as SOC 2, CMMC and ISO 27001..  

Get in touch with our CMMC specialists today to find out more.

Contact Us

How can URM assist you?

Gap Analysis

With our CMMC gap analysis, URM will assess your organisation's current cybersecurity practices and identify any gaps or weaknesses that need to be addressed in order for you to meet the requirements of the CMMC framework.

Typically, URM’s gap analysis involves the following steps:

  • During the discovery and scoping phase, URM will help establish whether there is a requirement either through the processing, storage or transmission of CUI or Federal Contract Information (FCI) or meeting a specified client requirement and then map, at a high level, the data journey to determine the system scope and the sites/locations in scope.  One of URM’s senior consultants will guide you through the CMMC framework in order for you to understand the specific cybersecurity practices and controls that are required at each of the 3 levels of the CMMC framework.
  • URM will then assess your organisation's current cybersecurity practices and controls to identify any gaps or weaknesses that need to be addressed.  This involves an evaluation of the maturity of your current controls including technology (e.g., firewalls and intrusion prevention systems) policies and processes (e.g., access control and incident management) and people (e.g., awareness training) controls.
  • Following our assessment of your cybersecurity practices, URM will identify any specific cybersecurity practices which need to be improved or enhanced in order to fully meet the requirements of the CMMC framework.  URM will specifically identify any gaps between the current maturity level and the maturity required to achieve the identified CMMC level.  
  • The final stage will involve URM working with you to develop a plan (including actions and milestones) to address any identified gaps and improve your cybersecurity practices and be able to consistently demonstrate the maturity (evidence) of the CMMC implementation programme.  As part of the plan, we will help you identify the resources and support which will be needed to implement the required changes.

Implementation

Having conducted a gap analysis, URM can provide hands-on support to implement any identified improvements and how to demonstrate the appropriate level maturity by building up the expected evidence.  URM can design and specify the necessary controls and specify the evidence required to assist you in implementing, owning and operating the necessary controls.

Certification Support

URM is able to support the certification audit, where required, to ensure the controls are appropriately represented and the necessary audit evidence is available and explained.

Solutions & Products

One the key requirements of ISO 27001 is the need for robust risk assessment which can produce repeatable and comparable results.  With its proven, best practice methodology, URM’s information security risk management software, Abriska 27001, enables you to meet this requirement.   We can also assist you to increase awareness among your staff with our expertly designed and engaging learning management system (LMS), Alurna.

View Products

InfoSec Training Courses

Our information security and ISO 27001 training courses can help you learn how to effectively manage information security.  Our Certificate in Information Security Management Principles (CISMP) training course will prepare you to take the BCS (Chartered Institute for IT) administered exam, enabling you to gain an industry-recognised qualification.  Meanwhile, our Introduction to ISO 27001 Course and ISO/IEC 27001:2022 Transition Course will significantly enhance your ISO 27001 knowledge and professional skillset.

View Training Courses

Why URM for CMMC?

Track record

URM has a 17-year track record of providing high quality consultancy and training support, assisting organisations improve their information and cyber security, as well as information governance posture and capabilities.  A particular niche skill is helping organisations to conform or certify to ‘best practice’ international (IS) standards, such as SOC 2, CMMC and ISO 27001.  Having assisted over 400 organisations to achieve world recognised standards, URM has worked with organisations of all sizes from micro businesses to multi-national organisations and from all the major market sectors.

Tailored approach

URM is renowned for adopting a highly tailored and bespoke service, where its consultants are constantly striving to deliver sustainable solutions that meet both the current and future needs of the client organisation.

Flexible delivery

When transferring knowledge on meeting the requirements of CMMC URM can deliver this through various delivery mechanisms, i.e., through one-to-one support, workshops or training courses.  Furthermore, when delivering remediation services to address gaps, URM’s support is tailored and flexible, based on the client’s requirements, internal knowledge and available resources.  Support can be delivered on an activity-per-activity basis or where a consultant is allocated on a recurring basis, e.g., 1 day a week   Such an engagement helps to ensure that remediation activities are followed through, remain compliant and that sufficient evidence for the audit is generated.

CMMC Consultancy Services

Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations  looking to improve their information security, risk management, data protection etc. The webinars  are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, complying with the GDPR.  All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

Round TableHow to Achieve ISO 27001 Certification

On 20 November, BSI and URM are collaborating to deliver a free, half-day Round Table event on how to implement ISO 27001

Read more
Listen to recording
USB stick, Padlock, Keys
WebinarSOC 2: What, Why and How

In this webinar, URM’s consultants guide you through all the key aspects of SOC 2 including pitfalls to avoid and the success criteria.

Read more
Listen to recording
USB stick, Padlock, Keys
Webinar5 Steps to Improve Your Supplier Information Security Risk Management

URM presents and discusses 5 key steps you can take to improve your supplier information security risk management.

Read more
Listen to recording
USB stick, Padlock, Keys

ISO 27001 FAQs

How long does it take to implement ISO 27001?

There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available.  However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.  

With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.

Apart from the existing maturity of operational practices and controls and availability of in-house resource, another key determinant in how long an ISO 27001 implementation will take place will be the support and involvement of senior management.  URM has seen organisations achieve very aggressive timescales in implementing and achieving ISO 27001 certification where Senior Management has prioritised the project, often associated with being awarded a significant client project.

Is there a legal requirement to comply with or be certified to ISO 27001?

There is, generally, no direct legal requirement for compliance as such, indicating why many people choose to use the word conformance rather than compliance.  Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.  

There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by virtue of a contract.

What does ISO 27001 require you to do?

A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS.  You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.  

These requirements are broken down into 7 major clauses, which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement.  These clauses are consistent with other ISO Management system standards such as ISO 9001 and ISO 22301, and is known as the harmonised structure.

When was ISO 27001 last updated?

The current version of the Standard, ISO/IEC 27001:2022 replaced the 2013 version of the Standard on 25 October 2022.  As of 1 May 2024, all initial and recertification assessments must be conducted against ISO 27001:2022 and, on 31 October 2025, all ISO 27001:2013 certificates will be withdrawn.  Whilst the management system clauses received a relatively minor makeover in order to harmonize ISO 27001 with other standards, the information security controls contained within Annex A were completely restructured with some controls being merged with others as well as 11 new ones being introduced.

Read more
Information Security FAQ

Speak to a CMMC Expert

URM has a 19-year track record of providing high quality consultancy and training support, assisting organisations improve their information and cyber security, as well as information governance posture and capabilities

Speak to one of our experts for more information on how we can help. Simply call 0118 206 5410 or request a call back using the form below.

Developing an ISO 27001 Information Security Policy

Published on
5/11/2024

URM’s blog discusses how to develop and implement an information security policy that fully conforms to both your organisation’s and ISO 27001 requirements.

Read more
Thumbnail of the Blog Illustration
Internal Audit
Published on
18/10/2024
Internal Auditing of Management Systems

URM’s blog explains how to plan and execute effective and conformant internal audits of management systems at each stage of the internal audit process.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
4/10/2024
Implementing and Auditing ‘People Controls’ from ISO 27001:2022

URM’s blog explains why ‘people’ warrants its own control theme in ISO 27001 and how to prepare for a people controls audit, offering advice for each control.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
20/9/2024
ISO 27002, the Unsung Hero

URM’s blog explains what ISO 27002 is, how it can benefit your organisation, & how you can use it to support your implementation of an ISO 27001-conformant ISMS

Read more
"
Without URM, Havas People would not of achieved its certification goals.
Director, Havas People