CMMC Level 1 to ISO/IEC 27001:2022 Alignment

| CMMC Level 1 Practice | ISO/IEC 27001:2022 Annex A Control(s) |
|---|---|
| 1. Limit system access to authorized users | A.5.18 Access control |
| 2. Limit system access to permitted transactions/functions | A.5.18 Access control |
| 3. Verify and control/limit external connections | A.5.15 Access to network and network services |
| 4. Control information on publicly accessible systems | A.8.23 Web filtering; A.5.34 Protection during audit testing |
| 5. Identify system users and devices | A.5.17 Identification and authentication |
| 6. Authenticate/verify identities of users, processes, or devices | A.5.17 Identification and authentication |
| 7. Sanitize/destroy media before disposal or reuse | A.8.10 Information deletion; A.8.11 Data masking |
| 8. Limit physical access to systems, equipment, and environments | A.7.4 Physical security monitoring; A.7.5 Securing offices, rooms, and facilities |
| 9. Escort visitors and monitor activity | A.7.4 Physical security monitoring; A.7.7 Visitor management |
| 10. Maintain audit logs of physical access | A.7.8 Physical access logs |
| 11. Control/manage physical access devices | A.7.7 Visitor management; A.7.8 Physical access logs |
| 12. Monitor, control, and protect communications (networks) | A.8.20 Network security |
| 13. Implement boundary protection (firewalls, routers, gateways) | A.8.20 Network security; A.8.21 Segregation of networks |
| 14. Identify, report, and correct system flaws | A.8.8 Management of technical vulnerabilities |
| 15. Protect against malicious code | A.8.7 Protection against malware |

If you are already certified to ISO/IEC 27001:2022, you have coverage for all CMMC Level 1 practices. ISO is broader and risk-based, but its Annex A controls overlap completely with the FAR 52.204-21 requirements that form the backbone of CMMC Level 1.