January 2025

CMMC Auditor vs Assessor (CCA): How the Two Compare

The full compliance process for CMMC, the Cybersecurity Maturity Model Certification, culminates in an audit that validates an organization’s cybersecurity posture and its implementation of the security controls that apply to it. Throughout this process, there is a gatekeeper who performs your audit. You may have heard them referred to as a CMMC Auditor or a CMMC Assessor. With these two terms in play, you may be wondering what the difference is between them.

The Top 10 Reasons People Fail a CMMC Audit

The Cybersecurity Maturity Model Certification, version 2.0, is finally in effect, which means thousands of businesses that have roles in the Department of Defense supply line need to do the work to comply and pass their audits to receive certification. It’s inevitable that many of these businesses will fail their initial audits. The standards are high, the margin of error is narrow, and the timeline is tight.

ISO 27001 Audits: What You Can Expect from Your Auditor

The final step to achieving ISO 27001 certification is passing an audit of your ISMS. During this process, you will work with an external, third-party auditor who thoroughly audits your systems to evaluate compliance with the guidelines in ISO 27001. The question is, what will that auditor be doing? Do you hand them paperwork and the keys to the building and let them do their thing, or are they more interactive? What can you expect when working with your auditor?