Free Assessment

Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

Request a Demo

Home

  /

  / ISO 27001 Business Continuity Requirements Guide

ISO 27001 Business Continuity Requirements Guide

Picture of Pedro Dias
Copy Link

Two controls decide whether your ISO 27001 business continuity plan survives an audit: Annex A 5.29 and Annex A 5.30. One keeps your security controls working while everything else is failing. The other gets your systems back online before the damage becomes permanent.

Plenty of teams write a continuity policy that satisfies neither in the way a certification auditor expects, and they discover the gap during the Stage 2 audit, when it is expensive to fix.

This article covers what ISO 27001:2022 actually requires for business continuity, the components an auditor will ask to see, the step-by-step build, and the mistakes that turn a continuity plan into a non-conformity.

ISO 27001 Business Continuity Plan

What Is an ISO 27001 Business Continuity Plan?

An ISO 27001 business continuity plan is the documented set of procedures that keeps information security effective and critical ICT services available during a disruption. It is not a generic “keep the lights on” binder. Under ISO 27001, the plan protects the confidentiality, integrity, and availability of information when normal operations break down: a ransomware event, a cloud outage, a data center failure, or a supplier collapse.

The plan lives inside your Information Security Management System (ISMS). It draws on your risk assessment, your asset register, and your Business Impact Analysis (BIA), and it feeds your disaster recovery procedures. Scope is the part people get wrong. ISO 27001 cares about the information security aspects of continuity, not every operational hiccup a full business continuity program might cover.

 

Why You Need a Business Continuity Plan for ISO 27001 Compliance

Downtime is expensive, and the bill arrives fast. For most organizations, the question is not whether a disruption will happen, but how quickly they recover when it does.

There is also a hard compliance reason. You cannot certify to ISO 27001 while ignoring continuity. The standard requires you to maintain information security during disruption and to keep ICT able to support recovery, and an auditor will ask for the evidence. A continuity plan is where availability stops being a promise and becomes a tested capability.

Let Axipro help you build a business continuity plan that's practical, compliant, and audit-ready.

Strengthen Your Business Continuity Strategy

Schedule A Consultation

ISO 27001 Requirements Related to Business Continuity Planning

ISO/IEC 27001:2022 carries 93 Annex A controls across four categories: organizational, people, physical, and technological. Continuity sits in the organizational set, and two controls do the heavy lifting, supported by two more on the technical side.

Annex A 5.29 – Information Security During Disruption

A.5.29 requires you to maintain information security at an appropriate level when a disruption hits. The point is that security controls have a habit of degrading under pressure. People disable multi-factor authentication to “speed things up,” logging stops on a failover system, or access controls loosen while everyone scrambles. A.5.29 says the confidentiality and integrity of your information must be maintained even while availability is under threat. It is classed as both a preventive and a corrective control, meaning it should reduce the chance of an incident and also help resolve one already underway.

Annex A 5.30 – ICT Readiness for Business Continuity

A.5.30 is the technical engine. It requires that your ICT readiness is planned, implemented, maintained, and tested against business continuity objectives and ICT continuity requirements. In plain terms, your servers, networks, applications, and cloud services need a defined recovery path, each with a Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and you need to prove the path works. This control is entirely new in the 2022 revision. It has no precedent in ISO 27001:2013, which is exactly why teams migrating from the older version so often have a gap here.

Important: A.5.30 did not exist in ISO 27001:2013. If your continuity documentation was written against the old Annex A 17 cluster and never updated, you are missing a control the auditor will specifically test. Treat ICT readiness as a fresh requirement, not a relabel.

Two technological controls back these up.

  • Annex A 8.13 (Information Backup) requires backups to be taken and tested in line with an agreed policy, and
  • Annex A 8.14 (Redundancy of Information Processing Facilities) covers the failover and redundancy that let critical systems keep running when a component dies.

Relationship Between ISO 27001 and ISO 22301

This is where confusion is common. ISO 27001 requires the information security aspects of continuity. ISO 22301 is the dedicated standard for a full Business Continuity Management System (BCMS), covering people, facilities, supply chain, and operations far beyond information security. An ISO 27001 certificate does not certify your wider continuity program.

The good news: both standards share the Annex SL high-level structure, so risk assessment, internal audit, management review, and document control carry across. Teams that already run ISO 27001 can layer ISO 22301 on top with far less effort than starting from scratch.

ISO 27001 Business Continuity Plan

Key Components of an ISO 27001 Business Continuity Plan

Business Impact Analysis (BIA)

The BIA is the foundation. It identifies your critical business processes, the ICT systems they depend on, and the cost of losing each one over time. It is where your recovery objectives come from, not from a vendor datasheet. A BIA also sets the Maximum Tolerable Period of Disruption (MTPD): the point beyond which an activity’s failure causes unacceptable damage.

Risk and Disruption Scenario Assessment

Your risk assessment identifies what could cause a disruption and how likely it is, feeding the Risk Treatment Plan and the Statement of Applicability (SoA) that records which controls apply. Continuity planning then runs concrete scenarios: ransomware, a regional outage, a key supplier failure, the loss of a data center.

Response and Recovery Strategies

For each critical system, you define how you will respond and recover: failover to a secondary site, restore from backup, or switch to a manual workaround. This links incident response to crisis management, the executive-level decision-making that kicks in when an incident escalates beyond a routine fix.

Roles and Responsibilities

Name real people, not departments. “IT will handle it” is the single most common reason a plan fails under pressure. Every critical system and recovery step needs a named owner and a named deputy, with current contact details and the authority to act.

Pro Tip: Replace every instance of "IT" or "the business" in your plan

Replace every instance of "IT" or "the business" in your plan with a person's name and a backup name. Auditors increasingly check whether the primary responder for a critical system can actually describe their role. A swim-lane diagram showing who does what, in order, is worth more than ten pages of policy prose.

Communication Plan

Decide in advance who tells customers, regulators, staff, and partners, through which channels, and on what timeline. Many disruptions become reputational events not because recovery was slow but because the silence was loud.

Backup and Redundancy Measures

This is Annex A 8.13 and 8.14 in practice. The widely used benchmark is the 3-2-1 rule: three copies of data, on two media types, with one off-site and ideally immutable. The U.S. Cybersecurity and Infrastructure Security Agency still recommends this baseline, with an additional offline or immutable copy as ransomware defense. Redundancy means no single point of failure can take down a critical service on its own.

Testing, Maintenance, and Continual Improvement

A plan that has never been tested is a hypothesis. ISO 27001 expects testing at planned intervals, typically at least annually and after any significant change. This is the Continual Improvement half of the PDCA cycle: test, capture what failed, fix it, retest. Our guide to Testing Maintenance and Continual Improvement covers the cadence in detail.

How to Create an ISO 27001 Business Continuity Plan: Step-by-Step

Step 1: Secure Management Support

Continuity planning needs budget and authority. Get senior management to own the objectives, because A.5.30 plans must be approved at that level and the BIA needs sign-off to carry weight in an audit.

Step 2: Conduct a Business Impact Analysis

Map every critical process to its supporting systems, suppliers, and data. Quantify the impact of losing each one at intervals such as 1 hour, 24 hours, and one week, and use that to rank what gets recovered first.

Step 3: Perform a Risk Assessment

Identify the threats that could cause those impacts, assess likelihood, and record your treatment decisions in the Risk Treatment Plan and the SoA. The risk assessment and the BIA together justify where you spend on resilience.

Step 4: Define Recovery Objectives (RTO and RPO)

Set an RTO and RPO for every critical system, derived from the BIA. RTO is the maximum time to restore a service. RPO is the maximum data loss you can absorb, measured in time. Both must fit inside the MTPD.

Insider Note: The most common RTO mistake is setting it based on what your technology can deliver, then calling that the target. Auditors and regulators expect the opposite: business tolerance sets the number, and the architecture is built to meet it. The NIST guidance in SP 800-34 is explicit that RTO must sit below the maximum tolerable downtime, with a safety margin. A stale or wishful RTO is worse than none, because it creates false confidence.

Step 5: Develop the Business Continuity Plan Document

Write the plan: scope, roles, scenarios, recovery procedures, a Disaster Recovery Plan (DRP) for ICT, communication protocols, and the testing schedule. Keep procedures specific enough to follow at 2 a.m. with half the team unreachable.

Step 6: Train Personnel and Assign Responsibilities

Brief the recovery team on their roles and give general staff awareness of the temporary procedures that apply during a disruption. Training records are audit evidence, so keep them.

Step 7: Test, Review, and Update the Plan

Run a tabletop exercise or a live failover test, document the results, log every gap in a corrective action tracker, and feed the fixes back into the plan. Then schedule the next test. A test that produces no findings usually means the test was too easy.

ISO 27001 Business Continuity Plan Template (What to Include)

A workable plan template covers, at minimum: scope and objectives; a register of critical processes and their ICT dependencies; the BIA results with MTPD, RTO, and RPO per system; named roles and deputies; disruption scenarios and recovery strategies; the DRP and backup arrangements; the communication plan; and the test schedule with a log of past exercises and their outcomes. The NIST contingency planning guide and ISO/TS 22317 both offer BIA templates worth borrowing from if you are starting cold rather than reinventing the structure.

We’ve created an editable template for your use, click the link below to view it.

Download the BCP Template →

How to Evaluate Information Security Continuity

Evaluation is not a one-off. ISO 27001 expects you to verify, through testing and review, that information security controls and ICT recovery still work as intended. That means checking after each test that recovery met the documented RTO and RPO, that security controls such as logging, encryption, and multi-factor authentication stayed active during failover, and that the lessons from the last exercise were actually implemented. Internal audit and management review are the formal mechanisms that close this loop and give the auditor a paper trail to follow.

 

Common Mistakes to Avoid When Building Your Plan

The recurring failures are predictable. Writing the plan in IT isolation with no buy-in from the rest of the business. Setting RTO and RPO from technology capability rather than business need. Leaving ownership as a job title instead of a person. Never testing, or testing once and filing the report. Disabling security controls during recovery to move faster, which directly breaches A.5.29. And treating A.5.30 as a relabel of the old Annex A 17, when it is a genuinely new requirement with its own evidence demands.

Worth Knowing: Don't Sacrifice Security During Recovery

Worth Knowing: Auditors treat the suppression of a security control during recovery as a non-conformity, not a pragmatic shortcut. If you turn off MFA or firewall inspection to speed a restore, that decision has to be a documented, risk-assessed waiver, not an undocumented field call. A failover that quietly drops your logging is a finding waiting to happen.

What Auditors Look for in an ISO 27001 Business Continuity Plan

A certification auditor wants living proof, not shelf-ware. Expect them to ask for a BIA reviewed and signed off by management within the last 12 months, a register of critical ICT assets with RTO and RPO attached, the DRP and its technical recovery procedures, evidence of backup integrity, and a schedule of tests with results from previous exercises. They will look for after-action reports and a tracked corrective action plan showing that failures from the last test were remediated. They will check training records for the recovery team. And they will probe whether a named responder can actually describe their role. The theme throughout: evidence that continuity is operationally real, not a policy PDF filed away after last year’s audit.

If you want help building or auditing this against ISO 27001:2022, Axipro’s ISO 27001 implementation support covers the BIA, control mapping, and evidence preparation end to end.

Let Axipro help you build a business continuity plan that's practical, compliant, and audit-ready.

Strengthen Your Business Continuity Strategy

Schedule A Consultation

Conclusion

An ISO 27001 business continuity plan succeeds or fails on two things: whether your information security holds during a disruption, and whether your ICT can recover within the targets the business actually needs. A.5.29 and A.5.30 make both measurable and auditable. Build the plan from a real BIA, set recovery objectives from business tolerance, name owners, test the plan, and fix what breaks. Do that, and certification becomes the byproduct of genuine resilience rather than a paperwork exercise.

ISO 27001 BCP Frequently Asked Questions

Is a business continuity plan mandatory for ISO 27001 certification?

You cannot ignore continuity. ISO 27001:2022 includes A.5.29 and A.5.30 as Annex A controls, and unless you can justify their exclusion in the Statement of Applicability, you must implement them. In practice this means documented, tested continuity arrangements for information security and ICT, even if you do not pursue a full ISO 22301 BCMS.

ISO 27001 covers the information security aspects of continuity: keeping data confidential, intact, and available during disruption. ISO 22301 is a standalone Business Continuity Management System standard covering the whole organization, including people, facilities, and supply chain. An ISO 27001 certificate does not prove you have a complete BCMS; ISO 22301 does.

At planned intervals, which in practice means at least once a year and after any significant change, such as a major system migration, an acquisition, or a real incident that exposed a gap. The BIA should be reviewed on the same cadence so the recovery objectives stay accurate.

Senior management owns the objectives and approves the plan, but day-to-day responsibility is distributed across process owners, an ICT recovery team, and named individuals for each critical system and recovery step. The plan should name people and deputies, not departments.

The business continuity plan is the umbrella, covering how the organization keeps critical functions running during disruption. The Disaster Recovery Plan is a subset focused specifically on restoring IT and technology infrastructure. Under ISO 27001, the DRP supports A.5.30, while the broader continuity plan supports A.5.29 and ties the technical recovery to business priorities.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
Copy Link

Blog Highlights

Explore More Articles

Read More Blogs
ISO 27001 Business Continuity Plan

ISO 27001 Business Continuity Requirements Guide

Two controls decide whether your ISO 27001 business continuity plan survives an audit: Annex A 5.29 and Annex A 5.30. One keeps your security controls working while everything else is failing. The other gets your systems back online before the damage becomes permanent. Plenty of teams write a continuity policy that satisfies neither in the way a certification auditor expects, and they discover the gap during the Stage 2 audit, when it is expensive to fix. This article covers what ISO 27001:2022 actually requires for business continuity, the components an auditor will ask to see, the step-by-step build, and the mistakes that turn a continuity plan into a non-conformity. What Is an ISO 27001 Business Continuity Plan? An ISO 27001 business continuity plan is the documented set of procedures that keeps information security effective and critical ICT services available during a disruption. It is not a generic “keep the lights on” binder. Under ISO 27001, the plan protects the confidentiality, integrity, and availability of information when normal operations break down: a ransomware event, a cloud outage, a data center failure, or a supplier collapse. The plan lives inside your Information Security Management System (ISMS). It draws on your risk assessment, your asset register, and your Business Impact Analysis (BIA), and it feeds your disaster recovery procedures. Scope is the part people get wrong. ISO 27001 cares about the information security aspects of continuity, not every operational hiccup a full business continuity program might cover.   Why You Need a Business Continuity Plan for ISO 27001 Compliance Downtime is expensive, and the bill arrives fast. For most organizations, the question is not whether a disruption will happen, but how quickly they recover when it does. There is also a hard compliance reason. You cannot certify to ISO 27001 while ignoring continuity. The standard requires you to maintain information security during disruption and to keep ICT able to support recovery, and an auditor will ask for the evidence. A continuity plan is where availability stops being a promise and becomes a tested capability. Let Axipro help you build a business continuity plan that’s practical, compliant, and audit-ready. Strengthen Your Business Continuity Strategy Schedule A Consultation ISO 27001 Requirements Related to Business Continuity Planning ISO/IEC 27001:2022 carries 93 Annex A controls across four categories: organizational, people, physical, and technological. Continuity sits in the organizational set, and two controls do the heavy lifting, supported by two more on the technical side. Annex A 5.29 – Information Security During Disruption A.5.29 requires you to maintain information security at an appropriate level when a disruption hits. The point is that security controls have a habit of degrading under pressure. People disable multi-factor authentication to “speed things up,” logging stops on a failover system, or access controls loosen while everyone scrambles. A.5.29 says the confidentiality and integrity of your information must be maintained even while availability is under threat. It is classed as both a preventive and a corrective control, meaning it should reduce the chance of an incident and also help resolve one already underway. Annex A 5.30 – ICT Readiness for Business Continuity A.5.30 is the technical engine. It requires that your ICT readiness is planned, implemented, maintained, and tested against business continuity objectives and ICT continuity requirements. In plain terms, your servers, networks, applications, and cloud services need a defined recovery path, each with a Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and you need to prove the path works. This control is entirely new in the 2022 revision. It has no precedent in ISO 27001:2013, which is exactly why teams migrating from the older version so often have a gap here. Important: A.5.30 did not exist in ISO 27001:2013. If your continuity documentation was written against the old Annex A 17 cluster and never updated, you are missing a control the auditor will specifically test. Treat ICT readiness as a fresh requirement, not a relabel. Two technological controls back these up. Annex A 8.13 (Information Backup) requires backups to be taken and tested in line with an agreed policy, and Annex A 8.14 (Redundancy of Information Processing Facilities) covers the failover and redundancy that let critical systems keep running when a component dies. Relationship Between ISO 27001 and ISO 22301 This is where confusion is common. ISO 27001 requires the information security aspects of continuity. ISO 22301 is the dedicated standard for a full Business Continuity Management System (BCMS), covering people, facilities, supply chain, and operations far beyond information security. An ISO 27001 certificate does not certify your wider continuity program. The good news: both standards share the Annex SL high-level structure, so risk assessment, internal audit, management review, and document control carry across. Teams that already run ISO 27001 can layer ISO 22301 on top with far less effort than starting from scratch. Key Components of an ISO 27001 Business Continuity Plan Business Impact Analysis (BIA) The BIA is the foundation. It identifies your critical business processes, the ICT systems they depend on, and the cost of losing each one over time. It is where your recovery objectives come from, not from a vendor datasheet. A BIA also sets the Maximum Tolerable Period of Disruption (MTPD): the point beyond which an activity’s failure causes unacceptable damage. Risk and Disruption Scenario Assessment Your risk assessment identifies what could cause a disruption and how likely it is, feeding the Risk Treatment Plan and the Statement of Applicability (SoA) that records which controls apply. Continuity planning then runs concrete scenarios: ransomware, a regional outage, a key supplier failure, the loss of a data center. Response and Recovery Strategies For each critical system, you define how you will respond and recover: failover to a secondary site, restore from backup, or switch to a manual workaround. This links incident response to crisis management, the executive-level decision-making that kicks in when an incident escalates beyond a routine fix. Roles and Responsibilities Name real people, not departments. “IT will handle it” is the single most common

Read more

Prompt Injection: AI’s Biggest Security Risk

When researchers found that Microsoft 365 Copilot could be tricked into leaking corporate data from a single email, the flaw got a clean public identifier: CVE-2025-32711, severity 9.3. When a bug hunter coaxed ChatGPT into producing valid Windows product keys by framing the request as a guessing game, it got nothing.  Both were prompt injections. Only one is trackable. That Vulnerability Tracking Gap in AI Security, and what it costs defenders, is the subject of this article. What Is a CVE and Why Does It Matter for Software Security? A CVE (Common Vulnerabilities and Exposures) is a unique public identifier for a specific software flaw. It gives the whole industry one name for one bug, so a researcher in Berlin and an analyst in Bahrain know they mean the same thing. The Role of MITRE’s CVE Program in Traditional Vulnerability Management The CVE program is run by the MITRE Corporation, a US nonprofit. Since 1999 it has assigned hundreds of thousands of IDs, each tied to a discrete, reproducible defect in a defined product and version. A CVE is the connective tissue of coordinated disclosure: a researcher reports the flaw, the vendor patches it, the ID is published, and defenders map it to their own assets. Without that shared label, the same bug ends up with three names and no clear owner. The National Vulnerability Database (NVD) and CVSS Scoring The National Vulnerability Database, maintained by NIST, enriches each CVE with a CVSS (Common Vulnerability Scoring System) score from 0 to 10. That lets teams triage: a 9.3 jumps the queue, a 4.0 waits. Why Prompt Injection Breaks the Traditional CVE Model The CVE model assumes a bug lives in code, sits in a version, and can be fixed. Prompt injection violates all three. Prompt Injection as a Class of Attack, Not a Discrete Bug Prompt injection smuggles instructions into the data an LLM reads, so the model follows the attacker rather than the user. OWASP ranks it as LLM01, the top entry in its 2025 Top 10 for LLM Applications. It is a property of how language models work, not one line of faulty code, so you cannot file a CVE against it. A SQL injection either works or it does not. A prompt injection might succeed nine times in ten, fail on the eleventh, then stop working after a silent model update, which makes the “reproducible” part of reporting genuinely hard. Model Versioning vs. Software Versioning Software has clean version numbers. A weight update to a hosted model can ship silently, with no version a researcher can cite. Two calls to “gpt-4o” a week apart may not behave the same way, and there is no changelog to point at. Why “Patching” an LLM Differs From Patching Code Patching code closes a specific hole. A developer rewrites the faulty line, ships the diff, and the exploit path is gone for good. That clean, binary, auditable loop is the entire premise on which the CVE system rests. “Patching” a model offers none of it. There is no single line to fix, because the behavior the attacker abused is the same behavior that makes the model useful: it reads text and follows instructions. A vendor’s only levers, retraining, hardening the system prompt, or wrapping the model in input and output guardrails, all lower the odds of a successful attack rather than removing the possibility. The fix reduces the success rate from 80 percent to 5 percent and marks it as remediated. The hole is narrower, not closed. The recent record shows how thin that margin is. EchoLeak got past Microsoft’s dedicated cross-prompt-injection classifier by hiding its exfiltration channel in reference-style Markdown that the filter did not recognize, and the AgentFlayer exploit slipped through OpenAI’s URL safety check by routing stolen data through trusted Azure Blob Storage links. Each guardrail worked against the obvious version of the attack and fell to a rephrasing. There is a tuning tax on top of that: crank the filters too tight and the model starts refusing legitimate work, so vendors settle for a balance point rather than elimination.  The practical takeaway is to treat “we’ve addressed this” as risk reduction, not closure. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule A Free ASSESSMENT The Current State of AI Vulnerability Tracking Several frameworks exist. None is a true registry of individual, citable prompt injection vulnerabilities. OWASP LLM Top 10 and the LLM01 Classification The OWASP GenAI Security Project’s LLM01:2025 entry is the most cited reference point. It is a category, not a catalog: it does not enumerate specific incidents with IDs. MITRE ATLAS for Adversarial AI Threats MITRE ATLAS is an ATT&CK-style knowledge base of adversarial tactics against AI systems, documenting 16 tactics and more than 80 techniques with real-world case studies as of late 2025. It maps how attacks work, but is not a per-vulnerability ledger with scores. AVID (AI Vulnerability Database) and Its Limitations AVID, run by a nonprofit, is the closest thing to a dedicated AI vulnerability database, cataloging failure modes with reproducible evidence. But it leans on community submissions, skews toward bias and broader failure modes, and notes that the definition of an “AI vulnerability” is itself still a working one. Vendor-Specific Disclosures vs. Industry-Wide Registries Disclosure happens vendor by vendor. OpenAI patched the Windows-key jailbreak server-side; Microsoft fixed EchoLeak and issued a CVE. There is no common venue where these land side by side.   The Consequences of No Shared Threat Registry for Prompt Injection Fragmented Disclosure Across AI Vendors Each lab discloses on its own terms, on its own blog, if at all. A defender protecting a multi-model stack has to monitor a dozen channels and hope nothing slips by. Duplicate Discovery and Wasted Research Effort Researchers rediscover the same attack repeatedly. The guessing-game jailbreak, the “dead grandma” trick, and other framing attacks are variations on one theme nobody numbered. No Standardized Severity Scoring for

Read more

CMMC Requirements for Small Businesses in November 2026

On November 10, 2026, third-party certification becomes mandatory for most small defense contractors that handle Controlled Unclassified Information. That date, the start of Phase 2 of the CMMC rollout, is the one to circle in red.  The framework itself has been binding since the 32 CFR program rule took effect on December 16, 2024, and certification clauses began appearing in new contracts on November 10, 2025. Roughly 73 percent of the Defense Industrial Base (DIB) is made up of small businesses, and a 20-person machine shop now faces the same control set as a prime with a dedicated security team. This guide breaks down what the CMMC requirements for small business actually demand: the levels, the controls, the documentation, the real cost, and the route to certification. What Is CMMC and Who Needs to Comply? The Cybersecurity Maturity Model Certification is the Department of Defense’s program for verifying that contractors protect sensitive federal information on their own systems. For years, contractors simply self-attested compliance with NIST Special Publication 800-171. CMMC ends the honor system. It keeps self-assessment for lower-risk work and adds independent audits for everything else. Two regulations run the program. 32 CFR Part 170 defines the structure, the three levels, and the assessment rules. 48 CFR amends the Defense Federal Acquisition Regulation Supplement and embeds CMMC into contracts through clause DFARS 252.204-7021. The first sets the standard, the second makes it a condition of the award. Compliance is not optional based on company size. If you process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the performance of a DoD contract or subcontract, CMMC applies. The requirement flows down from prime contractors to subcontractors and suppliers at every tier. The main carve-out is for companies that supply only commercially available off-the-shelf (COTS) products. The distinction between the two data types drives everything. FCI is information not meant for public release that is provided by or generated for the government under a contract. CUI is more sensitive: technical drawings, specifications, and procurement data the government requires you to safeguard. Which one you handle sets your level. The fastest way to check is your contract itself. Clauses such as DFARS 252.204-7012, 7019, and 7020 are strong signals that CUI is in scope. CMMC Levels Explained for Small Businesses CMMC has three levels. Most small contractors land at Level 1 or Level 2. Level 3 is reserved for a tiny fraction of the supply chain handling the most sensitive programs. Level 1 covers basic safeguarding of FCI. It maps to the 15 requirements in FAR 52.204-21, things most businesses already do, like using passwords and limiting who can access systems. Self-assessment is permitted and the cost is modest. Level 2 is where the majority of CUI-handling contractors sit. It requires all 110 security requirements in NIST SP 800-171 Revision 2, organized across 14 control families. Some non-prioritized contracts allow an annual self-assessment, but DoD estimates that around 95 percent of Level 2 contractors handle CUI critical enough to require a C3PAO assessment. Level 3 adds 24 selected enhanced requirements from NIST SP 800-172 on top of the full 110, for high-value programs targeted by advanced persistent threats. Assessments are conducted by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a contractor must already hold Level 2 certification before a Level 3 assessment can begin. Fewer than 1 percent of contractors will need it. To determine your level, read the solicitation and ask your prime directly. If any data you touch is CUI, plan for Level 2 and assume a third-party assessment until a contract tells you otherwise. Prepare Your Business for CMMC Compliance Get ready for the November 2026 CMMC deadline with expert guidance. Talk to a CMMC Expert Core CMMC Requirements Small Businesses Must Meet Level 2 requirements break into 14 control families covering 110 individual requirements and 320 assessment objectives. Access Control and System and Communications Protection are the two heaviest domains. In practice, these families fall into two buckets. The technical controls govern how your systems behave: limiting access to authorized users, requiring multi-factor authentication, logging system activity, hardening configurations, encrypting data, and detecting and responding to incidents. The administrative controls govern how your organization behaves: training staff, screening personnel, controlling physical spaces, assessing risk, and documenting everything. A small business cannot skip a family because it is inconvenient. There is no partial credit and no small-business exemption from the 110. Documentation Requirements for Small Business Compliance Assessors evaluate evidence, not intentions. Two documents anchor the entire effort. The System Security Plan (SSP) describes your environment, your CUI boundary, and how you implement each of the 110 controls. It is a living document and the first thing any assessor reads. The Plan of Action and Milestones (POA&M) records gaps, owners, and timelines for fixing them. CMMC scores Level 2 on a 110-point scale weighted by control importance. A score of at least 88 (80 percent) can earn conditional status, but only if certain high-value controls are fully met. Conditional status gives you 180 days to close every remaining item on your POA&M and pass a closeout assessment. Some critical controls cannot be deferred to a POA&M at all. Beyond the SSP and POA&M, you need written policies and procedures for each domain, plus concrete evidence that controls operate as documented: configuration screenshots, training logs, access reviews, and audit records. Pro Tip: Build your SSP Build your SSP before you spend a dollar on tools. Mapping your current state against all 110 requirements first tells you exactly where the gaps are, so you remediate the right things in the right order instead of buying software you may not need. Technical Requirements and Controls A handful of technical controls account for most assessment failures, and they deserve direct attention. The most effective cost and risk lever is scoping: isolating CUI into a dedicated enclave, a defined set of systems and networks, so the 110 controls apply only there rather than across your

Read more