This table shows the 25 compliance areas where CMMC 2.0 and ISO 27001 controls overlap. When you mark a control as implemented in either framework, Venvera automatically propagates the status to the equivalent control in the other.

| Compliance Area | CMMC 2.0 | ISO 27001 |
|---|---|---|
| Access Control Policy | AC.L2-3.1.1, AC.L2-3.1.2 | A.5.15, A.8.3 |
| Least Privilege | AC.L2-3.1.5, AC.L2-3.1.6 | A.8.2 |
| Remote Access | AC.L2-3.1.12, AC.L2-3.1.14 | A.8.20, A.6.7 |
| Wireless Access | AC.L2-3.1.16, AC.L2-3.1.17 | A.8.20, A.8.21 |
| Session Controls | AC.L2-3.1.10, AC.L2-3.1.11 | A.8.5 |
| Authentication & MFA | IA.L2-3.5.3, IA.L2-3.5.4 | A.5.17, A.8.5 |
| Identifier Management | IA.L2-3.5.1, IA.L2-3.5.2 | A.5.16 |
| Security Awareness & Training | AT.L2-3.2.1, AT.L2-3.2.2 | A.6.3 |
| Insider Threat Awareness | AT.L2-3.2.3 | A.6.3, A.6.6 |
| Audit Logging | AU.L2-3.3.1, AU.L2-3.3.2 | A.8.15 |
| Audit Review & Reporting | AU.L2-3.3.5, AU.L2-3.3.6 | A.8.15, A.8.16 |
| Configuration Management | CM.L2-3.4.1, CM.L2-3.4.2 | A.8.9 |
| Change Control | CM.L2-3.4.3, CM.L2-3.4.4 | A.8.32 |
| Incident Response | IR.L2-3.6.1, IR.L2-3.6.2 | A.5.24, A.5.25, A.5.26 |
| Incident Reporting | IR.L2-3.6.3 | A.5.24, A.5.27 |
| Maintenance Controls | MA.L2-3.7.1, MA.L2-3.7.2 | A.7.13, A.8.9 |
| Media Protection | MP.L2-3.8.1, MP.L2-3.8.2 | A.7.10, A.8.10 |
| Media Sanitization | MP.L2-3.8.3 | A.7.10, A.8.10 |
| Physical Protection | PE.L2-3.10.1, PE.L2-3.10.2 | A.7.1, A.7.2 |
| Personnel Security | PS.L2-3.9.1, PS.L2-3.9.2 | A.6.1, A.6.5 |
| Risk Assessment | RA.L2-3.11.1, RA.L2-3.11.2 | A.5.7 |
| Vulnerability Management | RA.L2-3.11.2, RA.L2-3.11.3 | A.8.8 |
| Security Assessment | CA.L2-3.12.1, CA.L2-3.12.3 | A.5.35 |
| Boundary Protection | SC.L2-3.13.1, SC.L2-3.13.5 | A.8.20, A.8.22 |
| Encryption | SC.L2-3.13.8, SC.L2-3.13.11 | A.8.24 |

For details on how propagation works, thresholds, and the auto-mapped badge, see the Cross-Framework Control Propagation overview article.