The Common Control Framework (CCF) by Adobe is the cornerstone of our company-wide compliance strategy. It is a comprehensive set of simple control requirements, rationalized from the alphabet soup of several different industry information security and privacy standards. The CCF has enabled Adobe’s cloud products, services, platforms and operations to achieve compliance with various security certifications, standards, and regulations (SOC2, ISO, PCI, HIPAA, FedRAMP, etc.).
This multi-year effort to implement the CCF across all business units was led by our Risk, Advisory and Assurance Services (RAAS) group. As part of our ongoing efforts in knowledge sharing with the broader security community, we are releasing a generic version of CCF through a Creative Commons license to help drive ongoing innovation around compliance in the security industry.
Open source CCF contains a baseline set of control activities. These control activities are meant to assist organizations in meeting the requirements of ISO/IEC 27001, AICPA SOC Common Criteria, AICPA SOC Availability, and the security requirements of GLBA and FERPA. These common activities were identified and developed based on industry requirements. They have been adopted by Adobe product operations and engineering teams to achieve compliance with these standards. This information is only to be used as an illustrative example of common security controls that could be tailored to your organization’s security objectives.
We are excited to share the CCF with the security and compliance community. However, potential users should note that it is more than just a unified compliance framework. Our goal with CCF is to help the industry realize more significant value by adopting a more collaborative implementation strategy within their business. This will help enable more scalable security, compliance, and operations processes to ensure ongoing success.
We hope you will take the opportunity to download CCF today and begin using it in your organization. We welcome feedback and questions about the framework. You can contact the Open Source CCF team directly at firstname.lastname@example.org.
Sr. Director, Risk Advisory and Assurance Services (RAAS)