Introducing the Adobe Common Controls Framework (CCF) version 2.0

ComplianceMajor InitiativesOpen Source

The Common Control Framework (CCF) by Adobe represents the foundation of our company-wide compliance strategy.  The CCF is a comprehensive set of simple control requirements, aggregated, correlated and rationalized from the vast array of industry information security and privacy standards.  Adoption of the CCF has enabled Adobe’s cloud products, services, platforms and operations to achieve compliance with a host of security certifications, standards and regulations for example; SOC 2, ISO, PCI, FedRAMP and others.

As part of our ongoing efforts in knowledge sharing with the broader security community a generic version of the CCF was open-sourced in 2017. The 2017 release contained a baseline set of control activities meant to assist organizations in meeting the requirements of ISO/IEC 27001, AICPA SOC Common Criteria, AICPA SOC Availability, and the security requirements of GLBA and FERPA.

The Technology Governance, Risk and Compliance (Tech GRC) group at Adobe continually works on updating and improving the CCF, and are happy to announce the release of the CCF v2.0 through the Creative Commons licensing. The CCF v2.0 is open-sourced and includes the additional mapping of the control activities to FedRAMP Tailored and PCI DSS V3.2.1 requirements. These activities were determined by common industry requirements. They have been adopted by Adobe product operations and engineering teams to achieve compliance with the standards set forth by these regulatory bodies. The CCF is an illustrative example of common security controls that can be tailored to your organization’s specific security objectives.

Adobe is enthusiastic about sharing the updated CCF with the broader security and compliance community.  Potential users should note that the CCF is more than simply a unified compliance framework.  The aim is to help the industry to realize significant additional value by adopting more collaborative implementation strategies within their organization. Integrating the CCF into their compliance workflows will help enable more scalable security strategies, resulting in higher levels of compliance in engineering and operations processes that ensure continuing success.

We invite you to take the opportunity to download the CCF today and see how you can best utilize in your organization. We welcome feedback and questions about the framework. You can contact us directly at

Prasant Vadlamudi
Director, Technology Governance, Risk and Compliance (Tech GRC)

Compliance, Major Initiatives, Open Source

Posted on 10-18-2018