The Adobe Common Controls Framework (CCF)
We believe that a sound compliance and risk management strategy is as important to the success of an organization as the company’s product strategy. Adobe demonstrates our commitment to security by implementing a range of important industry standards and complying with government regulations concerning the security and privacy of data. As new security standards and regulatory requirements are developed and adopted by the industry, Adobe reviews them and adopts those with relevance to our customers.
To support our ongoing compliance efforts, Adobe implemented an open-source framework of security processes and controls called the Common Controls Framework (CCF). CCF helps protect Adobe infrastructure, applications and services, as well as helps us comply with a number of industry-accepted best practices, standards, regulations and certifications. In creating the CCF, Adobe analyzed the criteria for the most common security certifications for cloud-based businesses and rationalized the more than 4,300 requirements down to Adobe-specific controls that map to 21 industry standards.
This funnel diagram shows the security standards and control requirements Adobe has rationalized to create common controls across various control domains.
The left side of the diagram is titled 20+ Standards, approximately 4300 Control Requirements (CRs). Under the title is the following list of standards, each followed by a number representing its control requirements:
• AICPA Trust Service Principles Service Organization Controls (SOC) – 40
• Cloud Computing Compliance Criteria Catalogue (BSI C5) – 120
• Cyber Essentials, UK – 24
• Critical Security Controls (CIS V8) – 150
• FedRAMP Tailored & Moderate – 320
• Financial Security Institute CSP Evaluation, Korea – 56
• Health Insurance Portability and Accountability Act (HIPAA) – 70
• InfoSec Registered Assessors Program, Australia (IRAP) – 880
• Information System Security Management and Assessment Program, Japan (ISMAP) – 1160
• ISO 27001:2022 & 27002:2022 – 110
• ISO 27017:2015 – 7
• ISO 27018:2019 – 26
• ISO 22301:2019 – 200
• Monetary Authority of Singapore (MAS) – 230
• Multi-Layer Protection Scheme, China (MLPS) – 300
• NIST Cybersecurity – 100
• Payment Card Industry Data Security Standard (PCI DSS v4) – 290
• Spain Esquema Nacional de Seguridad (ENS) – 100
• TXRAMP L1 – 120
The centre of the diagram shows a funnel labelled CCF Rationalization. The standards and controls listed on the left side of the graphic are represented by a few yellow dots moving into the funnel. A few green dots emerge from the funnel on the right side of the graphic; these represent the resulting common controls.
The right side of the diagram is titled Approximately 315 common controls across 25 control domains. Under the title is the following list of control domains, each with a number representing common controls:
• Asset Management – 11 Controls
• Backup Management – 5 Controls
• Business Continuity – 6 Controls
• Change Management – 4 Controls
• Configuration Management – 15 Controls
• Cryptography – 15 Controls
• Customer Managed Security – 4 Controls
• Data Management – 21 Controls
• Entity Management – 11 Controls
• Identity and Access Management – 39 Controls
• Incident Response – 8 Controls
• Mobile Device Management – 4 Controls
• Network Operations – 18 Controls
• People Resources – 10 Controls
• Privacy – 10 Controls
• Proactive Security – 4 Controls
• Risk Management – 8 Controls
• Security Governance – 17 Controls
• Service Lifecycle – 7 Controls
• Site Operations – 16 Controls
• System Design Documentation – 2 Controls
• Systems Monitoring – 32 Controls
• Third Party Management – 13 Controls
• Training and Awareness – 9 Controls
• Vulnerability Management – 23 Controls
Our Ongoing Efforts
Compliance is a continuous process that includes periodic internal audits, external assessments and continuous controls monitoring. Adobe undergoes regular third-party audits and periodic reviews to ensure we consistently meet our commitments. Adobe has also invested in developing an enterprise-wide governance, risk, and compliance (GRC) automation platform to help maintain an effective governance model for the compliance program.
Open-source and Ready to Use
The Common Controls Framework (CCF) has been open sourced (now at version 5.0) to help the broader security and risk management community achieve their own compliance goals. We regularly update the framework as regulations evolve or new industry standards are integrated into our compliance regime. We invite you to use this framework to help accelerate and standardize your own ongoing compliance efforts. Download CCF today; we always welcome feedback on its development.