The Adobe Common Controls Framework (CCF) Version 5.0 is Now Available | Adds Controls from PCI DSS v4.0, BSI C5, and More | by Renae Kang | Feb, 2024

By Rahat Sethi, Director of Technology Governance, Risk & Compliance

To address the evolving landscape of regulatory and security framework requirements, Adobe is excited to announce the latest version of our open-source Common Controls Framework (CCF). This new version was crafted with a focus on customer needs and assessor expectations by considering some of the industry-trending and security-focused best practices and frameworks.

What’s New in Adobe Common Control Framework Version 5.0?

Adobe CCF version 5.0 prioritizes the critical cloud and hybrid security controls required by organizations to meet the industry standards of public sector, healthcare, and financial services firms around the world. The new version of CCF has been updated with controls pertaining to the following frameworks:

• Payment Card Industry DSS v4.0: Security standard designed to protect payment card data
• Cloud Computing Compliance Criteria Catalogue (C5): Security standard developed by the German Federal office of Information Security for cloud service providers
• ISO/IEC 27017: International standard offering guidelines for information security controls specific to cloud services
• ISO/IEC 27018: International standard offering guidelines for protection of personally identifiable information (PII) in cloud services
• FedRAMP Moderate: U.S. Government cybersecurity standard for cloud services, which ensures a moderate level of security controls
• Japan’s Information System Security Management Systems and Assessment Program (ISMAP): Japanese government security framework for assessing the security of cloud service providers to participate in public sector projects
• Korean FSI CSP Evaluation: Cloud service provider self-evaluation to meet Regulation on Supervision of Electronic Financial Transactions (RSEFT)
• CIS Critical Security Controls Version 8 (CIS V8): Prioritized set of safeguards that help mitigate the most prevalent cyber-attacks against systems and networks
• U.K.’s Cyber Essentials: Guide for leaders of small businesses as well as leaders of local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices
• Monetary Authority of Singapore (MAS): Regulatory standards set by the Monetary Authority of Singapore to ensure the integrity and security of financial operations within the jurisdiction

Additional Updates in CCF v5.0

We’ve also added the following new control attributes to CCF version 5.0:

• Control Implementation Guidance: Provides guidance for users to understand how to implement required controls. Customers can customize this guidance based on the tools and technologies used within the organization.
• Control Testing Procedures: Provides guidance for security and risk management professionals to understand how to test controls at both the design and implementation levels.
• Control Type: Categorizing controls by type, including Preventive, Detective, or Corrective, provides organizations a clear perspective of the control’s impact when the control evades a risk associated with the potential occurrence of an information security incident.
• Control Theme: Control themes categorized by People, Process, and Technology help identify and align processes for better implementation and testing around the controls.
• Audit Artifacts: Examples of what auditors generally request while testing are provided to help substantiate their conclusions and findings during an audit.
• Policies and Standards Mapping: Recommended policies and standards help drive control requirements, enabling the governance of the control and providing guidance related to the control ownership within the organization.

Download the Open Source CCF v5.0

Organizations of all sizes and sectors can tailor the CCF to their unique security compliance objectives. Integrating the CCF into your compliance workflow will help your company achieve a more scalable security compliance posture for ongoing success. We invite you to download the newly released CCF v5.0 for your organization today.

For more information about the Adobe CCF, please visit the Adobe Trust Center.

To share feedback, questions, or collaborative inquiries about the framework, contact us at opensourceccf@adobe.com.