Aligning security standards and compliance strategies with frequently changing cybersecurity laws and regulations is challenging for most organizations, especially when achieving compliance with the many existing requirements is already a time-consuming, resource-heavy process. 

The Adobe Tech GRC Team developed the Common Controls Framework (CCF) to support organizations’ ongoing compliance efforts. The Adobe CCF consolidates popular industry-accepted best practices, standards, regulations, and security certifications into a single compliance framework, providing better visibility of overall security compliance. 

Besides the CCF, Adobe is well known for products such as Adobe Illustrator, Adobe Photoshop, and Adobe Express.

This article explains the Adobe CCF’s structure and how to implement it in your organization. 

What is the Adobe Common Controls Framework?

The Adobe Common Controls Framework (CCF) is a foundational framework of security processes and controls. Adobe first developed the CCF to help protect its infrastructure, applications, and services and to maintain compliance with industry standards and requirements. 

The CCF was originally used by Adobe’s product operations and engineering teams. Adobe has now made the framework open source to help risk management teams from any organization.

The Adobe CCF consolidates more than 1,350 requirements from 13 recognized standards relevant to Adobe's business into 288 Control Requirements (CRs), spanning 21 Control Domains. 

Which Industry Standards Map to Adobe CCF?

Adobe CCF maps its controls to more than a dozen industry standards and regulations, including:

  1. ISO 27001
  2. ISO 22301
  3. PCI DSS
  4. NIST CSF
  5. GLBA
  6. FERPA
  7. HIPAA Security Rule
  8. GDPR
  9. Privacy Shield
  10. SOX
  11. HITRUST
  12. SOC 2 (AICPA TSC A, C, and CC)
  13. FedRAMP Tailored
  14. BSI C5
  15. Information Security Registered Assessors Program (IRAP)
  16. Spain Esquema Nacional de Seguridad (Spanish ENS)

What are the Adobe CCF’s Control Requirements and Domains?

The 288 CCF controls are split across 21 domains:

  1. Asset Management - 11 Controls
  2. Business Continuity - 5 Controls
  3. Backup Management - 5 Controls
  4. Configuration Management - 15 Controls
  5. Change Management - 6 Controls
  6. Data Management - 32 Controls
  7. Entity Management - 49 Controls
  8. Identity and Access Management - 49 Controls
  9. Incident Response - 9 Controls
  10. Mobile Device Management - 4 Controls
  11. Network Operations - 19 Controls
  12. People Resources - 6 Controls
  13. Risk Management - 8 Controls
  14. System Design Documentation - 3 Controls
  15. Security Governance - 23 Controls
  16. Service Lifecycle - 7 Controls
  17. Systems Monitoring - 30 Controls
  18. Site Operations - 16 Controls
  19. Training and Awareness - 6 Controls
  20. Third-Party Management - 13 Controls
  21. Vulnerability Management - 21 Controls

The Adobe Common Controls Framework is available at adobe.com, along with a whitepaper about how Adobe secures its digital experiences using the CCF. 


Benefits of Adobe CCF Controls Mapping

Risk and compliance teams can benefit from control mapping in their enterprise risk management (ERM) initiatives. 

Cybersecurity risk is just one of several risk categories in an ERM program, and it has many subsets of its own, such as data security, network security, and cloud security, each with its own controls and remediation processes. Organizations must implement, maintain, and review all of these controls on top of the other risk types in their ERM framework.

Control mapping allows organizations to quickly identify the high-level needs of their cybersecurity programs, providing ERM committees with a baseline of standards for aligning risk management with broader business objectives.

How To Implement the Adobe Common Control Framework 

1. Understand Your Compliance Requirements

Every industry has different legal and regulatory requirements. For example, healthcare organizations and financial institutions face much stricter cybersecurity standards than most industries. 

Organizations must first identify all their compliance requirements to prevent double-handling during the control mapping process. From here, you can customize the Adobe CCF to add or remove your specific compliance requirements.

2. Create a Single Source of Truth for Risk and Control Data

Most organizations are subject to several cyber laws and regulations at once. Centralizing risk and control data is crucial to ensuring the mapping process is accurate and efficient; an automated GRC platform is the most practical way to aggregate that data into a single source of truth. 

How UpGuard Can Help

UpGuard’s Risk Profile dashboard provides a high-level summary of your organization’s security posture and cyber risks from six different categories to provide key insights at a glance. Learn more.

3. Map Evidence to Existing Frameworks

Your organization likely already has an industry framework in place, such as NIST CSF or SOC 2. You can reuse the evidence already collected for those frameworks by mapping it to the corresponding Adobe CCF controls and identifying which controls are already satisfied. 

You must also ensure your vendors comply with the relevant laws or regulations, or their non-compliance becomes your non-compliance. With most organizations relying on hundreds or thousands of service providers, manual security questionnaires and control mapping are usually complicated and time-consuming. 

How UpGuard Can Help

UpGuard offers a library of pre-built security questionnaires for recognized security frameworks, including ISO 27001 and NIST CSF. UpGuard's Compliance Reporting feature can map your vendors’ compliance against these standards. Learn more.

4. Identify Compliance Gaps

After mapping your organization's internal and third-party compliance against your existing frameworks, you can identify the areas of non-compliance. Prioritize these risks using the risk treatment process outlined in your ERM program. Third-party risks are harder to visualize across an entire vendor inventory but are equally important to address.

How UpGuard Can Help

UpGuard’s Vendor Risk Matrix visualizes your vendors’ risk level against their business impact, allowing you to identify and remediate risks of the most concern. Learn more.

5. Maintain Compliance with Security Requirements

Effective compliance management ensures your organization's workflows, information security policy, and IT initiatives stay aligned with all compliance requirements. Organizations must continuously monitor their attack surface for new security risks, or they risk falling out of compliance. 

Ensure your ERM program mandates regular internal and third-party compliance audits and remediate any identified risks immediately to remain compliant.
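The mapping-and-gap procedure in steps 3 and 4 above can be expressed as a small program: given a crosswalk from common controls to framework requirements and an evidence register, it reports per-framework coverage, treats evidence that has aged out of the assessment window as missing (the continuous-monitoring concern of step 5), and ranks unevidenced controls by how many open requirements each would close. This is an added example, not Adobe's CCF mapping or UpGuard's code; the control IDs (IAM-01, VM-01, and so on), requirement references, and evidence records are constructed placeholders, not the real Adobe CCF identifiers.

```python
"""Control mapping and gap analysis over a constructed CCF-style crosswalk.

Added example, not Adobe's or UpGuard's code. Control IDs, requirement
references and evidence records below are constructed placeholders.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed crosswalk: common control -> framework -> requirement references.
# The shape mirrors what a CCF-style mapping provides: one control is
# evidenced once and satisfies requirements in several frameworks.
CROSSWALK = {
    "IAM-01": {"ISO 27001": ["A.5.15"], "SOC 2": ["CC6.1"], "NIST CSF": ["PR.AC-1"]},
    "IAM-02": {"ISO 27001": ["A.5.17"], "SOC 2": ["CC6.1", "CC6.3"]},
    "VM-01":  {"ISO 27001": ["A.8.8"],  "SOC 2": ["CC7.1"], "NIST CSF": ["ID.RA-1"]},
    "VM-02":  {"SOC 2": ["CC7.1"], "NIST CSF": ["RS.MI-3"]},
    "BM-01":  {"ISO 27001": ["A.8.13"], "SOC 2": ["A1.2"]},
}

# Constructed evidence register: control -> artifacts with collection dates.
EVIDENCE = {
    "IAM-01": [{"artifact": "access-policy-v3.pdf", "collected": date(2024, 3, 1)}],
    "IAM-02": [],                                   # defined, nothing collected yet
    "VM-01":  [{"artifact": "scan-export-2024Q1.csv", "collected": date(2024, 3, 15)}],
    "BM-01":  [{"artifact": "restore-test.log",      "collected": date(2023, 6, 30)}],
    # VM-02 has no entry at all
}

# Assessment date used by the stand-alone run (constructed).
AS_OF = date(2024, 4, 1)


def evidenced_controls(evidence, as_of, max_age_days):
    """Controls with at least one artifact no older than max_age_days as of `as_of`.

    Stale evidence is treated as missing: an assessor will not accept a restore
    test from a previous audit period as proof the control operates today.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    return {
        control
        for control, artifacts in evidence.items()
        if any(a["collected"] >= cutoff for a in artifacts)
    }


def requirements_by_framework(crosswalk):
    """All requirement references the crosswalk knows about, grouped by framework."""
    reqs = defaultdict(set)
    for mapping in crosswalk.values():
        for framework, refs in mapping.items():
            reqs[framework].update(refs)
    return reqs


def coverage(crosswalk, evidenced):
    """Per framework: requirements covered by an evidenced control, and the gaps.

    A requirement counts as covered when at least one mapped control has current
    evidence. That is the reuse benefit of a crosswalk; whether one control is
    sufficient for a given requirement remains the assessor's call.
    """
    covered = defaultdict(set)
    for control, mapping in crosswalk.items():
        if control in evidenced:
            for framework, refs in mapping.items():
                covered[framework].update(refs)
    all_reqs = requirements_by_framework(crosswalk)
    return {
        fw: {"covered": covered[fw], "gaps": all_reqs[fw] - covered[fw]}
        for fw in sorted(all_reqs)
    }


def remediation_order(crosswalk, evidenced):
    """Unevidenced controls ranked by how many open requirements each would close.

    Closing the highest-ranked controls first shrinks the gap list fastest,
    because one artifact retires findings in several frameworks at once.
    """
    open_reqs = {
        (fw, ref)
        for fw, result in coverage(crosswalk, evidenced).items()
        for ref in result["gaps"]
    }
    ranked = []
    for control, mapping in crosswalk.items():
        if control in evidenced:
            continue
        closes = {(fw, ref) for fw, refs in mapping.items() for ref in refs} & open_reqs
        ranked.append((control, len(closes)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    current = evidenced_controls(EVIDENCE, AS_OF, max_age_days=180)
    for fw, result in coverage(CROSSWALK, current).items():
        print(f"{fw}: {len(result['covered'])} covered, gaps={sorted(result['gaps'])}")
    print("remediate first:", remediation_order(CROSSWALK, current))
```

With a 180-day evidence window, the 2023 restore test for BM-01 no longer counts, so the backup requirements in ISO 27001 and SOC 2 show up as gaps even though the control is "implemented"; widen the window to 365 days and BM-01 is evidenced again. That sensitivity is exactly why the evidence window should be an explicit, agreed parameter of the mapping rather than an assumption buried in a spreadsheet.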

How UpGuard Can Help

UpGuard continuously monitors the entire attack surface, including third parties, allowing you to detect and remediate vulnerabilities immediately. Learn more.
