Cisco Cloud Controls Framework

Accelerating SaaS product security certifications to maximize market access.

What is the Cloud Controls Framework?

The Cisco Cloud Controls Framework (CCF) is a comprehensive set of international and national security compliance and certification requirements, aggregated into a single framework. In addition to the control mapping, the CCF also contains guidance on implementation and audit artifacts.

The Cisco CCF will be updated as security compliance frameworks and regulations evolve. To benefit from this framework, please review, evaluate, and tailor it to reach your compliance goals.

Contact us to learn more and get answers to your questions.

View certified Cisco solutions

Cloud Controls Framework
Complete this form to download the file

* required fields

Email Address

Country / Region

Company

First Name

Last Name

Job Title

I want to speak to the Cisco Security & Trust Organization about CCF

Yes

No

Phone

Phone Extension

Please provide a brief description of what you would like to discuss.

I would like to receive email communications about products & offerings from Cisco & its Affiliates.

I understand I can unsubscribe at any time.

Cisco may use the information above to call me about the latest offers, promotions and news regarding Cisco products and services. You can unsubscribe at any time. See Cisco’s Online Privacy Statement to learn more.

Address 1

Overview

One sample domain showing an overview of the fields in the Cloud Controls Framework. Download the framework for a complete mapping.

Domain Title	Control Title	Control Reference	Control Wording	Control Type	Applicable Framework
Audit Compliance	Control Self-Assessments	CCF 1	Independent Control self-assessments are performed by independent auditors, at least annually, to gain reasonable assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings and tracked to resolution. Independent control self-assessments are reviewed by management and stored in a central repository and maintained.	Process	SOC 2 (A/C/S) 2017, SOC 2 Privacy, ISO 27001, ISO 27701 Processor & Controller, ISO 27017 Provider & Customer, ISO 22301 ISO 27018, BS1 C5, Fedramp Tailored, Spanish ENS Basic, Medium, & High, ISMAP, PCI, Saudi CCC, EU Code of Conduct, NIST 800-171, IRAP, EUCS Basic, Substantial, & High, NIST 800-218 SSDF, SecNumCloud, ISO 27001 (2022), TX RAMP Level 1 & 2, CSA Star Level 1 & 2, FedRAMP Moderate & High, NCSC, NIST 800-53 Low, Moderate, & High, SOC 2 (A/C/S) 2022, NIS Directive, CCCS Medium, PCI v4
Audit Compliance	Security Policy Audit	CCF 2	At least quarterly, organization reviews shall be performed with approved documented specification to confirm personnel are following security policies and operational procedures pertaining to: • log reviews • firewall rule-set reviews • applying configuration standards to new systems • responding to security alerts • change management processes	Process	PCI, EUCS Basic, Substantial, & High, NIST 800-218 SSDF, SecNumCloud, FedRAMP Moderate & High, NCSC, NIST 800-53 Low, Moderate, & High, CCCS Medium, PCI v4
Audit Compliance	Customer Audits	CCF 3	If applicable, corporate documented procedures regarding customer-requested audits shall be defined, documented and transparently communicated to the customer; and where applicable, the mandated auditor.	Process	EU Code of Conduct, EUCS Basic, Substantial, & High, FedRAMP Moderate & High, NCSC, NIST 800-53 Low, Moderate, & High, CCCS Medium
Audit Compliance	Audit Program	CCF 4	A three-year audit program is in place which defines the scope and frequency of audits in accordance with change management, policies, and risk assessment results.	Process	SecNumCloud
Audit Compliance	Review of Audit Plan	CCF 5	Privacy and protection of personally identifiable information is ensured as required in relevant legislation and regulation where applicable.	Process	ISMAP
Audit Compliance	KPI Audit	CCF 6	Key performance indicators (KPI's - OFI, Minor, Major, pass, low, or high) are included as part of independent control self assessment performed by independent auditors at least annualy.	Process	ISMAP

Sorry, no results matched your search criteria(s). Please try again.

Standards Mapped

Global frameworks mapped in the Cloud Controls Framework.

Country/Region	Framework Name	Description
Global Frameworks
Global	CSA STAR - New	The CSA STAR CCM is a cybersecurity framework for cloud vendors, offering best practices and controls.
Global	ISO IEC 27001:2013	ISO 27001 is an international standard for information security management systems to protect confidential data.
Global	ISO IEC 27001:2022 - New	ISO 27001 is an international standard for information security management systems to protect confidential data.
Global	ISO/IEC 27017:2015	ISO 27017 provides guidelines for cloud service information security controls, complementing the ISO 27001 standard.
Global	ISO/IEC 27018:2019	ISO 27018 establishes guidelines for protecting personal data in cloud environments, enhancing privacy and compliance.
Global	ISO/IEC 27701:2019	ISO 27701 extends ISO 27001 to privacy management, setting guidelines for personal information protection and compliance.
Global	ISO 22301:2019	ISO 22301 specifies requirements for a business continuity management system to plan, establish, and improve resilience.
Global	PCI-DSS v3.2.1	PCI DSS v3.2.1 provides security standards for cardholder data to reduce credit card fraud.
Global	PCI-DSS v4.0	PCI DSS v4.0 updates security requirements for payment environments, enhancing flexibility and supporting new technologies.
Global	SOC 2® 2017	SOC 2 is a framework for managing data with principles on security, availability, processing integrity, confidentiality, and privacy.
Global	SOC 2® 2017 (With Revised Points of Focus – 2022) - New	SOC 2 is a framework for managing data with principles on security, availability, processing integrity, confidentiality, and privacy.
Asia-Pacific Frameworks
Australia	IRAP (December 2021)	IRAP, the Information Security Registered Assessors Program, certifies individuals to assess Australian government security compliance.
Japan	ISMAP	ISMAP is Japan's Information System Security Management and Assessment Program for evaluating cloud service providers.
Saudi Arabia	CCC	Saudi CCC: The Saudi Cloud Cybersecurity Controls framework enhances cloud service security in Saudi Arabia.
Canadian Frameworks
Canada	CCCS - New	The Canadian Centre for Cyber Security (CCCS) provides national guidance on cybersecurity and cyber threat responses.
European Union (EU) Frameworks
European Union (EU)	CoC	The EU Code of Conduct for Cloud Providers aims to improve data security and processing efficiency.
European Union (EU)	ENISA NIS Directive - New	The NIS Directive is the EU's legislation for enhancing cybersecurity across critical infrastructure and essential services.
European Union (EU)	EUCS	The EU Cloud Services (EUCS) scheme enhances cloud service cybersecurity, aligning with EU cybersecurity certification framework.
European Union (EU)	NCSC - New	The UK's National Cyber Security Centre (NCSC) provides guidance and support to improve cybersecurity resilience.
European Union (EU)	SecNumCloud	SecNumCloud is France's security certification for cloud service providers, ensuring data protection and cybersecurity compliance.
Germany	C5	BSI C5: German Federal Office for Information Security's cloud computing compliance criteria for secure IT operations.
Spain	ENS	Spain's National Security Framework (ENS) sets standards for effective digital data protection in public administrations.
United States Frameworks
United States	FedRAMP LI-SAAS/Tailored	FedRAMP standardizes security assessment and authorization for cloud products and services used by U.S. government.
United States	NIST 800-171 - New	NIST 800-171 outlines requirements for protecting Controlled Unclassified Information in non-federal information systems and organizations.
United States	NIST 800-53 Rev. 4 - New	NIST 800-53 rev.4 provides comprehensive security and privacy controls for federal information systems and organizations.
United States	NIST 800-218 - New	NIST 800-218 (SSDF), offers guidance for secure software development practices to reduce vulnerabilities and improve security.
United States	TX-RAMP - New	TX-RAMP is Texas' cybersecurity framework, ensuring state agencies' cloud services meet defined security standards.

Sorry, no results matched your search criteria(s). Please try again.

Q&A

Why apply Cisco Cloud Controls Framework (CCF)?

This framework enables your organization to keep pace with the increasing complexity of market and customer demands. It provides a structured, “build-once-use-many” approach designed to help streamline and operationalize cloud compliance and certification. The CCF represents years of research from Cisco’s cloud compliance experts and can help your organizations better address the challenging compliance landscape and meet your market access goals.

What do I get with the CCF?

In addition to the control mapping to each of the standards referenced below, the CCF provides control narratives and supporting audit artifacts for every control in the CCF.

The narratives help provide guidance on activities and actions to implement and execute a control.

The audit artifacts offer a high-level understanding of what auditors typically request when testing the operating effectiveness of a control.

These narratives and artifacts are guidance for you to review, evaluate, and update according to your business needs and environment.

Why is Cisco making the CCF publicly available?

Strong cybersecurity is good for everyone. Efficient pathways to compliance and certification help organizations understand and address risk faster. Hopefully, this work helps to accelerate safer clouds for all.