As SaaS delivery continues to be prevalent and cyber risks evolve, service providers must continue to demonstrate their commitment to security, availability, confidentiality, and privacy. This has forced enterprises like Cisco and SaaS organizations globally to adapt and find swift and responsive ways to meet these challenges for our customers and in the markets where we do business. Cisco recognizes the challenge of maintaining security compliance requirements and is here to assist.
In May 2022, we announced the general availability of the Cisco Cloud Controls Framework (CCF) V1.0 for public use. The Cisco CCF provides a simple, straightforward way to gain global market access using a “build-once-use-many” approach for achieving multiple regional and international certifications, while offering scalability and easing compliance strain.
Today, we are proud to deliver the Cisco Cloud Controls Framework (CCF) V2.0 along with the CCF Overview Video that shares more about our approach. This version extends our original CCF with additional, globally-accepted, security compliance frameworks and certifications. It continues to provide a global SaaS product compliance and certification strategy and methodology that will help meet your customer requirements and the ever-changing regulatory demands.
Today, the Cisco CCF covers these security compliance frameworks and certification standards:
- SOC 2® – SOC for Service Organizations: Trust Services Criteria
- ISO/IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2019 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
- ISO 22301:2019 – Security and resilience — Business continuity management systems — Requirements
- Esquema Nacional de Seguridad (ENS)
- Infosec Registered Assessors Program (IRAP December 2021)
- Payment Card Industry Data Security Standard (PCI-DSS v3.2.1)
- Information System Security Management and Assessment Program (ISMAP)
- Cloud Computing Compliance Controls Catalogue (C5)
- EU Cloud Code of Conduct (CoC)
- Third Party Cybersecurity Compliance Certificate (CCC)
- The Federal Risk and Authorization Management Program (FedRAMP LI-SAAS/Tailored)
- National Institute of Standards and Technology (NIST) 800-171 (New)
- European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) (New)
- SecNumCloud (New)
We will update the framework as regulations evolve and new industrial frameworks are integrated into our compliance process.
What’s more, the updated Cisco CCF includes revised narratives — guidelines for users to understand how to implement the necessary controls — and audit artifacts that provide examples of what auditors generally request when testing the operating effectiveness of controls. As part of this latest release, we have updated these narratives and artifacts based on Cisco’s own experience and assessments. We offer these narratives and supporting artifacts to you as guidance to review, evaluate, and update according to your business needs and environments.
We hope the Cisco CCF can help you achieve your market access goals, keep pace with your evolving customer demands, and continue to maintain a secure cloud infrastructure for all. After all, trust is hard to earn, but easy to break.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!