Customers globally are requesting – and often requiring – SaaS providers to demonstrate their commitment to security, availability, confidentiality, and privacy. While attaining global security certifications has become table stakes for many to do business, it’s no easy feat. Many organizations struggle to keep pace with this resource- and time-intensive process.
As the complexity of market demand grows, SaaS providers need an efficient way to simplify and streamline efforts to attain security certifications. They are looking for methods and tools to help launch them on their journey to cloud compliance and broaden their global market access. A strategic compliance and risk management approach is as essential to the success of an organization as its product strategy. We understand these challenges and are here to help.
Announcing the Cisco Cloud Controls Framework (CCF)
We are proud to announce the general availability of the Cisco Cloud Controls Framework (CCF) V1.0 for public use.
The Cisco CCF is a rationalized framework with comprehensive control requirements taken from numerous, globally accepted, security compliance frameworks and certifications. It provides a structured, “build-once-use-many” approach for achieving multiple regional and international certifications, enabling market access and scalability, as well as easing compliance strain.
Today, the Cisco CCF V1.0 covers these security compliance frameworks and certification standards:
- SOC 2® – SOC for Service Organizations: Trust Services Criteria
- ISO/IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2019 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
- ISO 22301:2019 – Security and resilience — Business continuity management systems — Requirements
- Esquema Nacional de Seguridad (ENS)
- Infosec Registered Assessors Program (IRAP December 2020)
- Payment Card Industry Data Security Standard (PCI-DSS v3.2.1)
- Information System Security Management and Assessment Program (ISMAP)
- Cloud Computing Compliance Controls Catalogue (C5)
- EU Cloud Code of Conduct (CoC)
- Third Party Cybersecurity Compliance Certificate (CCC)
- The Federal Risk and Authorization Management Program (FedRAMP LI-SAAS/Tailored)
We will regularly update the framework as regulations evolve and new industrial frameworks are integrated into our compliance processes.
Along with the security controls, we are also making available ‘narratives,’ which are guidelines that help users understand how to implement the necessary controls, and ‘audit artifacts,’ which include examples of what auditors generally request when testing the operating effectiveness of controls. The framework’s corresponding narratives and supporting audit artifacts offer guidance for you to review, evaluate, and tailor according to your needs while integrating the Cisco CCF into your organization’s compliance regime.
Why make the Cloud Controls Framework freely available?
Customer demand for global SaaS security certifications is ever-increasing, as are the security risks we face. We are sharing the Cisco CCF with the broader security and risk management community as a guide to help you achieve your market access goals, keep pace with evolving customer demand, and continue to maintain a more secure cloud infrastructure.
We’d love to hear what you think.