Cisco Cloud Controls Framework

Accelerating SaaS product security certifications to maximize market access.

What is the Cloud Controls Framework?

The Cisco Cloud Controls Framework (CCF) is a comprehensive set of international and national security compliance and certification requirements, aggregated into a single framework. In addition to the control mapping, the CCF also contains guidance on implementation and audit artifacts.

The Cisco CCF will be updated as security compliance frameworks and regulations evolve. To benefit from this framework, please review, evaluate, and tailor it to reach your compliance goals.

Contact us to learn more and get answers to your questions.




Cloud Controls Framework
Complete this form to download the file
* required fields

I understand I can unsubscribe at any time.


One sample domain showing an overview of the fields in the Cloud Controls Framework. Download the framework for a complete mapping.

Domain Title Control Title Control Reference Control Wording Control Type Applicable Framework
Audit Compliance Control Self-Assessments CCF 1 Independent Control self-assessments are performed by independent auditors, at least annually, to gain reasonable assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings and tracked to resolution. Independent control self-assessments are reviewed by management and stored in a central repository and maintained. Process SOC 2 (A/C/S) 2017,
SOC 2 Privacy,
ISO 27001,
ISO 27701 Processor & Controller,
ISO 27017 Provider & Customer,
ISO 22301
ISO 27018,
BS1 C5,
Fedramp Tailored,
Spanish ENS Basic, Medium, & High,
Saudi CCC,
EU Code of Conduct,
NIST 800-171,
EUCS Basic, Substantial, & High,
NIST 800-218 SSDF,
ISO 27001 (2022),
TX RAMP Level 1 & 2,
CSA Star Level 1 & 2,
FedRAMP Moderate & High,
NIST 800-53 Low, Moderate, & High,
SOC 2 (A/C/S) 2022,
NIS Directive,
CCCS Medium,
PCI v4
Audit Compliance Security Policy Audit CCF 2 At least quarterly, organization reviews shall be performed with approved documented specification to confirm personnel are following security policies and operational procedures pertaining to:
• log reviews
• firewall rule-set reviews
• applying configuration standards to new systems
• responding to security alerts
• change management processes
Process PCI,
EUCS Basic, Substantial, & High,
NIST 800-218 SSDF,
FedRAMP Moderate & High,
NIST 800-53 Low, Moderate, & High,
CCCS Medium,
PCI v4
Audit Compliance Customer Audits CCF 3 If applicable, corporate documented procedures regarding customer-requested audits shall be defined, documented and transparently communicated to the customer; and where applicable, the mandated auditor. Process EU Code of Conduct,
EUCS Basic, Substantial, & High,
FedRAMP Moderate & High,
NIST 800-53 Low, Moderate, & High,
CCCS Medium
Audit Compliance Audit Program CCF 4 A three-year audit program is in place which defines the scope and frequency of audits in accordance with change management, policies, and risk assessment results. Process SecNumCloud
Audit Compliance Review of Audit Plan CCF 5 Privacy and protection of personally identifiable information is ensured as required in relevant legislation and regulation where applicable. Process ISMAP
Audit Compliance KPI Audit CCF 6 Key performance indicators (KPI's - OFI, Minor, Major, pass, low, or high) are included as part of independent control self assessment performed by independent auditors at least annualy. Process ISMAP

Sorry, no results matched your search criteria(s). Please try again.

Standards Mapped

Global frameworks mapped in the Cloud Controls Framework.

Country/Region Framework Name Description
Global Frameworks
     Global CSA STAR - New The CSA STAR CCM is a cybersecurity framework for cloud vendors, offering best practices and controls.
     Global ISO IEC 27001:2013 ISO 27001 is an international standard for information security management systems to protect confidential data.
     Global ISO IEC 27001:2022 - New ISO 27001 is an international standard for information security management systems to protect confidential data.
     Global ISO/IEC 27017:2015 ISO 27017 provides guidelines for cloud service information security controls, complementing the ISO 27001 standard.
     Global ISO/IEC 27018:2019 ISO 27018 establishes guidelines for protecting personal data in cloud environments, enhancing privacy and compliance.
     Global ISO/IEC 27701:2019 ISO 27701 extends ISO 27001 to privacy management, setting guidelines for personal information protection and compliance.
     Global ISO 22301:2019 ISO 22301 specifies requirements for a business continuity management system to plan, establish, and improve resilience.
     Global PCI-DSS v3.2.1 PCI DSS v3.2.1 provides security standards for cardholder data to reduce credit card fraud.
     Global PCI-DSS v4.0 PCI DSS v4.0 updates security requirements for payment environments, enhancing flexibility and supporting new technologies.
     Global SOC 2® 2017 SOC 2 is a framework for managing data with principles on security, availability, processing integrity, confidentiality, and privacy.
     Global SOC 2® 2017 (With Revised Points of Focus – 2022) - New SOC 2 is a framework for managing data with principles on security, availability, processing integrity, confidentiality, and privacy.
Asia-Pacific Frameworks
     Australia IRAP (December 2021) IRAP, the Information Security Registered Assessors Program, certifies individuals to assess Australian government security compliance.
     Japan ISMAP ISMAP is Japan's Information System Security Management and Assessment Program for evaluating cloud service providers.
     Saudi Arabia CCC Saudi CCC: The Saudi Cloud Cybersecurity Controls framework enhances cloud service security in Saudi Arabia.
Canadian Frameworks
     Canada CCCS - New The Canadian Centre for Cyber Security (CCCS) provides national guidance on cybersecurity and cyber threat responses.
European Union (EU) Frameworks
     European Union (EU) CoC The EU Code of Conduct for Cloud Providers aims to improve data security and processing efficiency.
     European Union (EU) ENISA NIS Directive - New The NIS Directive is the EU's legislation for enhancing cybersecurity across critical infrastructure and essential services.
     European Union (EU) EUCS The EU Cloud Services (EUCS) scheme enhances cloud service cybersecurity, aligning with EU cybersecurity certification framework.
     European Union (EU) NCSC - New The UK's National Cyber Security Centre (NCSC) provides guidance and support to improve cybersecurity resilience.
     European Union (EU) SecNumCloud SecNumCloud is France's security certification for cloud service providers, ensuring data protection and cybersecurity compliance.
     Germany C5 BSI C5: German Federal Office for Information Security's cloud computing compliance criteria for secure IT operations.
     Spain ENS Spain's National Security Framework (ENS) sets standards for effective digital data protection in public administrations.
United States Frameworks
     United States FedRAMP LI-SAAS/Tailored FedRAMP standardizes security assessment and authorization for cloud products and services used by U.S. government.
     United States NIST 800-171 - New NIST 800-171 outlines requirements for protecting Controlled Unclassified Information in non-federal information systems and organizations.
     United States NIST 800-53 Rev. 4 - New NIST 800-53 rev.4 provides comprehensive security and privacy controls for federal information systems and organizations.
     United States NIST 800-218 - New NIST 800-218 (SSDF), offers guidance for secure software development practices to reduce vulnerabilities and improve security.
     United States TX-RAMP - New TX-RAMP is Texas' cybersecurity framework, ensuring state agencies' cloud services meet defined security standards.

Sorry, no results matched your search criteria(s). Please try again.


Why apply Cisco Cloud Controls Framework (CCF)?

This framework enables your organization to keep pace with the increasing complexity of market and customer demands. It provides a structured, “build-once-use-many” approach designed to help streamline and operationalize cloud compliance and certification. The CCF represents years of research from Cisco’s cloud compliance experts and can help your organizations better address the challenging compliance landscape and meet your market access goals.

What do I get with the CCF?

In addition to the control mapping to each of the standards referenced below, the CCF provides control narratives and supporting audit artifacts for every control in the CCF.

The narratives help provide guidance on activities and actions to implement and execute a control.

The audit artifacts offer a high-level understanding of what auditors typically request when testing the operating effectiveness of a control.

These narratives and artifacts are guidance for you to review, evaluate, and update according to your business needs and environment.

Why is Cisco making the CCF publicly available?

Strong cybersecurity is good for everyone. Efficient pathways to compliance and certification help organizations understand and address risk faster. Hopefully, this work helps to accelerate safer clouds for all.