Adobe CCF v5
Adobe Common Controls Framework - Open-source unified control framework mapping to 20+ compliance standards
This is a reference tool, not an authoritative source. For official documentation, visit www.adobe.com.
Framework data extracted from the Adobe CCF Open Source v5 Set Theory Relationship Mapping (STRM) files, licensed under Creative Commons. Attribution required per license terms.
All domains: 317 controls
AM — Asset Management (13 controls)
AM-01 Inventory Management
AM-02 Inventory Management: Applications
AM-03 Inventory Reconciliation: ARP Table
AM-04 Inventory Reconciliation: Logging
AM-05 Inventory Labels
AM-06 Media Marking
AM-07 Asset Transportation Authorization
AM-08 Asset Transportation Documentation
AM-09 Use of Portable Media
AM-10 Maintenance of Assets
AM-11 Tampering of Payment Card Capture Devices
AM-12 Component Installation: Inspection and Approval
AM-13 Software Bill of Material
BC — Business Continuity (6 controls)
BM — Backup Management (5 controls)
CFM — Configuration Management (15 controls)
CFM-01 Baseline Configuration Standard
CFM-02 Default "Deny-all" Settings
CFM-03 Remote Access: Prohibited Protocols and Commands
CFM-04 Data Execution Prevention
CFM-05 Client Run Time Technologies
CFM-06 Prohibited Activity Monitoring
CFM-07 Configuration Checks
CFM-08 Configuration Check Reconciliation: Logging
CFM-09 Time Clock Synchronization
CFM-10 Time Clock Configuration Access
CFM-11 Default Device Passwords
CFM-12 Process Isolation
CFM-13 Collaborative Devices
CFM-14 Software Installation
CFM-15 Job Schedules
CHM — Change Management (4 controls)
CMS — Customer Managed Security (4 controls)
CRY — Cryptography (15 controls)
CRY-01 Encryption Key Maintenance
CRY-02 Encryption Key Distribution
CRY-03 Encryption Key Storage
CRY-04 Clear Text Key Management
CRY-05 Encryption of Data in Transit
CRY-06 Encryption of Data at Rest
CRY-07 Approved Cryptographic Technology
CRY-08 Key Repository Access
CRY-09 Key Store Review
CRY-10 Full Disk Encryption Access
CRY-11 Key Custodians Agreement
CRY-12 Approved Certificate Authorities
CRY-13 Installation of Software: Certificate Verification
CRY-14 Public Key Infrastructure-based Authentication
CRY-15 Software Signing
DM — Data Management (22 controls)
DM-01 Data Classification Criteria
DM-02 Data Inventory
DM-03 Terms of Service
DM-04 Personal Information Access Requests
DM-05 Personal Information Deletion Requests
DM-06 External Privacy Inquiries
DM-07 Test Data Sanitization
DM-08 Personal Information Updates
DM-09 Credit Card Data Restrictions
DM-10 Primary Account Number Data Restrictions
DM-11 Personal Information Inventory
DM-12 Changes to Data at Rest
DM-13 Data Processing Integrity
DM-14 Secure Disposal of Media
DM-15 Customer Data Retention and Deletion
DM-16 Removal of PHI from Media
DM-17 Secure Disposal of Media: Testing
DM-18 Personal Information Retention and Deletion
DM-19 Temporary Storage of Personal Information
DM-20 Social Media
DM-21 Publicly Accessible Content
DM-22 Data Loss Prevention
EM — Entity Management (11 controls)
EM-01 Board of Directors Structure and Purpose
EM-02 Audit Committee
EM-03 Organizational Structure
EM-04 Operating Plans
EM-05 Cyber Security Insurance
EM-06 Internal Audit Function
EM-07 Financial Control Review
EM-08 Information Security Function
EM-09 Information Security Compliance Review
EM-10 Common Controls Framework
EM-11 Service Agreement
IAM — Identity and Access Management (39 controls)
IAM-01 Logical Access Provisioning
IAM-02 Change of Access Notification
IAM-03 Logical Access De-provisioning
IAM-04 Logical Access De-provisioning: Notification
IAM-05 Logical Access Review
IAM-06 Role Change: Access De-provisioning
IAM-07 Shared Logical Accounts
IAM-08 Shared Logical Accounts: Group Member
IAM-09 Shared Account Restrictions
IAM-10 Role Change: People Resources Notification
IAM-11 Temporary Account Termination
IAM-12 Unique Identifiers
IAM-13 Password Authentication
IAM-14 Multifactor Authentication
IAM-15 Authentication Credential Maintenance
IAM-16 Session Timeout
IAM-17 Session Limit
IAM-18 Account Lockout: Cardholder Data Environments
IAM-19 Account Lockout
IAM-20 Login Banner
IAM-21 Credentials Validation
IAM-22 Password Authentication Standard: Federal Systems
IAM-23 Privileged Session Management
IAM-24 Zero Trust Enterprise Network
IAM-25 Logical Access Role Permission Authorization
IAM-26 Source Code Security
IAM-27 Service Account Restrictions
IAM-28 PCI Account Restrictions
IAM-29 Least Privilege
IAM-30 Virtual Private Network
IAM-31 Virtual Private Network: Restrict Split-Tunneling
IAM-32 Ability to Disable Remote Sessions
IAM-33 Remote Maintenance: Authentication Sessions
IAM-34 Remote Maintenance: Unique Authentication Credentials for each Customer
IAM-35 Remote Maintenance: Authentication
IAM-36 Remote Maintenance: Audit
IAM-37 End-user Environment Segmentation
IAM-38 End-user Access to Applications and Data
IAM-39 Hardware Tokens
IR — Incident Response (8 controls)
MDM — Mobile Device Management (4 controls)
NO — Network Operations (18 controls)
NO-01 Network Policy Enforcement Points
NO-02 Inbound and Outbound Network Traffic: DMZ Requirements
NO-03 Ingress and Egress Points
NO-04 Non-disclosure of Routing Information
NO-05 Dynamic Packet Filtering
NO-06 Firewall Rule Set Review
NO-07 Ingress and Egress Points: Fail Secure
NO-08 Traffic Flow: Managed Proxy
NO-09 Domain Name Services Security Extensions (DNSSec)
NO-10 Email Spam Protection
NO-11 Denial of Service (DOS)
NO-12 Trusted Connections
NO-13 Network Segmentation
NO-14 Card Processing Environment Segmentation
NO-15 Traffic Flow
NO-16 Disable Rogue Wireless Access Points
NO-17 Wireless Access Points
NO-18 Authentication: Wireless Access Points
PR — People Resources (10 controls)
PRIV — Privacy (10 controls)
PRIV-01 Privacy Program
PRIV-02 Privacy Program Review
PRIV-03 Privacy Readiness Review
PRIV-04 Privacy Notice
PRIV-05 Personal Information Notice and Consent: Additional Processing Activities
PRIV-06 Notice of Personal Information Disclosure
PRIV-07 PII Processing Agreements
PRIV-08 Record of Processing Activity
PRIV-09 Document Management Standard: HIPAA
PRIV-10 Law Enforcement Requests
PS — Proactive Security (4 controls)
RM — Risk Management (10 controls)
SDD — System Design Documentation (2 controls)
SG — Security Governance (17 controls)
SG-01 Policy and Standard Review
SG-02 Exception Management
SG-03 Document Control
SG-04 Information Security Program Content
SG-05 Procedures
SG-06 Proprietary Rights Agreement
SG-07 Review of Confidentiality Agreements
SG-08 Information Security Program
SG-09 Accessibility Program
SG-10 Information Security Management System Scope
SG-11 Security Roles and Responsibilities
SG-12 Security Roles and Responsibilities: Risk Designations
SG-13 Security Roles and Responsibilities: PCI Compliance
SG-14 Information Security Resources
SG-15 Management Review
SG-16 Enterprise Data Catalog
SG-17 Software Usage Restrictions
SLC — Service Lifecycle (7 controls)
SM — Systems Monitoring (32 controls)
SM-01 Audit Logging
SM-02 Secure Audit Logging
SM-03 Audit Logging: Cardholder Data Environment Activity
SM-04 Audit Logging: Cardholder Data Environment Event Information
SM-05 Audit Logging: Service Provider Logging Requirements
SM-06 Configuration Management: Remote Logging
SM-07 Chain of Accountability
SM-08 Audit Record Time Stamps
SM-09 Log Reconciliation: CMDB
SM-10 Audit Log Capacity and Retention
SM-11 Enterprise Antivirus Logging
SM-12 Security Monitoring Alert Criteria
SM-13 Security Monitoring Alert Criteria Review
SM-14 Log-tampering Detection
SM-15 Unauthorized Devices Addition
SM-16 Security Monitoring Alert Criteria: Guest, Anonymous and Temp Accounts
SM-17 Security Monitoring Alert Criteria: VoIP Usage
SM-18 Prohibited Activity Monitoring: Remote Access
SM-19 Prohibited Activity Monitoring: Client Run Time Technologies
SM-20 Security Monitoring Alert Criteria: Wireless Access Point
SM-21 Security Monitoring Alert Criteria: Failed Logins
SM-22 Security Monitoring Alert Criteria: Privileged Functions
SM-23 Security Monitoring Alert Criteria: Audit Log Integrity
SM-24 Security Monitoring Alert Criteria: Cardholder System Components
SM-25 System Security Monitoring
SM-26 Intrusion Detection Systems
SM-27 System Monitoring Legal Opinion
SM-28 Privileged Session Monitoring
SM-29 Availability Monitoring Alert Criteria
SM-30 Availability Monitoring Alert Criteria Review
SM-31 System Availability Monitoring
SM-32 Remote Access: Activity Log Audit
SO — Site Operations (16 controls)
SO-01 Secured Facility
SO-02 Physical Protection and Positioning of Cabling
SO-03 Global Coordination of Critical Functions: Information Security Safeguards
SO-04 Provisioning Physical Access
SO-05 De-provisioning Physical Access
SO-06 Periodic Review of Physical Access
SO-07 Physical Access Role Permission Authorization
SO-08 Monitoring Physical Access
SO-09 Surveillance Feed Retention
SO-10 Visitor Access
SO-11 Physical Access Devices
SO-12 Temperature and Humidity Control
SO-13 Fire Suppression Systems
SO-14 Power Failure Protection
SO-15 Emergency Shutoff
SO-16 Emergency Lighting
TA — Training and Awareness (9 controls)
TA-01 General Security Awareness Training
TA-02 Code of Conduct Training
TA-03 Accessibility Training
TA-04 Phishing Awareness
TA-05 Developer Security Training
TA-06 Payment Card Processing Security Awareness Training
TA-07 Role-based Security Training: HIPAA
TA-08 Role-based Security Training
TA-09 Security Champion Training
TPM — Third-Party Management (13 controls)
TPM-01 Third-Party Assurance Review
TPM-02 Vendor Risk Management
TPM-03 Forensic Investigations
TPM-04 Privacy Risk Assessment
TPM-05 Network Access Agreement: Vendors
TPM-06 Vendor Non-disclosure Agreements
TPM-07 Cardholder Data Security Agreement
TPM-08 HIPAA Business Associate Agreement
TPM-09 HIPAA Business Associate Subcontractor Agreement
TPM-10 Network Service Level Agreements (SLA)
TPM-11 Personal Information Processing and Transfer Agreement
TPM-12 Approved Service Provider Listing
TPM-13 Vendor Information Security Standard
VM — Vulnerability Management (23 controls)
VM-01 Vulnerability Scans
VM-02 Vulnerability Scans: Cardholder Data Environment
VM-03 Vulnerability Scans: Audit Log Review
VM-04 Vulnerability Scans: Trend Analysis
VM-05 Approved Scanning Vendor
VM-06 Application Penetration Testing
VM-07 Application Penetration Testing: Cardholder Data Environment
VM-08 Infrastructure Patch Management
VM-09 Enterprise Antivirus
VM-10 Enterprise Antivirus Tampering
VM-11 Enterprise Antivirus Scope
VM-12 Maintenance Tools: Inspect Media
VM-13 Code Security Check
VM-14 Code Security Check: Cardholder Data Environment
VM-15 Third-Party Library Check
VM-16 Non-disclosure of Error Detail
VM-17 Embedded Authenticators
VM-18 External Information Security Inquiries
VM-19 External Alerts and Advisories
VM-20 Third-Party Security Assessment
VM-21 Security Testing Window
VM-22 Vulnerability Remediation
VM-23 Backlog Prioritization