Atlassian's Common Controls Framework
As with many companies, Atlassian has a number of international control standards that are applicable to our product development and our operations environments. We decided to evaluate the overlap between many of these independent standards, and ensure we have a single view of applying those standards to our internal environments. The primary environment where we apply these standards is our cloud-hosting platform, as we understand the need to show that we are taking appropriate efforts to protect our customers and their data. However, not all of the standards are applicable to all environments. For example, the focus for Sarbanes-Oxley (SOX) is the systems that support our financial report, of which our cloud services are secondary at best. Let's take a look at the standards we evaluate and why.
Applicable International Standards
Below is a list of standards that we have incorporated into our internal common controls framework:
Standard | Sponsor |
| ISO27001 | International Organization for Standardization |
| ISO27002 | International Organization for Standardization |
| ISO27018 | International Organization for Standardization |
| SOC2 | American Institute of Certified Public Accountants (AICPA) |
| NIST SP 800-53 Rev 4 | National Institute of Standards and Technology |
| FedRAMP | US Federal Government |
| CSA CCM | Cloud Security Alliance |
| HIPAA | US Federal Government |
| SOX 404 (IT) | US Federal Government |
| PCI DSS | PCI Security Standards Council |
Common Controls Framework
As you can see from the table above, there are a series of different and disparate requirements, many of which are applied to the same environments, systems or teams. In order to make it a bit easier to understand the overlap and the similarities from many of these standards for our teams, we evaluated each of the control requirements and identified where there was overlap - where each of the standards was essentially evaluating the same domain. As a result, we have a common controls framework that easily maps to each of the standards.
Conclusion
The organization of the Atlassian Common Controls Framework was important so our teams can utilize the mentality of "evaluate many times, perform once". Instead of asking multiple different teams, multiple different times, we used the efficiency of this framework to define where we would organize and apply controls so the entire company could understand the requirements and how each portion of our organization performs collectively to deliver trust to all of our customers.