1. Security Architecture Frameworks (SABSA & TOGAF)
As organizations scale digitally—embracing cloud computing, distributed workforces, software-defined infrastructure, and complex regulatory obligations—security can no longer be treated as a collection of isolated technical controls. Instead, cybersecurity must be architected, governed, and aligned with business objectives. This is the fundamental purpose of enterprise security architecture frameworks.
Security architecture frameworks provide structured methodologies to design, implement, and manage security in a way that is:
- Consistent across the enterprise
- Aligned with business goals and risk appetite
- Auditable and compliant with standards
- Adaptable to evolving threats and technologies
In this chapter, we focus on two of the most influential and widely adopted frameworks:
- SABSA (Sherwood Applied Business Security Architecture)
- TOGAF (The Open Group Architecture Framework)
Together, these frameworks illustrate two complementary perspectives: security-driven architecture and enterprise-wide architectural governance.
Security Architecture in the Context of Enterprise Strategy
Before exploring specific frameworks, it is essential to understand what security architecture actually represents within an organization.
Security architecture is not simply network diagrams, firewall rules, or identity systems. At the enterprise level, it is:
- A blueprint for protecting business capabilities
- A decision-making framework for prioritizing controls
- A communication bridge between executives, architects, and engineers
A mature security architecture ensures that security investments are:
- Justified by business risk
- Designed holistically rather than reactively
- Integrated into enterprise transformation initiatives
Frameworks like SABSA and TOGAF exist to formalize this discipline.
Overview of Security Architecture Frameworks
Security architecture frameworks provide:
- Common language and terminology
- Structured processes and viewpoints
- Traceability from strategy to implementation
They reduce ambiguity and enable repeatability, especially in large or regulated environments.
Two dominant approaches emerge:
- Security-centric frameworks, such as SABSA
- Enterprise architecture frameworks, such as TOGAF, which incorporate security as a domain
Understanding both is critical for modern cybersecurity leaders.
SABSA: Business-Driven Security Architecture
- Origins and Philosophy of SABSA
SABSA was developed specifically to address a recurring failure in security programs: misalignment with business needs. Traditional security approaches often focus on technology first, leaving executives unconvinced of value.
SABSA reverses this logic. It starts with the business and works downward toward technical controls.
At its core, SABSA is:
- Risk-driven
- Business-focused
- Lifecycle-oriented
Rather than asking “What security controls should we deploy?”, SABSA asks:
“What does the business need to protect, and why?”
- The SABSA Six-Layer Architecture Model
SABSA is structured around six architectural layers, each answering a specific question:
- Contextual (Why) – Business objectives, risk appetite, regulatory drivers
- Conceptual (What) – Security services and policies needed
- Logical (How) – Security mechanisms and designs
- Physical (With What) – Technologies and infrastructure
- Component (Where) – Product selection and deployment
- Operational (Who & When) – Processes, roles, and operations
This layered approach ensures traceability, meaning every security control can be justified by a business requirement.
- Business Attribute Profiling in SABSA
One of SABSA’s most distinctive contributions is Business Attribute Profiling. Business attributes include:
- Confidentiality
- Integrity
- Availability
- Accountability
- Privacy
- Resilience
Rather than treating these as abstract concepts, SABSA quantifies and prioritizes them based on business impact.
This enables:
- Clear security requirements
- Consistent risk decisions
- Executive-level communication
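Added example, not SABSA's own tooling or code from this chapter: a small Python model of the traceability chain from the six-layer model and the attribute profile described above, which flags controls that no profiled business attribute justifies and attributes that have a driver but no control. The class names, the 1-to-5 impact scale and all sample data are assumptions made for the illustration.

```python
# Added illustration of SABSA-style traceability (not SABSA's own tooling):
# driver (Contextual) -> attribute (Conceptual) -> control (Logical) -> component.
from dataclasses import dataclass, field

@dataclass
class Attribute:
    name: str
    driver: str   # contextual reason: regulation, contract, business objective
    impact: int   # business-impact rating, 1 (low) to 5 (high)

@dataclass
class Control:
    name: str
    supports: list = field(default_factory=list)    # attribute names
    components: list = field(default_factory=list)  # technologies/products

def check_traceability(attributes, controls):
    """Return (orphan_controls, uncovered_attributes): controls no business
    requirement justifies, and attributes with a driver but no control (risk
    that must be accepted explicitly rather than silently ignored)."""
    known = {a.name for a in attributes}
    orphans = sorted(c.name for c in controls if not set(c.supports) & known)
    covered = {n for c in controls for n in c.supports}
    uncovered = sorted(a.name for a in attributes if a.name not in covered)
    return orphans, uncovered

def justification_chain(attributes, controls):
    """Per attribute, highest impact first: why it matters, how it is
    protected, and with what (the Why -> How -> With What trace)."""
    chain = {}
    for a in sorted(attributes, key=lambda x: -x.impact):
        hits = [c for c in controls if a.name in c.supports]
        chain[a.name] = {
            "driver": a.driver,
            "controls": [c.name for c in hits],
            "components": sorted({p for c in hits for p in c.components}),
        }
    return chain

# Constructed sample profile and control set (all names are made up).
ATTRIBUTES = [
    Attribute("Confidentiality", "GDPR personal-data obligations", 5),
    Attribute("Availability", "customer SLA commitments", 4),
    Attribute("Accountability", "financial audit requirements", 3),
]
CONTROLS = [
    Control("Encryption in transit", ["Confidentiality"], ["TLS termination"]),
    Control("Central audit logging", ["Accountability"], ["SIEM"]),
    Control("Legacy WAF", [], ["appliance"]),  # nobody can say why it exists
]
```

Running `check_traceability(ATTRIBUTES, CONTROLS)` on the sample data reports the legacy WAF as an unjustified control and Availability as an attribute the business cares about but nothing protects.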
- SABSA and Risk Management
SABSA aligns closely with formal risk management practices and standards such as ISO/IEC 27001.
Within SABSA:
- Risks are identified in business terms
- Controls are selected based on risk mitigation effectiveness
- Residual risk is explicitly acknowledged and accepted
This makes SABSA particularly effective in regulated industries such as finance, healthcare, and critical infrastructure.
TOGAF: Enterprise Architecture with Security Integration
- Introduction to TOGAF
TOGAF is one of the most widely used enterprise architecture frameworks globally. Unlike SABSA, TOGAF is not security-specific. Instead, it provides a comprehensive framework for designing and governing enterprise-wide architecture.
TOGAF addresses four primary architecture domains:
- Business Architecture
- Data Architecture
- Application Architecture
- Technology Architecture
Security is treated as a cross-cutting concern, influencing all domains.
- The Architecture Development Method (ADM)
At the heart of TOGAF is the Architecture Development Method (ADM), a cyclical process that guides organizations through architecture creation and evolution.
The ADM ensures that:
- Architecture aligns with business strategy
- Changes are governed and controlled
- Stakeholders are continuously engaged
Security requirements can be embedded at every stage of this cycle.
- Security Architecture in TOGAF
TOGAF includes a dedicated Security Architecture perspective, which focuses on:
- Identity and access management
- Trust relationships
- Data protection mechanisms
- Security governance
Rather than prescribing controls, TOGAF emphasizes architecture principles, such as:
- Least privilege
- Defense in depth
- Secure by design
This makes TOGAF adaptable across industries and technologies.
- TOGAF and Governance Alignment
TOGAF integrates well with governance frameworks like:
- COBIT 2019
- ISO/IEC 27001
- NIST frameworks
It provides the structural backbone to ensure that security architecture decisions are:
- Documented
- Approved
- Enforced consistently
This governance strength makes TOGAF especially valuable in large enterprises.
Comparing SABSA and TOGAF
While SABSA and TOGAF are often contrasted, they are best understood as complementary rather than competing frameworks.
Key distinctions include:
- SABSA is security-first; TOGAF is enterprise-first
- SABSA emphasizes risk and business attributes; TOGAF emphasizes architecture governance
- SABSA provides deep security specificity; TOGAF provides broad organizational integration
Many mature organizations use SABSA within a TOGAF governance structure, achieving both depth and breadth.
Alignment with Zero Trust Architecture
Modern security architecture increasingly adopts Zero Trust principles, as defined in NIST SP 800-207. Both SABSA and TOGAF support Zero Trust when applied correctly.
From a SABSA perspective:
- Zero Trust requirements emerge from business risk analysis
- Trust boundaries are explicitly defined and justified
From a TOGAF perspective:
- Zero Trust is implemented as an architectural pattern
- Governance ensures consistent adoption across domains
Frameworks provide the discipline needed to prevent Zero Trust from becoming a marketing term rather than an operational reality.
Integration with Standards and Compliance
Security architecture frameworks must support compliance, not compete with it.
Both SABSA and TOGAF align well with:
- ISO/IEC 27001:2022 for information security management
- COBIT for governance and control objectives
- Regulatory frameworks such as GDPR, HIPAA, and PCI DSS
Framework-driven architecture simplifies audits by providing:
- Clear documentation
- Traceable decisions
- Defined accountability
Educational Value for Cybersecurity Students
For students entering cybersecurity, learning security architecture frameworks develops:
- Strategic thinking
- Business communication skills
- Risk-based decision-making
- Systems-level understanding
These competencies are essential for roles such as:
- Security architect
- CISO advisor
- GRC professional
- Cloud and Zero Trust architect
Framework literacy distinguishes senior practitioners from purely technical specialists.
Architecture as the Foundation of Trust
Security architecture frameworks are not academic abstractions—they are practical tools for building trust in complex digital ecosystems.
SABSA teaches us to anchor security in business purpose and risk.
TOGAF teaches us to govern and scale architecture across the enterprise.
Together, they enable organizations to move from reactive security controls to intentional, resilient, and strategic security architecture—a foundational requirement for Zero Trust, cloud security, and modern enterprise resilience.