However, SABSA stepped in. "Wait," he said. "Before we lay a brick, what is the we are protecting? Is it Confidentiality of the King's wealth, or the Availability of funds for the people?"
| Aspect | SABSA | TOGAF | |--------|-------|-------| | | Sherwood Applied Business Security Architecture | The Open Group Architecture Framework | | Primary Focus | Security architecture (risk‑driven, business‑centric) | Enterprise architecture (holistic, cross‑domain) | | Core Philosophy | “Security by design, not bolt‑on” – security as an enabler for business | “Structured method for designing, planning, implementing, and governing enterprise architecture” | | Key Output | Security architecture artifacts (policies, standards, controls, metrics) | Enterprise architecture deliverables (architectures, roadmaps, governance frameworks) | | Origin | Mid‑1990s, John Sherwood | Mid‑1990s, The Open Group (based on TAFIM) | sabsa vs togaf
| Phase of TOGAF ADM | How SABSA Adds Value | |--------------------|------------------------| | | SABSA contextual layer helps define security principles, risk appetite, and business drivers. | | Phase A (Architecture Vision) | SABSA conceptual layer translates business risks into security goals and success criteria. | | Phase B (Business Architecture) | SABSA’s business view ensures security requirements are captured as functional / non‑functional requirements. | | Phase C (Data / Application) | SABSA logical & physical layers define security controls (e.g., data classification, encryption, access control). | | Phase D (Technology) | SABSA component layer specifies security infrastructure (firewalls, IDS, IAM). | | Phase E–F (Opportunities & Migration) | SABSA operational layer feeds into security project roadmaps and transitional architectures. | | Phase G (Governance) | SABSA’s assurance and metrics support ongoing security compliance and audit. | However, SABSA stepped in
| Feature | SABSA | TOGAF | |---------|-------|-------| | Domain | Security architecture | Enterprise architecture (all domains) | | Lifecycle process | Not prescribed | Yes (ADM) | | Core artifact | 6‑layer security matrix | Architecture deliverables (e.g., Architecture Definition Document) | | Risk model | Built‑in (business‑driven) | Referenced (not built‑in) | | Certifications | SABSA Foundation / Practitioner / Master | TOGAF 9 / 10 (Level 1 & 2) | | Industry recognition | High in security architecture | Very high in general enterprise architecture | | Best used as | Security design framework | Overall architecture process framework | Is it Confidentiality of the King's wealth, or
Use to run the architecture development lifecycle. Use SABSA inside TOGAF’s security‑related tasks to ensure the result is complete, traceable, and risk‑driven.