Skip to content

SABSA and TOGAF 101

SABSA and TOGAF are not competing frameworks. One governs enterprise architecture delivery, the other provides security engineering rigour. Here's how they fit together.

Wrong opening question: "SABSA or TOGAF?"

Right one: how do we run both so security is not bolted on after the build?

TOGAF is how large orgs design and govern enterprise architecture. SABSA is how you design security architecture that traces to business risk. One without the other leaves a gap that shows up late and expensive.

TOGAF: delivery engine

TOGAF centres on the Architecture Development Method (ADM) across business, data, application, and technology architecture. Repeatable. Governed. Good common language across stakeholders.

Security shows up as a cross-cutting concern. It does not give you deep security engineering. That gap is intentional.

Use it when you are designing or rationalising IT across domains. Example: a bank moving three legacy systems to cloud - ADM structures SLA, APRA outsourcing, data sovereignty, lift-vs-rebuild, and platform standards. It will not tell you which controls to apply. That is SABSA's job.

SABSA: risk-driven security

SABSA builds security architectures that enable business objectives. Core tool: a 6x6 matrix (What / Why / How / Who / Where / When across Contextual through Operational layers).

SABSA Master Matrix
SABSA matrix: business questions down to operational controls.

Practitioners reach first for Business Attribute Profiling (BAP): turn "we need to be agile" or "maintain client trust" into measurable attributes - confidentiality, availability, accountability, integrity - with owners and targets. Those flow down to encryption, backup, monitoring.

Same cloud migration: BAP turns "maintain corporate client trust" into 99.95% uptime for payments, four-hour RTO, full audit of data movement. Without BAP, trust stays a slide title.

Together

In 2011 The Open Group and the SABSA Institute mapped the integration: TOGAF owns delivery lifecycle; SABSA owns security rigour. SABSA layers align to ADM phases from vision through implementation governance.

"For too long, information security has been considered a separate discipline, isolated from the enterprise architecture." (The Open Group and SABSA Institute, 2011)

Enterprise architects: TOGAF is the vehicle; add SABSA for depth. Security architects: SABSA is home; use TOGAF so you are not stuck in a silo. New programme: put BAP in Phases A and B - course corrections are cheap then. By Phase E they are not.

Security reviewed only at go-live is not a framework choice. It is a schedule failure.

Olivier Reuland