·
SABSA and TOGAF 101
SABSA and TOGAF are not competing frameworks. One governs enterprise architecture delivery, the other provides security engineering rigour. Here's how they fit together.
Wrong opening question: "SABSA or TOGAF?"
Right one: how do we run both so security is not bolted on after the build?
TOGAF is how large orgs design and govern enterprise architecture. SABSA is how you design security architecture that traces to business risk. One without the other leaves a gap that shows up late and expensive.
TOGAF: delivery engine
TOGAF centres on the Architecture Development Method (ADM) across business, data, application, and technology architecture. Repeatable. Governed. Good common language across stakeholders.
Security shows up as a cross-cutting concern. It does not give you deep security engineering. That gap is intentional.
Use it when you are designing or rationalising IT across domains. Example: a bank moving three legacy systems to cloud - ADM structures SLA, APRA outsourcing, data sovereignty, lift-vs-rebuild, and platform standards. It will not tell you which controls to apply. That is SABSA's job.
SABSA: risk-driven security
SABSA builds security architectures that enable business objectives. Core tool: a 6x6 matrix (What / Why / How / Who / Where / When across Contextual through Operational layers).
Practitioners reach first for Business Attribute Profiling (BAP): turn "we need to be agile" or "maintain client trust" into measurable attributes - confidentiality, availability, accountability, integrity - with owners and targets. Those flow down to encryption, backup, monitoring.
Same cloud migration: BAP turns "maintain corporate client trust" into 99.95% uptime for payments, four-hour RTO, full audit of data movement. Without BAP, trust stays a slide title.
Together
In 2011 The Open Group and the SABSA Institute mapped the integration: TOGAF owns delivery lifecycle; SABSA owns security rigour. SABSA layers align to ADM phases from vision through implementation governance.
"For too long, information security has been considered a separate discipline, isolated from the enterprise architecture." (The Open Group and SABSA Institute, 2011)
Enterprise architects: TOGAF is the vehicle; add SABSA for depth. Security architects: SABSA is home; use TOGAF so you are not stuck in a silo. New programme: put BAP in Phases A and B - course corrections are cheap then. By Phase E they are not.
Security reviewed only at go-live is not a framework choice. It is a schedule failure.
Related
- Threat Modelling 101 for practical threat modelling frameworks
- Security vs. Compliance for why compliance is the floor and security is the priority