SABSA (Sherwood Applied Business Security Architecture) is a vendor-neutral framework and methodology for developing risk-driven enterprise security architectures. Its defining idea is that security architecture must be derived from, and justified by, business requirements, so that every security service can be traced back to the business goal it supports. It integrates with TOGAF for enterprise architecture.
The six architecture layers
| Layer | View | Question it answers |
|---|---|---|
| Contextual | The business view | What does the business need and why? |
| Conceptual | The architect’s view | What is the security strategy and set of principles? |
| Logical | The designer’s view | What logical security services are required? |
| Physical | The builder’s view | What mechanisms and technologies realise them? |
| Component | The tradesman’s view | What specific products and tools are used? |
| Operational (Security Service Management) | The facilities-manager’s view | How is the architecture run and assured day to day? |
The SABSA matrix and six questions
SABSA structures each layer against six interrogatives: What (assets), Why (motivation), How (process), Who (people), Where (location) and When (time). The result is a 6×6 matrix in which each cell is a question the architecture must answer at that layer; an empty cell is a gap in the design, not an omission to be filled later.
Business Attribute Profiling
A signature SABSA technique: translate business requirements into a set of measurable "business attributes" (e.g., available, confidential, compliant, resilient), each with a metric, a measurement approach and a target value. Security services then trace directly to the attributes they protect, and the attributes trace back to the business requirements that demanded them. A service that protects no attribute is unjustified spend; an attribute protected by no service is unmanaged risk. This two-way traceability is what makes security decisions defensible to the business.
Applying SABSA (lifecycle)
- Capture business context, risk and opportunity; define business attributes.
- Develop the conceptual security strategy and architecture principles.
- Design logical security services traceable to attributes and risks.
- Select physical mechanisms and components to realise them.
- Operate, measure (against attribute metrics) and continually improve.
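To make the attribute profiling and the "measure against attribute metrics" step concrete, here is an added example (not SABSA tooling or text from the original page) that models a small slice of a profile: attributes with metric and target, logical services that protect them, and the physical mechanisms that realise those services. It checks traceability in both directions and scores measured values against targets. Every attribute name, metric, target and measurement below is constructed for illustration.

```python
"""Business Attribute Profile traceability check.

Added example, not SABSA's own tooling. Models the chain
  business attribute -> logical service -> physical mechanism
and reports where it is broken, then scores measurements against
the attribute targets. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str                   # SABSA business attribute, e.g. "available"
    metric: str                 # how it is measured
    target: float               # required value
    higher_is_better: bool = True


@dataclass(frozen=True)
class Service:
    name: str                   # logical layer: the security service
    protects: tuple             # attribute names it is justified by
    mechanisms: tuple = ()      # physical layer: what realises it


# Constructed profile (illustrative values, not a recommendation).
ATTRIBUTES = (
    Attribute("available", "monthly uptime of tier-1 services (%)", 99.9),
    Attribute("confidential", "confirmed data-exposure incidents per quarter", 0,
              higher_is_better=False),
    Attribute("compliant", "audit findings open past due date", 0,
              higher_is_better=False),
    Attribute("resilient", "recovery time for tier-1 services (hours)", 4,
              higher_is_better=False),
)

SERVICES = (
    Service("backup-and-recovery", ("available", "resilient"),
            ("offsite replicated backups", "documented restore runbook")),
    Service("access-control", ("confidential",)),          # no mechanism yet
    Service("data-loss-prevention", ("privacy-assured",),  # attribute not in profile
            ("endpoint DLP agent",)),
    # nothing here protects "compliant"
)

# Constructed operational measurements; "compliant" has no evidence at all.
MEASUREMENTS = {"available": 99.95, "confidential": 1, "resilient": 3}


def check_traceability(attributes, services):
    """Return the three kinds of gap the profile can exhibit:
    attributes no service protects (unmanaged risk), services that protect
    no declared attribute (unjustified control), and services with no
    physical mechanism (designed but not realised)."""
    names = {a.name for a in attributes}
    covered = set()
    orphan_services = []
    for s in services:
        hits = set(s.protects) & names
        if not hits:
            orphan_services.append(s.name)
        covered |= hits
    return {
        "uncovered_attributes": sorted(names - covered),
        "orphan_services": orphan_services,
        "services_without_mechanism": sorted(
            s.name for s in services if not s.mechanisms),
    }


def score(attributes, measurements):
    """Compare each attribute's measured value to its target, honouring the
    direction of the metric. A missing measurement is a failure: without
    evidence there is no assurance to report to the business."""
    results = {}
    for a in attributes:
        value = measurements.get(a.name)
        if value is None:
            results[a.name] = False
        elif a.higher_is_better:
            results[a.name] = value >= a.target
        else:
            results[a.name] = value <= a.target
    return results


if __name__ == "__main__":
    for kind, items in check_traceability(ATTRIBUTES, SERVICES).items():
        print(f"{kind}: {items or 'none'}")
    for name, ok in score(ATTRIBUTES, MEASUREMENTS).items():
        print(f"{name}: {'meets target' if ok else 'MISSES target'}")
```

Run stand-alone, the gap report flags "compliant" as unprotected, "data-loss-prevention" as justified by nothing in the profile, and "access-control" as not yet realised by any mechanism; the scorecard shows "confidential" and "compliant" missing their targets. Those are exactly the three conversations the SABSA lifecycle is meant to force with the business before products are bought.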
SABSA and other frameworks
| Framework | How SABSA relates |
|---|---|
| TOGAF | SABSA adds the security dimension and integrates with the TOGAF ADM |
| COBIT | COBIT governs; SABSA architects the security capability beneath governance |
| ISO 27001 | SABSA provides the architecture; ISO 27001 provides the management system and controls |
| NIST CSF | SABSA can structure how CSF outcomes are architected and traced to business needs |