The SABSA Institute · Global

SABSA (Security Architecture)

A business-driven framework and methodology for enterprise security architecture.

SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for developing risk-driven enterprise information security architectures that traceably support business goals. It is vendor-neutral and integrates cleanly with TOGAF for enterprise architecture. Its defining idea: security architecture must be derived from, and justified by, business requirements.

The six architecture layers

Layer | View | Question it answers
--- | --- | ---
Contextual | The business view | What does the business need and why?
Conceptual | The architect’s view | What is the security strategy and set of principles?
Logical | The designer’s view | What logical security services are required?
Physical | The builder’s view | What mechanisms and technologies realise them?
Component | The tradesman’s view | What specific products and tools are used?
Operational (Security Service Management) | The facilities-manager’s view | How is the architecture run and assured day to day?

The SABSA matrix and six questions

SABSA structures each layer against six interrogatives — What (assets), Why (motivation), How (process), Who (people), Where (location) and When (time) — producing a comprehensive matrix that ensures nothing is missed.

Business Attribute Profiling

A signature SABSA technique: translate business requirements into a set of measurable "business attributes" (e.g., available, confidential, compliant, resilient), each with a metric and target. Security services then trace directly to the attributes they protect — making security decisions defensible to the business.

Applying SABSA (lifecycle)

  1. Capture business context, risk and opportunity; define business attributes.
  2. Develop the conceptual security strategy and architecture principles.
  3. Design logical security services traceable to attributes and risks.
  4. Select physical mechanisms and components to realise them.
  5. Operate, measure (against attribute metrics) and continually improve.
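The profiling technique and the measurement step above are easier to see on a concrete traceability model. The following is an added illustration, not SABSA Institute material or any product's code: it holds a small constructed set of business attributes (each with a metric, a target and a direction), a few logical security services that declare which attributes they protect, and two checks a reviewer would run: whether every service traces to a business attribute and every attribute has a protecting service, and whether observed measurements meet the attribute targets. All attribute names, metrics, targets, service names and observed values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class BusinessAttribute:
    """A measurable business attribute: its metric, target and which direction is 'good'."""
    name: str
    metric: str
    target: float
    higher_is_better: bool = True

    def is_met(self, observed: float) -> bool:
        return observed >= self.target if self.higher_is_better else observed <= self.target


@dataclass(frozen=True)
class SecurityService:
    """A logical security service and the names of the attributes it traces to."""
    name: str
    protects: FrozenSet[str]


# Constructed sample profile (hypothetical values, not from any SABSA publication).
ATTRIBUTES: Dict[str, BusinessAttribute] = {
    a.name: a
    for a in (
        BusinessAttribute("available", "monthly service uptime (%)", 99.9),
        BusinessAttribute("confidential", "confirmed unauthorised disclosures per quarter", 0, False),
        BusinessAttribute("compliant", "audit findings open for more than 90 days", 0, False),
        BusinessAttribute("resilient", "measured recovery time (hours)", 4, False),
    )
}

SERVICES: List[SecurityService] = [
    SecurityService("backup-and-restore", frozenset({"available", "resilient"})),
    SecurityService("storage-encryption", frozenset({"confidential"})),
    SecurityService("web-content-filtering", frozenset()),  # deployed, but traces to nothing
]

# Constructed observations from one measurement period.
OBSERVED: Dict[str, float] = {"available": 99.95, "confidential": 0, "compliant": 2, "resilient": 6}


def trace_gaps(attributes: Dict[str, BusinessAttribute],
               services: List[SecurityService]) -> Tuple[List[str], List[str]]:
    """Return (services with no traceable attribute, attributes with no protecting service)."""
    known = set(attributes)
    orphan_services = sorted(s.name for s in services if not (s.protects & known))
    covered = set().union(*(s.protects for s in services))
    uncovered = sorted(name for name in attributes if name not in covered)
    return orphan_services, uncovered


def measure(attributes: Dict[str, BusinessAttribute],
            observations: Dict[str, float]) -> Dict[str, bool]:
    """Score each attribute against its target; an attribute with no observation is not met."""
    return {
        name: (name in observations and attr.is_met(observations[name]))
        for name, attr in attributes.items()
    }


def report(attributes: Dict[str, BusinessAttribute], services: List[SecurityService],
           observations: Dict[str, float]) -> List[str]:
    """Human-readable summary: attribute status first, then traceability gaps."""
    orphans, uncovered = trace_gaps(attributes, services)
    lines = [
        f"{n}: {'met' if ok else 'NOT met'} ({attributes[n].metric}, target {attributes[n].target})"
        for n, ok in measure(attributes, observations).items()
    ]
    lines += [f"service with no traceable attribute: {s}" for s in orphans]
    lines += [f"attribute with no protecting service: {a}" for a in uncovered]
    return lines


if __name__ == "__main__":
    print("\n".join(report(ATTRIBUTES, SERVICES, OBSERVED)))
```

On this sample the report flags "compliant" and "resilient" as not met, "web-content-filtering" as a service nobody can justify to the business, and "compliant" as an attribute with no service behind it; the last two are exactly the findings the traceability idea is meant to surface before they become audit findings.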

SABSA and other frameworks

Framework | How SABSA relates
--- | ---
TOGAF | SABSA adds the security dimension and integrates with the TOGAF ADM
COBIT | COBIT governs; SABSA architects the security capability beneath governance
ISO 27001 | SABSA provides the architecture; ISO 27001 provides the management system and controls
NIST CSF | SABSA can structure how CSF outcomes are architected and traced to business needs

How CyberSigma helps
Our security-architecture practice uses SABSA principles to build a business-driven, risk-traceable architecture — profiling your business attributes and designing security services that the board can see the value of.

Frequently asked questions

How does SABSA relate to TOGAF?
TOGAF is a general enterprise-architecture framework; SABSA adds the security architecture dimension and integrates cleanly with TOGAF’s ADM. Many organisations use them together.
Is SABSA a certification for organisations?
SABSA offers individual certifications (e.g., SCF). Organisations adopt the methodology rather than becoming "SABSA certified".

Official documents

Need help with SABSA?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.