SABSA – In 3 Minutes

The basics of SABSA

SABSA is a framework for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives. It is an open standard, comprising a number of frameworks, models, methods and processes,  free for use by all, with no licensing required for end-user  organizations who make use of the standard in developing  and implementing architectures and solutions.


Although SABSA grew up in the information risk / assurance / security domain it is now widely recognized  as the leading methodology for developing business operational risk based architectures in general. SABSA is now the Open Group’s frame- work of choice for integrating with TOGAF® to fulfill not only the need for a security architecture development methodology but, more importantly, to apply SABSA’s Business Attributes Profiling method across the entire enterprise architecture domain as a means to engage with stakeholders and manage  business requirements. It adds value to the TOGAF ADM  by providing a robust, repeatable, consistent  process for aligning business requirements with the development of operational capabilities in the form of people, processes  and technology  solutions. It brings to TOGAF a defined method for ‘requirements management’, something that has been lacking in previous releases of TOGAF up to and including TOGAF version 9.

SABSA does not replace or compete with other risk-based standards  and methods – rather it provides an overarching framework that enables all other existing standards  to be integrated under the single SABSA framework, enabling joined up, end-to-end architectural solutions. Thus ISO 2700x, CobiT®, ISF SoGP®, ITIL®,  etc. and industry standards such as ETSI standards,  Basel III and Solvency II are all capable of being brought  together into a SABSA-based integrated compliance framework.

In terms of risk philosophy SABSA aligns fully with ISO 31000, COSO® and M_o_R®, all of which present the concept of risk as being one of uncertainty of outcome,  with risks embracing  both (positive) opportunities and (negative) threats.

To do business is to take risk by evaluating the risk/reward balance and setting risk appetite to a level that is comfortable for the risk taker. With this philosophy in mind, all business decisions are risk management decisions, and it is from this standpoint  that SABSA views the world. Risk is good for business, so long as it is maintained within the organization’s risk appetite. SABSA is the first architectural development methodology to introduce a reliable method for measuring risk appetite and monitoring operational performance against that appetite. It achieves this through application of the Business Attributes Profiling technique,  which produces as output a customized balanced  scorecard.

Other key features of SABSA include:

  • SABSA IPR is owned, governed and protected by The SABSA Institute.
  • The SABSA framework is not related  to any IT solutions supplier or other type of supplier and is completely  vendor-neutral.
  • The SABSA framework is scalable, that is, it can be introduced in a small scope and then rolled out to subsequent areas and systems, and thus implemented incrementally.
  • The SABSA framework may be used in any industry sector and in any organization whether privately or publicly owned, including commercial, industrial,  government, military or charitable organizations.
  • The SABSA framework can be used for the development of architectures and solutions at any level of granularity  of scope, from a project of limited scope to an entire enterprise architectural framework.
  • The SABSA framework is continually maintained and developed  and up-to-date versions are published from time to time.

For each horizontal layer there  is also a vertical analysis based on the six questions: What (assets)? Why (motivation)? How (process and technology)? Who (people)? Where  (location)? When (time)? This leads to a six-by-six cell matrix called the SABSA Master  Matrix

The sixth layer, the service management layer, is overlaid on the other five layers and further vertically analyzed  to produce the five-by-six cell SABSA Service Management Matrix.

Target audience of the method

CIO, CRO,  IT strategists and planners,  IT architects,  IT development managers  and project leaders, software managers  and architects,  network managers  and architects,  information security managers, advisors, consultants and practitioners, auditors.

Scope and constraints

SABSA is a generic architectural development framework that can be used for the operational-risk-based development and maintenance of operational capabilities in any type of business organization.


The SABSA model is generic and can be the starting point for any organization, but by going through  the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes the enterprise operational risk management architecture. SABSA is not a cookbook full of ready-to-cook recipes – rather it is a guiding framework for those who would be the chef de cuisine so that they can devise their own recipes to satisfy their customers’ appetites.


To gain the full benefits of SABSA an organization needs to move on from a small scope proof-of-concept project towards adopting SABSA on an enterprise-wide level. This of course requires buy-in and support at the most senior executive levels, which can be a challenge to those who champion the adoption of the framework.