TOGAF vs. SABSA: A Detailed Comparison

In the modern digital world, organisations always aim to improve efficiency to maintain a competitive edge over their industry counterparts. To do that, the individual departments in an organisation must understand the logical structure and component relationships. This need has encouraged IT organisations to adopt Enterprise Architecture (EA) Frameworks. The Open Group Architecture Framework (TOGAF) and Sherwood Applied Business Security Architecture (SABSA) are two instances of such EA Frameworks. Due to their prevalence as EA Frameworks, people often look to compare TOGAF vs SABSA.   

An EA Framework is a collection of processes, templates and tools that is used by software teams to plan and build large Enterprise Architecture systems. TOGAF and SABSA are two of the most relevant EA Frameworks right now, and they are often compared to each other on different parameters. In this blog, we will analyse TOGAF vs SABSA – their differences and determine if they can be implemented together. 

Table of Contents 

1) TOGAF and SABSA: A Brief Introduction  

2) TOGAF vs SABSA: What are the differences? 

   a) Enterprise vs Security Architecture 

   b) Guidance 

   c) Level of Detail 

   d) SABSA mapped to the TOGAF Framework 

3) Can you implement both - TOGAF and SABSA? 

4) Conclusion 

TOGAF and SABSA: A Brief Introduction 

Before we delve deeper into a detailed comparison of the two, we will briefly introduce SABSA and TOGAF.   

TOGAF is an Enterprise Architecture Framework that helps an organisation define its business goals. It also helps align an organisation’s business goals with architecture objectives around enterprise software development. It assists in organising the enterprise software development process systematically and aims to reduce errors, stay within budget, and align IT with business units. It also helps organisations implement software technology in a structured and organised manner, focusing on meeting business goals. In simpler terms, TOGAF helps businesses align their IT goals with business objectives while organising cross-departmental IT efforts.  

Sherwood Applied Business Security Architecture (SABSA) is an Enterprise Architecture Framework focusing on Information Security Architecture. It is a methodology that helps develop a risk-driven Enterprise Information Security Architecture to support critical business processes. SABSA enables the development of security infrastructure solutions that support critical business initiatives. Its main feature is that it derives everything from business security requirements, especially the requirements where security has an enabling function through which new business opportunities can be exploited. 


 

TOGAF vs SABSA: What are the differences? 

While the frameworks are both Enterprise Architecture Frameworks, they have several differences in what they provide to organisations. This section of the blog will provide a detailed comparison of the two frameworks.  

Enterprise vs Security Architecture 

The most important difference between the frameworks is what they provide to the organisation that implements them. While TOGAF is an Enterprise Architecture Framework that is modular in design, SABSA is considered a Security Architecture Framework.   

Guidance 

As mentioned before, SABSA is a specialised Security Architecture method, and SABSA does not have to account for the many Enterprise Architecture use cases. While TOGAF is a framework with a broader scope, SABSA provides you with instructions to do a singular job. SABSA consists of various techniques, approaches and templates considered the global standard in security.      

Level of Detail 

The contextual layer in SABSA presents the organisation with questions related to its enterprise vision and goals. However, in TOGAF, the Architecture to support strategy answers these questions. SABSA requires decisions to be made within the architecture's scope to support the strategy. 

SABSA mapped to the TOGAF Framework 

The TOGAF Framework provides the global standard for three central problems in Enterprise Architecture, namely – how to develop Enterprise Architecture, how to document an Enterprise Architecture and how to develop an Enterprise Architecture team.   

How to develop Enterprise Architecture?  

SABSA offers guidance on how to develop an Enterprise Security Architecture. The TOGAF Series Guide Integrating Risk and Security into the TOGAF Standard helps an organisation to implement the global standard in Enterprise Security Architecture.   

How to document an Enterprise Architecture? 

SABSA provides an organisation with a set of standard work products, such as matrices, models, and templates, to develop its Enterprise Information Security Architecture. However, it does not provide much insight into how the end-to-end Security Architecture is modelled. This is because the SABSA model is modelled on the Zachman Framework, which does not offer insight into architecture documentation.   

On the other hand, the TOGAF Series Guide Integrating Risk and Security into the TOGAF Standard offers insight into where different work products are produced. It must be noted that implementing the TOGAF Content Framework with SABSA work products will improve your Enterprise Architecture.     

Can you implement both - TOGAF and SABSA?
 

While both frameworks differ when implemented separately, it helps improve the organisation's efficiency when both are implemented together. The two architecture frameworks work smoothly when implemented together, as Security Architecture is part of Enterprise Architecture.  

While TOGAF is a broader framework covering all architecture domains, SABSA covers only one. While the former is an end-to-end Enterprise Architecture Framework, the latter is a specific method-supporting Enterprise Security Architecture. While both frameworks offer something different to the organisation, they mask each other’s drawbacks when implemented together.   

This idea led the SABSA Institute and The Open Group to collaborate on a couple of projects and bring the best of both worlds together. While the two frameworks were first amalgamated with the TOGAF and SABSA Integration Paper, it was followed by the TOGAF Series Guide on Integrating risk and security into TOGAF.  

Instead of putting the two frameworks up against each other, an organisation should aim to integrate the two to get the best out of both. TOGAF and SABSA, when implemented together, enhances your Enterprise Architecture with the best Security Architecture approach.

Conclusion

Overall, TOGAF and SABSA are two of the world's most prevalent Enterprise Architecture Frameworks. While TOGAF is an end-to-end Enterprise Architecture Framework that covers all architecture domains, SABSA supports Enterprise Security Architecture.   

However, instead of TOGAF vs SABSA, one should talk about TOGAF and SABSA. While the two frameworks have their differences, they can be optimised by implementing them together. Integrating both frameworks can help an organisation improve Enterprise Architecture while strengthening security at the same time.