Information Security Architecture Frameworks

This post explains what an enterprise information security architecture framework is, and summarizes some of the existing ones.

IT security architecture frameworks are sometimes related to enterprise architecture frameworks. You can read more about them in this post.

What is an Information Security Architecture Framework?

A framework is a basic structure underlying a system, concept, or text.

An architecture framework is a foundational structure that can be used for developing a broad range of different architectures.

Consequently, an information security architecture framework is an architecture framework specific to information security.

The architecture is the specific solution, while the architecture framework is the set of references used to design that solution.

Enterprise information security architecture (EISA) is the subset of enterprise architecture that focuses on information security.

What is the difference between an IS architecture framework and an IS framework?

I have never seen this question answered before, so I will try to explain what my conclusions about the difference are, in plain words.

A framework denotes a reference, not a final solution.

An information security framework is a reference for how to implement information security, in its broadest sense.

Cybersecurity frameworks are specific to cybersecurity rather than to information security. Remember that the difference between information security and cybersecurity is that the first is a broader term covering all types of information (written, digital, etc.), while the second is specific to digital information.

The concepts of enterprise architecture were explained in the previous section.

In conclusion, information security architecture frameworks are a subset of information security (or cybersecurity) frameworks, specific to architecture.

You can find cybersecurity frameworks that are not considered architecture frameworks in this post. The most popular of them are the ISO 27000 series and the NIST CSF.

Cybersecurity Mesh Architecture

Cybersecurity Mesh, or Cybersecurity Mesh Architecture (CSMA), is a collaborative ecosystem of tools and controls for securing an enterprise.

List of IT Security Architecture Frameworks

The most popular are:

  • Open Security Architecture (OSA)

Other architecture frameworks, possibly unrelated:

  • Integrated Architecture Framework of Capgemini
  • MIKE2.0 / SAFE
  • MDA
  • NIH Enterprise Architecture Framework
  • SOMF
  • DoDAF
Sherwood Applied Business Security Architecture (SABSA) is an enterprise security architecture.
It is very theoretical and not used in real industry.

It is also one of the four industry standards leveraged in the CSA Enterprise Architecture (EA) v2.

SABSA official website


Open Security Architecture (OSA)

OSA official website
