Enterprise IT Security Architecture Framework

This post explains what an enterprise information security architecture framework is, and summarizes some of the existing ones.

What is an Information Security Architecture Framework?

Enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of organizations.

Enterprise information security architecture (EISA) is the subset of enterprise architecture that focuses on information security.

A framework is a basic structure underlying a system, concept, or text.

An architecture framework is a foundational structure that can be used for developing a broad range of different architectures.

Therefore, an information security architecture framework is an architecture framework specific to information security.

The architecture is the specific solution, while the architecture framework is the set of references used to design that solution.

What is the difference between an IS architecture framework and a cybersecurity framework?

I have never seen this question answered before, so I will try to explain in plain words what my conclusions are about the difference.

The word framework denotes a reference, not a final solution.

An information security framework is a reference on how to implement information security, in its broadest sense.

Cybersecurity frameworks are specific to cybersecurity rather than information security. Remember that the difference between information security and cybersecurity is that the first is a broader term covering all types of information (written, digital, etc.), while the second is specific to digital information.

The concepts of enterprise architecture were explained in the previous section.

In conclusion, information security architecture frameworks are a subset of information security (or cybersecurity) frameworks, specific to architecture.

You can find cybersecurity frameworks that are not considered architecture frameworks in this post. The most popular of them are the ISO 27000 series and the NIST CSF.

List of Enterprise IT Security Architecture Frameworks

The most popular are:

  • Zachman Framework

Alternative architectures are:

  • Open Security Architecture (OSA)
  • E2AF
  • Integrated Architecture Framework of Capgemini
  • MIKE2.0 / SAFE
  • MDA
  • NIH Enterprise Architecture Framework
  • SOMF
  • DoDAF
  • FEA

Zachman Framework

The Zachman Framework is a framework for enterprise architecture.

Zachman Framework official website

TOGAF

TOGAF stands for The Open Group Architecture Framework.

It is developed by The Open Group.

The SAP Enterprise Architecture Framework can be considered an extension of TOGAF.

TOGAF official website

COBIT

COBIT is an acronym for Control Objectives for Information and related Technology. It is developed by ISACA.

COBIT is a framework for IT management and governance. Thus, it is not specific to security, but it includes one process, called “Manage Enterprise Architecture”, that deals with this topic.

It can also be considered an audit framework, as auditors may use COBIT control objectives, management guidelines, and maturity models to evaluate the effectiveness of IT processes and controls.

As of 2024, the latest version is COBIT 2019 (released in 2018), but COBIT 5 (released in 2012) is still popular.

COBIT official website

SABSA

Sherwood Applied Business Security Architecture (SABSA) is an enterprise security architecture. It is very theoretical and not used in real industry.

SABSA official website

Open Security Architecture (OSA)

Open Security Architecture (OSA).

OSA official website

E2AF

E2AF is an acronym for Extended Enterprise Architecture Framework.

E2AF was published in 2006 by the Institute For Enterprise Architecture Developments (IFEAD), whose president was Jaap Schekkerman. The official website of IFEAD is down, but you can access its archived version from this external link.

Considering that the latest version of E2AF is from 2006 and that the IFEAD website is down, I can conclude that this framework is no longer maintained. Anyway, I have still seen it quoted in some sources.

The E2AF Essentials Guide can still be viewed from this external link.

Information Security Architecture

Cybersecurity Mesh or Cybersecurity Mesh Architecture (CSMA) is a collaborative ecosystem of tools and controls to secure an enterprise.
