This post explains what is an enterprise information security architecture framework, and summarizes some of the existing ones.

List of Enterprise IT Security Architecture Frameworks

What is an Information Security Architecture Framework?

Enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of organizations.

Enterprise information security architecture (EISA) is a subset of enterprise architecture that focus on information security.

A framework is a basic structure underlying a system, concept, or text.

An architecture framework is a foundational structure that can be used for developing a broad range of different architectures.

Then, an information security application framework is an architecture framework specific to information security.

The architecture would be the specific solution, while the architecture framework would be a set of references to design the solution.

What is the difference between a IS architecture framework and a cybersecurity framework?

I have never seen this question answered before, so I will try to explain what are my conclusion about the difference in plain words.

A framework denotes that it is a reference, not a final solution.

A information security framework would be a reference about how to implement information security, in its broader term.

Cybersecurity frameworks would be specific to cybersecurity instead of information security. Remember that the difference of information security and cybersecurity is that the first is a broader term for all type of information (written, digital, etc.) and the second is specific to digitial.

The concepts of enterprise architecture were explained in the previous section.

As a conclusion, information security architecture frameworks is a subset of information security (or cybersecurity) frameworks, specific to architecture.

You can find cybersecurity frameworks that are not considered architecture frameworks on this post. The most populars of them are ISO-27000 series and NIST CSF.

List of Enterprise IT Security Architecture Frameworks

The most popular are:

• Zachman Framework
• TOGAF
• COBIT
• SABSA

Alternative architectures are:

• Open Security Architecture (OSA)
• E2AF
• AGATE
• Integrated Architecture Framework of Capgemini
• IDABC
• MIKE2.0 / SAFE
• MDA
• NIH Enterprise Architecture Framework
• OBASHI
• SOMF
• MODAF
• DoDAF
• FEA
• NIH Enterprise Architecture Framework

Zachman Framework

https://www.zachman.com/about-the-zachman-framework/

Zachman Framework for Enterprise architecture.

TOGAF

https://www.opengroup.org/togaf

TOGAF stands for The Open Group Architecture Framework.

Developed by the Open Group.

SAP Enterprise Architecture Framework would be an extension of TOGAF.

COBIT

https://www.isaca.org/resources/cobit

COBIT is an acronym for Control Objectives for Information and related Technology. It is developed by ISACA.

COBIT is a framework for IT management and governance. Thus, it is not specific for security, but it includes one process called “Manage Enterprise Architecture” that deals this topic.

Latest version is COBIT 2019 (released in 2018), but COBIT 5 (released in 2012) is still popular.

SABSA

https://sabsa.org/

Sherwood Applied Business Security Architecture (SABSA) is an enterprise security architecture.
It is very theoretical and not used in real industry. 

OSA

https://www.opensecurityarchitecture.org/

Open Security Architecture (OSA).

E2AF

E2AF is an acronym for Extended Enterprise Architecture Framework.

E2AF was published in 2006 by the Institute For Enterprise Architecture Developments (IFEAD), whose president was Jaap Schekkerman. The official website of IFEAD is down, but you can access its archive version from this external link.

Considering that latest version of E2AF is from 2006 and that IFEAD web is down, I can conclude that this framework is no longer maintained. Anyway, I have seen it still quoted in some sources.

The E2AF Essentials Guide can be still viewed from this external link.

Information Security Architecture

Cybersecurity Mesh or Cybersecurity Mesh Architecture (CSMA) is a collaborative ecosystem of tools and controls to secure an enterprise.

You might also be interested in…

• IT Security Frameworks for Organizations
• Information Security Controls
• How to get CISSP-ISSAP certification

External references

• “CISM Review Manual 15th Edition”, section 1.11.2 “Enterprise Information Security Architecture(s)”, pp. 57-58; ISACA (2016)
• “PECB ISO/IEC 27001 Lead Implementer courseware”; PECB
•  “What is the difference between NIST, CIS/SANS 20, ISO 27001 Compliance Standards?“; Kedar Ghule; Cloudanix Blog
• Alexander S. Gillis; “Enterprise architecture”; TechTarget