Design Frameworks & Methodologies

Security architecture has several frameworks, standards, and methodologies that exist for security architects to utilize in their design.  The belief is that these should complement and overlap each other to be effective in the design.  At ISA United we are framework, standard, and methodology agnostic. We encourage the use of frameworks to provide the focus and strength in the design.

Security by Design (SbD)

Security by Design (SbD) is a security assurance approach that integrates security into the design and planning prior to the development of any solution, technology, and product that can save time, money, and reduce risk.

Security by design or secure by design is an approach to software, hardware, network development that seeks to make systems as free of vulnerabilities and impervious to attack as possible through such measures as continuous testing, authentication safeguards, and adherence to best security practices.

Using security by design creates a repeatable review approach to the design and planning stage of a solution, therefore, integrating security prior to the development stage. Security architects use design frameworks, standards, and methodologies such as: 


The Open Group Architecture Framework (TOGAF) is a business architecture method that provides an integrated framework for enterprise software development. It simplifies the development procedure through a systematic approach for minimizing errors, maintaining timelines, staying within budget, and aligning IT with individual business units to produce high-quality results. TOGAF is internally free for organizations to use, but not for commercial purposes. However, business organizations can use certain tools, software, or training programs certified by The Open Group.

The Gap Analysis method is often used to validate architecture developed by the TOGAF Architecture Development Method. The core concept here is to evaluate an inconsistency between the Baseline Environment and the Target Environment; that is, items that have been left out, omitted inadvertently, or not defined. TOGAF offers a Gap Analysis Matrix that can help you identify the differences between your baseline and target and create gap elements in the repository, which may then be addressed and assigned as tasks; the gap elements can then be prioritized for use in other activities, as well as creating and managing Gap Analysis Matrix profiles.


SABSA stands for the Sherwood Applied Business Security Architecture. It provides a framework for designing quality security engineering programs and mitigating business risks. Nevertheless, it can also be responsible for providing the appropriate security infrastructure for important organizational ventures. The primary feature of the SABSA model is the derivation of profit-generating security opportunities through an analysis of the corporate business requirements for security, especially for instances where security has a prominent enabling function through which new products and services can be developed and exploited. SABSA framework consists of a six-layered architecture: contextual security structure, conceptual security structure, logical security structure, physical security structure, and component security structure.

In its attempt to categorize and classify the different viewpoints that make up each layer of the security architecture, the SABSA analysis matrix has been defined and derived to address six inquiry-based models: What? The assets to be protected, Why? The motivation for wanting to apply security, How? The processes and functions needed to achieve security, Who? The people and organizational aspects of security, Where? The locations where security is applied, and When? The time-related aspects of security. The 6 X 6 matrix covers all relevant security questions to facilitate confidence that the security architecture will be complete.


Open Security Architecture (OSA) is a framework for creating security architectures for safe functions and technical security controls. It provides a full overview of security risks, principles, components, and standards involved in architectural decisions that ensure that security architectures are built effectively. The OSA framework is not only a hacking tool; it's a comprehensive framework that can be used by security officers and consultants in a wide variety of activities, from using strategies for instituting company-wide security plans to assessing, managing, and maintaining an existing set of controls.