Integrating Risk and Security within a TOGAF® Enterprise Architecture

The TOGAF® Standard

---

Provide feedback on this page

---

Table of Contents

Preface

1 Introduction

1.1 How does this Guide Support the TOGAF Standard?

1.2 What about Risk Management?

1.3 Where is the Controls Checklist?

2 Relationship to Other IT Security and Risk Standards

2.1 ISO/IEC 27001:2013: Information Security Management

2.2 ISO 31000:2009: Risk Management – Principles and Guidelines

2.3 National Cybersecurity Frameworks

2.4 COBIT®

2.5 O-ESA

2.6 O-ISM3

2.7 Open FAIR

2.8 SABSA®

3 Enterprise Security Architecture

3.1 Enterprise Risk Management

3.1.1 Definition of Risk

3.1.2 Core Concepts for Enterprise Risk Management

3.2 Information Security Management

3.2.1 Security

3.2.2 Privacy

3.2.3 Core Concepts for Information Security Management

3.2.4 Operational Security Processes

4 Security as a Cross-Cutting Concern

5 Security and Risk Concepts in the TOGAF ADM

5.1 Preliminary Phase

5.1.1 Business Drivers/Business Objectives

5.1.2 Security Principles

5.1.3 Risk Appetite

5.1.4 Key Risk Areas/Business Impact Analysis

5.1.5 Security Resource Plan

5.2 Phase A: Architecture Vision

5.3 Phase B: Business Architecture

5.3.1 Security Policy Architecture

5.3.2 Security Domain Model

5.3.3 Trust Framework

5.3.4 Risk Assessment

5.3.5 Business Risk Model/Risk Register

5.3.6 Applicable Law and Regulation Register

5.3.7 Applicable Control Framework Register

5.4 Phase C: Information Systems Architectures

5.4.1 Security Services Catalog

5.4.2 Security Classification

5.4.3 Data Quality

5.5 Phase D: Technology Architecture

5.6 Phase E: Opportunities and Solutions

5.6.1 Risk Mitigation Plan

5.7 Phase F: Migration Planning

5.8 Phase G: Implementation Governance

5.8.1 Security Audit

5.8.2 Security Training and Awareness

5.9 Phase H: Architecture Change Management

5.10 Requirements Management

5.10.1 Business Attribute Profile

5.10.2 Control Objectives/Security Objectives

5.10.3 Security Standards

5.11 The TOGAF Architecture Content Metamodel

5.12 Use of the ArchiMate® Modeling Language

4 Security as a Cross-Cutting Concern

Security Architecture is a cross-cutting concern, pervasive through the whole Enterprise Architecture. It can be described as a coherent collection of views, viewpoints, and artifacts, including security, privacy, and operational risk perspectives, along with related topics like security objectives and security services. The Security Architecture is more than a dataset; it is based on the ISM and ERM processes.

The TOGAF ADM covers the development of the four architecture domains commonly accepted as subsets of an Enterprise Architecture: Business, Data, Application, and Technology. The Security Architecture interacts with all four of them and is therefore called cross-cutting.

Figure 5: Security as a Cross-Cutting Concern through the Architecture

As a cross-cutting concern, the Security Architecture impacts and informs the Business, Data, Application, and Technology Architectures. The Security Architecture may often be organized outside of the architecture scope, yet parts of it need to be developed in an integrated fashion with the architecture. These touch-points will be explained in the next chapter.

return to top of page