SABSA Executive Summary

What is SABSA?

SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused Security Architectures, at both enterprise and solutions level, that traceably support business objectives.

It is also widely used for Information Assurance Architectures, Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT Architecture methods and frameworks.

The SABSA framework and methodology is used successfully around the globe to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management. SABSA has evolved since 1995 to be the ‘approach of choice’ for organisations in 50 countries and in sectors as diverse as Banking, Homeless Management, Nuclear Power, Information Services, Communications Technology, Manufacturing and Government.

SABSA ensures that the needs of your Enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure. Although copyright protected, SABSA is an open-use methodology, not a commercial product.

SABSA is comprised of a series of integrated frameworks, models, methods and processes, used independently or as an holistic integrated enterprise solution, including:

  • Business Requirements Engineering Framework (known as Attributes Profiling)
  • Risk and Opportunity Management Framework
  • Policy Architecture Framework
  • Security Services-Oriented Architecture Framework
  • Governance Framework
  • Security Domain Framework
  • Through-life Security Service Management & Performance Management Framework

The SABSA Institute develops and maintains the method and certifies and accredits the professional Architects who use it in approximately 50 countries around the world.

Why is SABSA so Successful?

The SABSA Institute

SABSA is governed by The SABSA Institute. In the United Kingdom an “Institute” is not an ordinary company: it has a protected and highly-regulated status that guarantees:

  • SABSA intellectual property can never be sold
  • SABSA will always remain vendor-neutral
  • SABSA will be free-use in perpetuity
  • SABSA will have ongoing development to meet the needs of business
  • SABSA’s community can obtain true competency-based professional certifications that provide trust and confidence to peers and employers of an architect’s capabilities

Unique Selling Points

Feature                     | Advantage
Business-driven             | Value-assured
Risk & Opportunity Balanced | Prioritised and proportional responses
Comprehensive               | Scalable scope
Modular                     | Agility for ease of implementation & management
Open Source                 | Free use, open source, global standard
Auditable                   | Demonstrates compliance to relevant authorities
Transparent                 | Two-way traceability

Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers. The example below was created for eight stakeholders at a global financial institution:

Competency-Based Professional Certification

Real ‘professionals’ (such as pilots and doctors) are not certified by their professional bodies by knowledge-based multiple choice tests. They are required to actively demonstrate the application of their skills and achieve career progression by ‘doing’ not ‘knowing’.

Certification by the SABSA Institute is competency-based and delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world.

How is SABSA Used?

SABSA is comprised of a series of integrated frameworks, models, methods and processes, used independently or as an holistic integrated enterprise solution. It is widely applied in:
  • Enterprise Security Architecture
  • Individual Security Solutions
  • Enterprise and Solutions Architecture
  • Seamless security integration and alignment with other frameworks including TOGAF, ITIL, Zachman, DoDAF
  • Business-driven, traceable toolkits for modelling and deploying security standards and references such as ISO 27000 series, NIST and CObIT
  • Governance, Compliance & Audit
  • Business Requirements Engineering
  • Risk & Opportunity Management
  • Information Assurance
  • Business Continuity
  • Policy Architecture
  • Security Service Management
  • Security Performance Management, Measures & Metrics
  • Secure Systems Design & Development
  • Over-arching decision-making framework for fully integrated end-to-end solutions

Who Uses SABSA?

As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations. However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects in nearly 50 countries, on every continent and from every imaginable business sector.

SABSA has evolved as a standard (formal and de facto) all over the world. It has been deployed, customised and incorporated as a government architecture standard and framework in:

  • Whole-of-Government Services Architecture
  • Defence & Intelligence communities
  • Standards Bodies

SABSA certification is widely requested by employers globally and is a mandatory requirement for Security Architects and Enterprise Architects alike in numerous large-scale and national financial sector bodies.

SABSA is also widely referenced in other security and IT certification programmes and throughout the tertiary academic world.

Where is SABSA Used?

SABSA is used all over the world and the Institute has certified SABSA Chartered Architects in nearly 70 countries.

When is SABSA Used?

SABSA is a ‘Through-Life’ method and framework: it applies throughout the entire lifecycle from Business Requirements Engineering to management of the solutions delivered.