At first, they clashed. TOGAF thought SABSA was too theoretical; SABSA thought TOGAF was too focused on the "stuff" and not the "risk."
TOGAF tells you how to build any architecture (including security) in a structured, repeatable way. sabsa vs togaf
In real‑world enterprise environments, , not competitive. At first, they clashed
| Aspect | SABSA | TOGAF | |--------|-------|-------| | | Sherwood Applied Business Security Architecture | The Open Group Architecture Framework | | Primary Focus | Security architecture (risk‑driven, business‑centric) | Enterprise architecture (holistic, cross‑domain) | | Core Philosophy | “Security by design, not bolt‑on” – security as an enabler for business | “Structured method for designing, planning, implementing, and governing enterprise architecture” | | Key Output | Security architecture artifacts (policies, standards, controls, metrics) | Enterprise architecture deliverables (architectures, roadmaps, governance frameworks) | | Origin | Mid‑1990s, John Sherwood | Mid‑1990s, The Open Group (based on TAFIM) | | Aspect | SABSA | TOGAF | |--------|-------|-------|
: Use TOGAF ADM as the process engine and SABSA as the security design method embedded inside it.
While SABSA and TOGAF are often discussed as competing frameworks, they serve distinct purposes: TOGAF is a comprehensive framework, while SABSA is a specialized Security Architecture methodology . Choosing between them is often a "false choice," as the industry standard is to integrate them to create a secure, business-aligned enterprise. SABSA vs. TOGAF: Core Differences