Part of the series: Getting it organized properly. Notes from a field still finding its shape.
The role
The phrase security architect is widely used and rarely clear. Two practitioners using the term will often find they are describing materially different work. The term does not specify the work.
Role ambiguity is a familiar feature of architecture practice. Enterprise and solution architecture carry it too. Security architecture adds its own complication: it is a relatively young specialty in a field where the importance of security is still rising. The role is still settling, and different organizations describe it differently.
Read together from a CISSP vantage, three frameworks answer different questions about the role, and the security architect is best understood by reading all three.
Three frameworks
Each was chosen for what it represents rather than for completeness.
CISSP from ISC2 is the dominant senior security certification and the vantage this piece is written from.
TOGAF from the Open Group is the dominant enterprise architecture standard. Its treatment of security is worth examining because it sets the terms most architects work within.
SABSA from the SABSA Institute appears to be alone in being purpose-built for security architecture as a discipline.
CISSP itself points outward to SABSA. The Exam Outline lists SABSA as one of the security control frameworks a CISSP candidate is expected to know, and again under risk frameworks. The frameworks are not in opposition. CISSP names SABSA as part of what a senior security professional should understand.
Each takes a different approach to defining what an architect is and does. Reading them side by side shows where they agree, where they diverge, and which questions each one is best placed to answer.
The role view
The three frameworks take different stances on what a role even is.
CISSP does not name architect roles. It organizes bodies of knowledge that a senior security professional is expected to hold and leaves the question of who holds them to other sources. This is a scope choice. The certification is about knowledge, not org charts.
TOGAF names a full set of architect roles and the competencies each one holds. Security is treated as a quality of every architect's work rather than as the work of a single specialist.
SABSA names the security architect as a role and defines it through the artifacts that role produces. It also defines six views (Business, Architect, Designer, Builder, Tradesman and Facilities Manager) which describe perspectives on the work rather than separate roles.
Three frameworks, three answers to the same question. Trying to align them at the role level produces little more than confirmation that they were designed for different purposes. The more revealing comparison is at the level of skills, where all three describe the same underlying work in their own vocabularies.
The skill view
The comparison worth making is at the level of skills. All three frameworks describe skills, though they structure them differently.
CISSP organizes its body of knowledge into eight domains and, beneath each, a set of task statements derived from ISC2's Job Task Analysis. These task statements are the closest thing CISSP has to a skill taxonomy. They describe what a CISSP-certified professional is expected to do, and they are published in the Exam Outline (see sources cited).
SABSA describes the work through a six-by-six matrix. Six layers (Contextual, Conceptual, Logical, Physical, Component, Operational) cross six columns (Assets/What, Motivation/Why, Process/How, People/Who, Location/Where, Time/When). Each cell names an artifact or concern. The matrix is the skill structure.
TOGAF takes a different route. Its seventy-one skill subcategories are scored against six architect roles using a four-level proficiency scale, where level 1 is Background and level 4 is Expert.
The table below uses the eight CISSP domains as a spine and shows what each framework names against that spine.
| CISSP domain | TOGAF skills | SABSA cells |
|---|---|---|
| Security and Risk Management | Risk Management, Strategic Planning, Governance of Change, Visioning, Rules and Regulations | Motivation+Contextual, Motivation+Conceptual, Motivation+Logical |
| Asset Security | Security and Asset Management, Data Security, Data Governance, Data Protection | Assets+Contextual, Assets+Logical, Assets+Physical |
| Security Architecture and Engineering | Application Security, Principle Definition, Viewpoints and Views, Physical Security | Process+Conceptual, Process+Logical, Process+Physical, Process+Component |
| Communication and Network Security | Networks, Network Topology, Location Services, Security Services, Directory Services | Location+Logical, Location+Physical, Location+Component |
| Identity and Access Management | Location Services, Security Services, Directory Services | People+Logical, People+Physical, People+Component, People+Operational |
| Security Assessment and Testing | not named | Process+Operational, Time+Operational |
| Security Operations | not named | Process+Operational, Assets+Operational, People+Operational, Location+Operational, Time+Operational |
| Software Development Security | Application Security, Application Development, Application Modeling | Process+Logical, Process+Physical, Process+Component |
Reading this table by row shows that the three frameworks describe overlapping but not identical territory. Two CISSP domains have no TOGAF security skill named for them at all.
TOGAF treats assessment and operations as outside the architect's scope by design. A clearer view of the asymmetry comes from stepping back. Three buckets capture what the frameworks address.
🟢 Owns this | 🟡 Touches it | 🔴 Out of scope
| Bucket | CISSP | TOGAF | SABSA |
|---|---|---|---|
| Security domain knowledge | 🟢 | 🟡 | 🟡 |
| Architect-general skills | 🔴 | 🟢 | 🔴 |
| Security architect work product | 🔴 | 🟡 | 🟢 |
Each framework owns one bucket and either touches the other two or leaves them out of scope. This is not a gap in any framework. It is a consequence of what each was built to do. CISSP certifies what a security professional must know. TOGAF describes how architects work together at the enterprise level. SABSA names what a security architect produces. The buckets reflect three different questions, and the answers do not compete.
A note on the CISSP vantage. ISC2 covers some of this ground separately through ISSAP, a CISSP concentration for security architecture with four domains of its own. ISC2 does have a position on security architecture as a specialism, just not within CISSP itself.
What this means
The role name does not carry the work. The skills do.
For a security architect working from a CISSP background, this changes how to reach for each framework.
CISSP gives the knowledge base. It defines what a security professional must know, with eight domains and task statements drawn from a Job Task Analysis. It is the cleanest spine when the question is what does a security architect need to know.
TOGAF gives the architect-general skills. These are the soft skills, the change skills, the modeling and decision-making skills any architect at any enterprise table needs to hold, regardless of specialism. TOGAF is where they are named and scored. It is the reference when the question is how does a security architect work alongside others.
SABSA gives the role itself. It names the security architect, defines the artifacts that role produces, and provides a matrix that ties motivation through to operation. It is the framework with an answer when the question is what does a security architect actually do.
The three frameworks are not competitors. They answer different questions, and the security architect role is best described by using all three. Reading from inside CISSP, the most useful thing to say about SABSA is that it picks up where CISSP leaves off.
Organizing this is harder than naming it. The work is collective and slow. The field gets organized by many people writing carefully about what they can see clearly. This article is one small contribution to that work.
Jacco Meijer | May 15, 2026
Sources cited
- ISC2. The Official ISC2 CISSP CBK Reference, 6th Edition. 2021. Domain structure as updated in the CISSP Certification Exam Outline, effective 15 April 2024.
- ISC2. ISSAP Certification Exam Outline.
- The Open Group. TOGAF Standard, 10th Edition. Architecture Roles and Skills Series Guide. 2024.
- The SABSA Institute. SABSA Certification Roadmap and SABSA White Paper (W101, 2009 revision).