ISACA Journal Author Blog


ESA: What Is It and How Does it Work?

Rassoul Ghaznavi Zadeh, CISM, COBIT Foundation, SABSA, TOGAF
Published: 8/28/2017 3:48 PM | Category: Security

Enterprise security architecture (ESA) is the methodology and process used to develop a risk-driven security framework and business controls. The focus of an enterprise architect should be to align information security controls and processes with business strategy, goals and objectives.

Normally, an effective ESA is developed by following these steps:

  • Defining the business’s goals and objectives
  • Understanding business risk and threats
  • Understanding compliance, regulation and legal requirements
  • Identifying the appropriate framework and architecture vision
  • Identifying the appropriate security controls (gap analysis)
  • Managing and implementing the security controls
  • Monitoring and evaluating the security controls
  • Assessing and identifying gaps before repeating the cycle

The previously mentioned steps are considered a part of ESA life cycle management. It is important to note that ESA is not a one-off task but a continuous process.

[Figure: ESA Life Cycle Management]

Guidance on How to Choose Architecture Framework and Controls
Consider the following steps when selecting a framework:

  • Pick a framework that is relevant to your business and applicable regulations (e.g., US National Institute of Standards and Technology [NIST] Cybersecurity Framework, International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC], COBIT).
  • Customize the controls to fit your business’s purpose and align them with goals and objectives. Make sure all business risk and threats are managed with appropriate controls. Tune and finalize the framework and document the requirements.

Guidance on Business Risk Identification
Business risk identification is a fundamental part of setting up an architecture. One way to identify business risk is to look at current threats to your business goals and objectives.

However, I suggest you start your business risk identification with business attribute profiling. Business attribute profiling is a useful concept introduced by the SABSA framework and can be used to identify business risk.

To begin your business attribute profiling, you need to identify all attributes that are important to your business. For example, you may find that industry regulation compliance, assured customer privacy and assured customer satisfaction are important. Once you have established the important attributes for your business, you can find the risk associated with each corresponding attribute. 

Guidance on Gap Analysis
Gap analysis needs to be performed to identify the requirements to progress the current architecture to the desired architecture. Normally, maturity models, like the Capability Maturity Model Integration (CMMI), can be used to identify the current level of maturity for each control and their respective required level of maturity. After this is established, a relevant migration plan can be created and implemented.

Read Rassoul Ghaznavi Zadeh’s recent Journal article:
“Enterprise Security Architecture—A Top-Down Approach,” ISACA Journal, volume 4, 2017.


EA in Agile environment

Hi Rassoul, thanks for sharing! Good article. I would like to ask for your opinion here. When an organization operates in an Agile way, changes come fast, which typically decreases the time available to go through the whole cycle of the process. So in an Agile environment, where in the described process do you see the strongest need to focus? Thank you.
Stanislava041 at 9/7/2017 2:40 AM


Hi Rassoul,

Do you have more about the life-cycle you show here? Is it yours? Is it copied or based on something?

Maurice499 at 9/15/2017 4:46 AM



Sorry for my late response.
I don't really believe there would be a difference in an agile environment in terms of gap assessment, defining architectural controls and lifecycle management. However, the main difference is operational and service management and the ability to respond fast. Agile environments are where governance plays a big role and operational risk management is key.
I guess with the method that I explain in my article in the Journal, having a different business model, attributes and risks could have an impact on how you define risks and manage them. How to respond to the agility of the environment could be part of the overall architecture design.
I am sorry, I know it is not a black or white response, but a detailed understanding of the business operation and trying to be aligned is fundamental.
rasoolg at 9/19/2017 7:07 AM



The lifecycle demonstration is something that I came up with. It is not far from models like TOGAF but simpler and security focused.
There is a bit more explanation in my article in the Journal.
rasoolg at 9/19/2017 7:09 AM