The SABSA (Sherwood Applied Business Security Architecture) model is a widely accepted framework for developing risk-driven enterprise information security architectures. The model includes six layers: Contextual, Conceptual, Logical, Physical, Component, and Operational. Among these, the Contextual architecture is the topmost layer and is designed specifically to align the security architecture with the business's goals, drivers, and requirements.
In detail, the Contextual architecture layer answers questions such as:
What is the business trying to achieve?
Who are the stakeholders?
What are the critical business assets?
What are the risk appetite and tolerance levels?
This layer sets the foundation for all subsequent layers and ensures that the security strategy directly supports business objectives and strategic direction.
This makes Option A: Contextual architecture the correct answer, as it focuses on aligning the security architecture with business requirements and drivers.
Relevance to ISO/IEC 27001:2022
While the SABSA model is not explicitly part of ISO/IEC 27001:2022, it complements the ISO standard, particularly in how it supports the design and implementation of an effective Information Security Management System (ISMS) aligned with business strategy.
Under ISO/IEC 27001:2022, the following clauses support the alignment of security architecture with business requirements:
Clause 4.1 – “Understanding the organization and its context”: "The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended results of its ISMS."
Clause 4.2 – “Understanding the needs and expectations of interested parties”: "The organization shall determine the interested parties that are relevant to the ISMS and the requirements of these interested parties."
These clauses emphasize the importance of understanding the broader business environment, stakeholder expectations, and strategic business drivers—exactly what the SABSA Contextual layer is designed to address.
In summary, the Contextual architecture layer in SABSA aligns directly with the intent and structure of ISO/IEC 27001:2022 Clause 4, making it the correct and verified choice for this question.