Enterprise Architects can use the ArchiMate® language to model Enterprise Risk Management (ERM) and security concepts and relationships. This widely accepted open standard provides the modeling constructs to describe and interconnect business and technical architectures. Applying the ArchiMate language to represent risk and security concepts results in the ideal vehicle to consider these aspects in an integral way. The ArchiMate language fits well with other Enterprise Architecture (EA) frameworks and standards, such as the TOGAF® standard and the Zachman framework, as well as enterprise security management frameworks such as the Sherwood Applied Business Security Architecture (SABSA).
Through its Motivation extension, the ArchiMate language makes it possible to link control measures to security requirements, principles, and goals, as well as to the results of a risk analysis. On the other hand, ArchiMate models can be linked to design languages for business processes and IT solutions such as BPMN and UML. These linkages enable precise gathering of a set of broadly accepted risk and security concepts, analysis of their semantics, and consensus regarding the most important ones of the full scope of enterprise risk.
This White Paper, a joint project of The Open Group ArchiMate Forum and The Open Group Security Forum, demonstrates this approach and identifies opportunities for future work that would enhance it.