OSA Taxonomy

The OSA Taxonomy depicts the entities and relationships that are relevant for OSA. The taxonomy helps to understand how OSA is related to other security concepts, and allows us to consider how we will develop OSA in the future.


[Diagram: the OSA Taxonomy metamodel; the SVG version of the diagram has hyperlinked controls.]


You will note from the diagram that the main value OSA brings you is in relating controls to security architecture, by helping to identify the common patterns that occur when you design security architectures to solve security challenges in IT systems. There are hyperlinks to definitions in the SVG version of the diagram.

Currently OSA is focused on controls and patterns.

We have some mappings in the catalog to other control frameworks and policy sets, such as ISO and COBIT, but plan to add more, for example PCI-DSS, FSA and APRA. We also want to create a consistent set of generic policies (or principles and control objectives), as we think that ISO and ISF SOGP are not consistent enough, and COBIT is not granular enough, for IT Security control objectives.

Our threat catalog is still taking shape, and while we plan to supplement the control catalog with tests, this work has not been started.

We also believe we have some exciting ideas for helping you formulate IT strategy as part of your Information Security Management System planning, which will make it easier to prioritise and plan investments so that you maintain appropriate security levels and meet your business goals.