We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / TOGAF
The Open Group · Global

TOGAF

The leading enterprise architecture framework and method (ADM).

Introduction: TOGAF as an Enterprise Architecture Discipline

The Open Group Architecture Framework (TOGAF) is the world's most widely adopted enterprise architecture (EA) framework, used by more than 80 per cent of the Global 50 and a large majority of the Forbes Global 200. Unlike a security or privacy standard, TOGAF is not a control catalogue that dictates 'thou shalt encrypt'; it is a method and a common language for planning, designing, governing and realising the target architecture of an enterprise across its business, data, application and technology dimensions. It answers the recurring executive question: 'How do we make sure our technology investments actually deliver the business outcomes we intend, in a repeatable and governed way?'

For CyberSigma clients, TOGAF matters because architecture is where security, privacy and resilience are either designed-in or bolted-on. A firm that treats PCI DSS, DPDP, ISO 27001 or CERT-In obligations as afterthoughts to an ungoverned architecture pays for it repeatedly in rework, audit findings and breach exposure. TOGAF provides the governance spine onto which security and compliance requirements can be hung as architecture principles, constraints and building blocks. This guide is written from the perspective of an auditor assessing whether an organisation's enterprise architecture capability is real, mature and delivering value, rather than a shelf-ware certificate. It maps every part of the framework so that an assessment team can verify conformance point by point and gather defensible evidence.

The current baseline of the standard is TOGAF 10 (the TOGAF Standard, 10th Edition), released by The Open Group in April 2022. TOGAF 10 restructured the material into a compact set of Fundamental Content documents plus a modular library of Series Guides, replacing the older single-volume TOGAF 9.2 structure. Where this guide references chapters or phases it uses TOGAF 10 terminology, and notes 9.2 equivalents where organisations are mid-migration.

Copyright and licensing note
TOGAF and the TOGAF Standard are registered trademarks of The Open Group. The normative text of the TOGAF Standard, 10th Edition, is copyright of The Open Group and is licensed for use under The Open Group's terms. This CyberSigma guide is an original, independent commentary and assessment aid; it paraphrases concepts for audit purposes and does not reproduce The Open Group's copyrighted text. Certification of individuals (TOGAF Foundation / TOGAF Practitioner) and certification of tools and services is administered solely by The Open Group. Always work from a licensed, current copy of the standard when performing formal conformance work.

What is TOGAF

TOGAF is a framework for developing and governing enterprise architecture. Its beating heart is the Architecture Development Method (ADM), a step-by-step, iterative cycle for producing architectures. Around the ADM sit a set of supporting components: the ADM Techniques, Applying the ADM guidance, Architecture Content (the metamodel and deliverables), Enterprise Architecture Capability and Governance, and the Architecture Development Method itself as the core process. In TOGAF 10 these are the 'Fundamental Content' pieces, supplemented by the TOGAF Library — a body of Series Guides covering agile, security, digital, business architecture and reference models such as the TOGAF Technical Reference Model (TRM) and the Integrated Information Infrastructure Reference Model (III-RM).

An enterprise architecture in TOGAF is expressed across four architecture domains: Business Architecture, Data Architecture, Application Architecture and Technology Architecture (the latter three collectively termed Information Systems Architectures, with Data and Application often grouped). The ADM drives a project through phases that develop each domain in turn, manage the transition from a Baseline (as-is) to a Target (to-be) architecture, and govern implementation and change. Cross-cutting these are the Enterprise Continuum (a way of classifying and reusing architecture and solution assets from generic Foundation Architectures through to Organisation-Specific Architectures) and the Architecture Repository that physically stores them.

TOGAF is deliberately method-agnostic about tools and technology choices. It does not prescribe a particular modelling notation (though it is frequently used alongside ArchiMate, also from The Open Group), a particular vendor stack, or a particular delivery methodology (it is compatible with waterfall, agile and product-oriented delivery). Its value is in the discipline it imposes: every architecture change should trace to a business driver, be governed by principles, pass through an Architecture Board, be captured in an Architecture Definition Document and Architecture Requirements Specification, and be controlled by an Architecture Contract with the implementers.

Key TOGAF concepts an assessor must recognise

  • Architecture Development Method (ADM): the eight phases (A to H) plus the Preliminary Phase and a central Requirements Management activity.
  • Architecture Vision, Architecture Definition Document (ADD) and Architecture Requirements Specification (ARS): the principal work products.
  • Building Blocks: Architecture Building Blocks (ABBs) describe required capability; Solution Building Blocks (SBBs) are the implementable components.
  • Enterprise Continuum and Architecture Repository: classification and storage of reusable assets.
  • Architecture Governance and the Architecture Board: the decision and control mechanism.
  • Architecture Contract, Architecture Compliance review and Change Management: the mechanisms that keep delivery aligned to the architecture.
  • Stakeholder Management, Architecture Views and Viewpoints: ensuring the architecture communicates to each audience.
  • Gap Analysis, Migration Planning and Transition Architectures: how an enterprise moves from baseline to target.

Who Must Comply (and Who Should Adopt)

TOGAF is a voluntary framework — there is no legal mandate to 'comply' as there is with DPDP or PCI DSS. Compliance in a TOGAF context means (a) an organisation choosing to align its EA practice with the framework, and (b) individual projects being assessed against the organisation's architecture through the TOGAF Architecture Compliance process. However, many organisations effectively require TOGAF alignment through procurement, governance mandates or sector expectations. The following table clarifies who is in scope.

Stakeholder / organisation typeWhy TOGAF applies to them
Large enterprises undergoing digital transformationNeed a governed method to align multi-year IT and business change; TOGAF provides the roadmap and governance.
Government and public-sector bodiesMany national and state e-governance programmes mandate an EA framework; TOGAF (or derivatives) is a common baseline for interoperability.
Financial services and regulated firmsRegulators expect demonstrable architecture governance, change control and traceability; TOGAF evidences this discipline.
System integrators and consultanciesClient contracts frequently require TOGAF-certified architects and TOGAF-conformant deliverables.
Organisations pursuing ISO/IEC 42010 architecture description conformanceTOGAF's views/viewpoints model aligns with ISO/IEC 42010 expectations.
Individual enterprise, solution and domain architectsProfessional credibility and hiring frequently depend on TOGAF Foundation / Practitioner certification.
CIO / CTO offices and PMOsPortfolio and programme governance benefit from ADM-driven roadmaps and capability increments.
Vendors of EA toolingTools may seek The Open Group 'TOGAF-certified tool' status to serve the market.

Levels of conformance

The Open Group defines two conformance postures for products and services: 'TOGAF Conformant' and 'TOGAF Certified'. For internal practice, an organisation typically self-assesses whether its EA capability follows the ADM and produces the mandated deliverables. Individuals are certified at TOGAF Foundation (knowledge) and TOGAF Practitioner (applied) levels under the current certification programme, with Enterprise Architecture Practitioner and Team credentials in the modular certification portfolio.

Structure of TOGAF

TOGAF 10 is organised as Fundamental Content plus the TOGAF Library (Series Guides). The Fundamental Content is the enduring core; the Library is the extensible, guidance layer. The table below sets out the principal structural components an assessor will encounter, mapped to their role in an EA capability.

Component / familyPurpose in the framework
Introduction and Core ConceptsDefines EA, the ADM cycle, and the relationship between architecture domains and the Enterprise Continuum.
Architecture Development Method (ADM)The core iterative process: Preliminary, Phases A-H, and Requirements Management.
ADM TechniquesSupporting techniques: architecture principles, stakeholder management, business scenarios, gap analysis, migration planning, risk management, interoperability, business transformation readiness assessment.
Applying the ADMGuidance on iteration, levels of architecture, security integration, using the ADM at different scopes.
Architecture ContentThe Content Metamodel, architecture artefacts (catalogues, matrices, diagrams) and deliverables such as the ADD and ARS.
Enterprise Architecture Capability and GovernanceEstablishing the architecture function, the Architecture Board, governance framework, compliance, contracts and the maturity model.
Enterprise Continuum and RepositoryClassification (Foundation, Common Systems, Industry, Organisation-Specific architectures) and the Architecture Repository.
TOGAF Library — Reference ModelsTechnical Reference Model (TRM), Integrated Information Infrastructure Reference Model (III-RM).
TOGAF Library — Series GuidesAgile, Security, Digital, Business Architecture, Information/Data Architecture, Government, Risk and Security integration guidance.
Architecture Governance domainsArchitecture, IT, Business and Corporate governance as nested contexts within which EA operates.

The four architecture domains

Architecture domainWhat it describes
Business ArchitectureBusiness strategy, governance, organisation, capabilities, value streams and key business processes.
Data ArchitectureStructure of the organisation's logical and physical data assets and data management resources.
Application ArchitectureA blueprint of the individual application systems, their interactions and relationships to business processes.
Technology ArchitectureThe software and hardware capabilities (infrastructure, middleware, networks, platforms) required to support the deployment of business, data and application services.

Master Assessment Checklist

This is the core of the guide. It enumerates every phase of the ADM, every supporting technique, every governance function and every mandated deliverable, with 'What to verify' and 'Typical evidence' columns so that an assessment team can walk the entire framework without gaps. An organisation claiming TOGAF alignment must be able to satisfy each row for the architectures it produces. Where a row is 'not applicable', that decision must itself be documented as an architecture governance record.

Preliminary Phase — Establishing the Architecture Capability

What to verifyTypical evidence
The organisational context and 'architecture footprint' (who does architecture, where) is defined.Organisation chart of the EA function, stakeholder map, sponsoring executive charter.
Architecture principles are defined, ratified and maintained.Signed Architecture Principles catalogue with rationale and implications per principle.
The Architecture Framework (tailored TOGAF) and governance framework are established.Tailored ADM/method document, governance operating model, terms of reference for the Architecture Board.
Tools and repository for architecture work are selected and configured.EA tool selection record, Architecture Repository structure, metamodel configuration.
Request for Architecture Work process and templates are defined.Template Request for Architecture Work, intake workflow, prioritisation criteria.

Phase A — Architecture Vision

What to verifyTypical evidence
A Request for Architecture Work has been received and accepted with clear scope.Approved Request for Architecture Work, scope statement, constraints and assumptions log.
Stakeholders, concerns and business requirements are identified.Stakeholder Map matrix, concerns catalogue, communications plan.
Business goals, drivers and strategic constraints are confirmed.Business goals/drivers catalogue traced to strategy documents.
Baseline and target architectures are described at a high level.Architecture Vision document with high-level baseline/target sketches.
Business value and risk of the engagement are assessed; capability increments outlined.Business value assessment, initial risk register, business transformation readiness assessment.
A Statement of Architecture Work is produced and approved.Signed Statement of Architecture Work with schedule, resources and deliverables.

Phase B — Business Architecture

What to verifyTypical evidence
Baseline Business Architecture is described to the required level of detail.Baseline business capability map, value streams, org/actor catalogue, process catalogue.
Target Business Architecture is developed.Target business capability map, target value streams, target org/function models.
Gap analysis between baseline and target is performed.Business gap analysis matrix identifying additions, deletions and changes.
Candidate architecture roadmap components are identified.Roadmap candidate list, work packages, dependency notes.
Impact on the wider architecture landscape is assessed and views produced for stakeholders.Business architecture views/viewpoints, stakeholder review sign-off.
Business Architecture components of the ADD and ARS are updated.Updated Architecture Definition Document (business section), business requirements in the ARS.

Phase C — Information Systems Architectures (Data)

What to verifyTypical evidence
Baseline Data Architecture is documented.Baseline data entity catalogue, data dissemination diagrams, logical data model.
Target Data Architecture is developed with data management principles applied.Target logical/physical data models, data lifecycle diagrams, data governance principles.
Data security, privacy and classification requirements are integrated.Data classification scheme, privacy-by-design records, DPDP/ISO 27001 data controls mapping.
Gap analysis and roadmap components for data are produced.Data gap analysis matrix, data-related work packages.
Data Architecture views are produced and reviewed with stakeholders.Data architecture views, data steward review records.

Phase C — Information Systems Architectures (Application)

What to verifyTypical evidence
Baseline Application Architecture is documented.Application portfolio catalogue, application/function matrix, application communication diagram.
Target Application Architecture is developed independent of specific technology.Target application components, interface catalogue, application/data matrix.
Application interoperability and integration requirements are defined.Interoperability requirements, interface/API catalogue, integration patterns.
Gap analysis and application roadmap components are produced.Application gap analysis matrix, application work packages.
Application Architecture views are produced and reviewed.Application architecture views, stakeholder sign-off.

Phase D — Technology Architecture

What to verifyTypical evidence
Baseline Technology Architecture is documented.Technology portfolio/standards catalogue, platform decomposition, environments diagram.
Target Technology Architecture is developed, referencing the TRM where used.Target technology components, TRM mapping, network/platform diagrams.
Non-functional requirements (performance, availability, security, scalability) are addressed.NFR catalogue, capacity/resilience models, security architecture controls.
Gap analysis and technology roadmap components are produced.Technology gap analysis matrix, technology work packages.
Technology Architecture views are produced and reviewed.Technology architecture views, infrastructure/security review records.

Phase E — Opportunities and Solutions

What to verifyTypical evidence
Consolidated gaps across domains are grouped into work packages.Consolidated gap analysis, work package definitions.
Transition Architectures are defined where a direct move is not feasible.Transition Architecture set showing intermediate states.
Solution Building Blocks and delivery options (buy/build/reuse) are evaluated.SBB catalogue, make-vs-buy analysis, reuse from Enterprise Continuum.
Business value and dependencies of work packages are assessed.Value/effort matrix, dependency map, initial implementation strategy.
Architecture Roadmap is drafted.Draft Architecture Roadmap with sequenced increments.

Phase F — Migration Planning

What to verifyTypical evidence
Implementation and Migration Plan is finalised and integrated with portfolio/programme plans.Approved Implementation and Migration Plan aligned to PMO plans.
Cost/benefit and risk assessment of the migration is completed.Business case, cost-benefit analysis, migration risk register.
Transition Architectures are prioritised and sequenced.Prioritised Transition Architecture sequence with success criteria.
The Architecture Roadmap and Implementation Plan are finalised.Finalised Architecture Roadmap, resource and funding plan.

Phase G — Implementation Governance

What to verifyTypical evidence
An Architecture Contract governs each implementation project.Signed Architecture Contract(s) between architecture function and delivery teams.
Architecture Compliance reviews are conducted at defined gates.Compliance review reports, deviation/waiver register.
Implementation-time governance decisions are recorded.Architecture Board minutes, dispensations, change decisions.
Solutions are deployed in line with the Target Architecture and Transition Architectures.Deployment records mapped to architecture, as-built confirmation.

Phase H — Architecture Change Management

What to verifyTypical evidence
Change requests to the architecture are captured and triaged (simplification/incremental/re-architecting).Architecture change log with classification of each request.
Technology and business change monitoring feeds the architecture.Change monitoring reports, environment scans, value realisation reviews.
Governance decides whether changes trigger a new ADM cycle.Change decision records, Requests for Architecture Work spawned from change.
Architecture Repository is kept current after changes.Repository version history, baseline updates.

Requirements Management (central to all phases)

What to verifyTypical evidence
Architecture requirements are captured, stored and version-controlled throughout the cycle.Architecture Requirements Specification with unique requirement IDs.
Requirements are prioritised and their impact assessed at each phase.Requirements impact analysis, prioritisation records.
Requirements traceability from business drivers to building blocks is maintained.Requirements traceability matrix (driver to requirement to ABB/SBB).
Changes to requirements are governed and communicated.Requirements change log, stakeholder notifications.

ADM Techniques

What to verifyTypical evidence
Architecture principles are defined, applied and tested against decisions.Principles catalogue with statement/rationale/implications; principle-conformance checks.
Stakeholder management is performed with a documented approach.Stakeholder power/interest analysis, engagement plan.
Business scenarios are used to derive and validate requirements.Business scenario documents linking actors, processes and technology.
Gap analysis technique is applied consistently across domains.Gap analysis matrices for each domain.
Migration planning techniques (implementation factor assessment, consolidated roadmap) are applied.Implementation factor catalogue, consolidated gaps/roadmap.
Interoperability requirements are determined and reconciled.Interoperability matrix and requirements.
Business transformation readiness is assessed and risks managed.Readiness assessment (BTEP-style), risk register with mitigations.
Risk management is embedded (initial, residual, monitoring).Architecture risk register with impact/frequency and residual risk.

Architecture Content and Metamodel

What to verifyTypical evidence
A Content Metamodel governs the artefacts produced.Documented/tailored metamodel, artefact catalogue.
Deliverables (ADD, ARS, Roadmap, Contracts) follow defined templates.Populated ADD and ARS, contract templates.
Catalogues, matrices and diagrams are produced per phase.Actual catalogues (e.g. principles, applications), matrices, diagrams.
Building Blocks (ABBs and SBBs) are defined and reused.Building block register with ABB/SBB classification and reuse links.

Enterprise Continuum and Architecture Repository

What to verifyTypical evidence
Assets are classified along the Enterprise Continuum (Foundation, Common Systems, Industry, Organisation-Specific).Continuum classification of repository assets.
The Architecture Repository is structured (Landscape, Standards Information Base, Reference Library, Governance Log, Requirements Repository).Repository structure documentation and contents.
A Standards Information Base (SIB) records mandated standards.SIB with technology/security standards and their status.
Reuse of existing assets is evidenced in new work.Traceability from new SBBs to reused continuum assets.

Architecture Governance and the Architecture Board

What to verifyTypical evidence
An Architecture Board is established with clear terms of reference and membership.Architecture Board charter, membership list, meeting cadence.
Architecture governance framework covers processes, content, context and repository governance.Governance framework document, RACI for governance activities.
Architecture Compliance is assessed (irrelevant to fully conformant, and grades in between).Compliance assessment reports with conformance grading.
Waivers, dispensations and deviations are formally governed and time-bound.Waiver register with expiry, approver and remediation plan.
Governance decisions are logged and auditable.Architecture Governance Log / Board minutes.

Security and risk integration (TOGAF Security Series Guide)

What to verifyTypical evidence
Security stakeholders and requirements are engaged from Phase A onwards.Security stakeholder entries, security concerns in the Architecture Vision.
Security architecture is developed across business, data, application and technology domains.Security views, control mappings to ISO 27001 / NIST / PCI DSS.
Risk-driven security requirements feed the ARS and are governed.Security requirements with IDs, risk treatment decisions.
Security compliance is verified in Phase G governance.Security compliance review, penetration/assurance evidence.

Scoping

Scoping an architecture engagement is a first-class TOGAF activity, addressed principally in the Applying the ADM guidance. A frequent cause of failed EA programmes is boiling the ocean — attempting to model the entire enterprise at full depth. TOGAF instead advises scoping along four dimensions so that each iteration is achievable and delivers value.

Scoping dimensionAssessment consideration
Breadth (enterprise coverage)Which parts of the enterprise are in scope: whole enterprise, a segment/domain, or a single capability?
Depth (level of detail)Strategic (context-setting), Segment (portfolio), or Capability (project-level) architecture depth.
Time period (architecture horizon)How many Transition Architectures and how far into the future the target reaches.
Architecture domainsWhich of Business, Data, Application and Technology are covered in this iteration.

An assessor should confirm that scope is explicitly declared in the Statement of Architecture Work, that it aligns with the sponsor's mandate, and that out-of-scope areas are recorded so downstream teams understand the boundaries. Iteration is expected: TOGAF supports architecture at Strategy, Portfolio, Project and Solution Delivery levels, each with its own appropriate depth.

Implementation Approach

Adopting TOGAF is itself an enterprise change and should be run as a phased programme. The phases below give a pragmatic, auditor-friendly rollout. Each phase lists the key activities and the deliverables that evidence completion.

Phase 1 — Establish the Architecture Capability

Activities: secure executive sponsorship; define the EA operating model and organisation; tailor TOGAF to the enterprise (which phases, techniques and deliverables apply); select an EA tool and stand up the Architecture Repository; ratify an initial set of Architecture Principles.

Deliverables: EA charter and operating model; tailored ADM/method; Architecture Principles catalogue; Architecture Board terms of reference; configured repository and metamodel.

Phase 2 — Pilot on a Bounded Engagement

Activities: choose a high-value, contained business problem; run a full ADM cycle (Phases A-F) at appropriate depth; produce real artefacts; capture lessons learned; refine templates.

Deliverables: Architecture Vision and Statement of Architecture Work; populated ADD and ARS; gap analyses; Architecture Roadmap and Implementation and Migration Plan for the pilot.

Phase 3 — Institutionalise Governance

Activities: operationalise the Architecture Board cadence; embed Architecture Compliance reviews into the delivery lifecycle and portfolio gates; introduce Architecture Contracts; establish the waiver/dispensation process; connect EA governance to corporate, IT and business governance.

Deliverables: governance framework and RACI; compliance review checklist; contract templates; governance log; integration points with PMO and change advisory boards.

Phase 4 — Scale Across the Enterprise

Activities: extend architecture coverage to further segments and capabilities; build reusable building blocks and reference architectures; populate the Standards Information Base; introduce iteration across strategy, portfolio and project levels.

Deliverables: enterprise capability map; reference architectures and building block library; Standards Information Base; multi-level Architecture Roadmap.

Phase 5 — Measure, Optimise and Mature

Activities: measure EA value delivery and stakeholder satisfaction; run architecture maturity assessments; feed change management (Phase H) with monitoring; continuously improve principles, metamodel and governance.

Deliverables: EA KPI dashboard; maturity assessment reports; continuous improvement backlog; refreshed principles and repository.

Maturity / Capability Model

TOGAF references architecture maturity through capability-based models; The Open Group's Architecture Capability guidance and the widely used Architecture Capability Maturity Model (ACMM, originating from the US Department of Commerce and referenced in TOGAF) provide a five/six-level scale. The table below expresses the practical levels an assessor uses to grade an EA function.

LevelCharacteristics and evidence
0 — NoneNo EA process; architecture is ad hoc and undocumented; no principles, no board.
1 — InitialSome architecture activity exists but informal, project-specific and inconsistent; deliverables vary widely.
2 — Under DevelopmentADM partially adopted; some principles and templates exist; governance is emerging but inconsistently applied.
3 — DefinedStandardised, documented ADM tailored to the enterprise; Architecture Board operational; compliance reviews performed; repository maintained.
4 — ManagedArchitecture is measured; metrics drive decisions; strong governance with contracts and waivers; reuse of building blocks is routine.
5 — Optimising / MeasuredContinuous improvement of the EA capability; architecture value is quantified and demonstrably influences strategy and investment; predictive and proactive change management.

Assessment and Audit Approach

A TOGAF assessment combines an Architecture Compliance review (of specific architectures/projects) with a capability review (of the EA function itself). The following ordered steps describe a defensible audit.

  1. Confirm scope and objectives with the sponsor: is this a capability maturity review, an architecture compliance review of a project, or both?
  2. Request and study the tailored TOGAF method and Architecture Principles to establish the organisation's own baseline of expectations.
  3. Review the Architecture Repository structure and sample its contents (ADD, ARS, roadmaps, governance log).
  4. Walk the ADM per engagement: verify each phase's inputs, steps and outputs against the master checklist above.
  5. Assess Requirements Management: test traceability from a business driver through requirements to building blocks and delivered solution.
  6. Evaluate governance: review Architecture Board minutes, compliance reviews, waivers and Architecture Contracts for a sample of projects.
  7. Assess security and risk integration across the domains and confirm alignment with the organisation's control frameworks.
  8. Grade capability maturity against the level model, with evidence for each level claimed.
  9. Interview stakeholders (sponsors, architects, delivery leads) to corroborate documentary evidence and test whether the practice is real, not shelf-ware.
  10. Produce findings graded (Irrelevant / Consistent / Compliant / Conformant / Fully Conformant or Non-Conformant), with prioritised recommendations and a remediation roadmap.

Evidence Request List

The following categorised list is what an assessor should request in advance. It doubles as a self-preparation checklist for the assessed organisation.

Capability and governance

  • EA charter, operating model and organisation chart.
  • Tailored TOGAF ADM / method documentation.
  • Architecture Principles catalogue with rationale and implications.
  • Architecture Board terms of reference, membership and recent minutes.
  • Architecture governance framework and RACI.
  • Architecture Capability maturity self-assessment (if any).

Method and deliverables

  • Sample Request for Architecture Work and Statement of Architecture Work.
  • Architecture Vision documents for representative engagements.
  • Architecture Definition Documents (ADD) covering business, data, application, technology.
  • Architecture Requirements Specifications (ARS) with requirement IDs.
  • Gap analysis matrices per domain.
  • Architecture Roadmaps and Implementation and Migration Plans.
  • Transition Architecture definitions.

Governance and delivery control

  • Architecture Contracts for in-flight projects.
  • Architecture Compliance review reports.
  • Waiver / dispensation / deviation register.
  • Architecture Governance Log and change log (Phase H).
  • Requirements traceability matrices.

Repository, standards and reuse

  • Architecture Repository structure and inventory.
  • Standards Information Base (SIB).
  • Building block register (ABBs and SBBs) and reference architectures.
  • Enterprise Continuum classification of assets.
  • Security and risk views, control mappings and risk registers.

Roles and Responsibilities

RoleKey responsibilities in a TOGAF practice
Chief / Enterprise ArchitectOwns the EA capability, method and principles; chairs or advises the Architecture Board; assures architecture value.
Architecture Sponsor (Executive)Provides mandate, funding and authority; approves Statements of Architecture Work; escalation point.
Architecture BoardGoverns architecture decisions, approves compliance, grants waivers, resolves deviations.
Business ArchitectDevelops Business Architecture (capabilities, value streams, processes); links strategy to structure.
Data / Information ArchitectDevelops Data Architecture, data governance, classification and data lifecycle.
Application ArchitectDevelops Application Architecture, interfaces, integration and application portfolio rationalisation.
Technology / Infrastructure ArchitectDevelops Technology Architecture, platforms, NFRs and standards.
Security ArchitectIntegrates security and risk across all domains; maps to control frameworks; assures compliance.
Solution ArchitectBridges architecture to delivery; defines Solution Building Blocks; ensures conformance during Phase G.
Programme / Portfolio Manager (PMO)Aligns the Implementation and Migration Plan with programme delivery and funding.
Delivery / Development TeamsImplement Solution Building Blocks under the Architecture Contract and compliance regime.

KPIs to Track

  • Percentage of change initiatives passing through an Architecture Compliance review before funding.
  • Architecture compliance conformance rate (share of projects graded Conformant or better).
  • Number and ageing of open waivers/dispensations (lower and younger is better).
  • Requirements traceability coverage (share of delivered features traceable to a governed requirement).
  • Reuse rate of Architecture and Solution Building Blocks across projects.
  • Reduction in application/technology portfolio redundancy (duplicate capabilities retired).
  • Time-to-decision at the Architecture Board (governance responsiveness).
  • EA maturity level trend over successive assessments.
  • Stakeholder satisfaction with architecture services.
  • Realised business value / benefits attributable to architecture-led change.
  • Percentage of security requirements integrated from Phase A rather than retrofitted.
  • Standards Information Base coverage and currency (share of technology governed by an approved standard).

Readiness Checklist

  • Executive sponsorship for enterprise architecture is secured and documented.
  • TOGAF has been tailored to the enterprise and the method is published.
  • Architecture Principles are ratified and actively applied to decisions.
  • An Architecture Board is operating with clear terms of reference.
  • An Architecture Repository is stood up and structured (landscape, SIB, reference library, governance log, requirements).
  • Templates for the ADD, ARS, roadmap and Architecture Contract exist and are in use.
  • Requirements Management provides end-to-end traceability.
  • Architecture Compliance reviews are embedded in the delivery lifecycle.
  • A waiver / dispensation process exists and is time-bound.
  • Security and risk are integrated from Phase A across all four domains.
  • Building blocks and reference assets are being reused via the Enterprise Continuum.
  • EA KPIs are defined, collected and reported to leadership.
  • An architecture maturity assessment has been performed and a baseline established.
  • Phase H change management monitors business and technology change into the architecture.

Common Gaps

  • Shelf-ware architecture: impressive documents that no delivery team actually follows because governance has no teeth.
  • Big-bang scoping: attempting to model the whole enterprise at full depth, producing nothing usable before momentum is lost.
  • Missing Requirements Management: no traceability from business drivers to building blocks, so architecture cannot be defended or reused.
  • Weak or absent Architecture Board: decisions made outside governance, waivers granted informally and never expiring.
  • Security bolted on late: security architecture retrofitted in Phase G rather than integrated from Phase A, causing rework and gaps.
  • No Enterprise Continuum discipline: assets not classified or reused, so every project reinvents the same building blocks.
  • Principles that are slogans: Architecture Principles lacking rationale and implications, so they cannot be applied to real decisions.
  • Repository neglect: baselines not updated after change (Phase H skipped), so the 'as-is' drifts from reality.
  • Confusing ADM with a waterfall project plan: treating phases as one-off gates instead of iterating across strategy, portfolio and project levels.
  • No maturity measurement: the EA function cannot demonstrate improvement or value, undermining continued sponsorship.
  • Over-tooling before capability: buying an expensive EA tool before establishing method, principles and governance.

TOGAF Mapped to Other Frameworks

FrameworkRelationship to TOGAF
ArchiMate (The Open Group)Modelling language commonly used to express TOGAF architectures; maps to the ADM domains and content metamodel.
ISO/IEC 42010Architecture description standard; TOGAF's views/viewpoints and stakeholder-concern model align with its requirements.
Zachman FrameworkA taxonomy (classification schema) for architecture artefacts; TOGAF provides the process (ADM), Zachman the ontology — complementary.
COBIT (ISACA)IT governance framework; TOGAF architecture governance nests within COBIT's enterprise governance of IT.
ITILService management; TOGAF technology/application architecture feeds ITIL service design and transition.
ISO/IEC 27001ISMS controls; integrated via the TOGAF Security guidance as security requirements and controls across the domains.
NIST Cybersecurity FrameworkRisk-based security outcomes; mapped into the security architecture developed within the ADM.
PCI DSSCardholder-data security controls; expressed as architecture constraints and control requirements in the ARS for in-scope systems.
DPDP Act 2023 / GDPRData protection law; privacy-by-design requirements captured in Data Architecture (Phase C) and governed as principles.
FEAF / DoDAF / MODAFGovernment/defence architecture frameworks; often derived from or compatible with TOGAF's ADM and content approach.
SABSABusiness-driven security architecture; frequently combined with TOGAF to deepen the security domain.
Scaled Agile (SAFe) / Agile deliveryTOGAF Agile guidance aligns ADM iterations with agile release trains and product-oriented delivery.
How CyberSigma helps
CyberSigma helps organisations turn TOGAF from a certificate into a working capability. Our CERT-In empanelled and PCI QSA-qualified architects run maturity assessments against the ADM and the capability model, stand up a tailored ADM, Architecture Principles, an Architecture Board and a governed repository, and embed Architecture Compliance reviews into your delivery lifecycle. Crucially, we integrate security, privacy and resilience from Phase A — mapping ISO 27001, PCI DSS, DPDP and NIST controls directly into your Business, Data, Application and Technology architectures so that compliance is designed-in, evidenced and audit-ready. Whether you are establishing an EA function, piloting your first ADM cycle, or scaling and measuring an existing practice, CyberSigma provides the assessment, remediation roadmap and hands-on architecture leadership to get you to a defensible, value-delivering enterprise architecture.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is TOGAF a security framework?
No — TOGAF is a general enterprise-architecture framework. Security architecture is typically layered on using SABSA, which integrates with the TOGAF ADM.

Need help with TOGAF?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.