Enterprise Security Architecture Model for Critical Infrastructure
Developed an enterprise security architecture model using ArchiMate notation to establish traceability from regulatory drivers through security principles, controls, and technical implementations. The model aligns NIST CSF, AESCSF, and ISO 27001 frameworks with organisational capabilities and threat scenarios.
The Challenge
Understanding the Problem
A critical infrastructure operator needed to demonstrate compliance with the Security of Critical Infrastructure Act (SOCI) and the Australian Energy Sector Cyber Security Framework (AESCSF). The organisation had implemented various security controls across multiple systems but lacked a unified view of how these controls mapped to regulatory requirements, security principles, and business capabilities. Leadership required a structured approach to security governance that could trace security investments from strategic drivers through to technical implementations, while also enabling maturity assessment and gap analysis across security domains.
Our Approach
How We Helped
We developed an enterprise security architecture model using ArchiMate notation within a TOGAF-aligned methodology. The model established five security functions (Govern, Identify, Protect, Detect, Respond, Recover) aligned to NIST CSF v2.0, with 24 security principles distributed across these functions. Each principle was mapped to specific risk control objectives, technical controls from ISM and NIST 800-53, and security capabilities. The architecture incorporated STRIDE-LM threat modelling to link controls to specific threat vectors. Framework crosswalks were established between AESCSF, C2M2, and NIST CSF to enable compliance mapping across multiple regulatory requirements. A five-level maturity model (Incomplete, Initial, Developing, Managing, Optimising) was integrated to enable current-state assessment and target-state planning.
Results
Key Outcomes
Security architecture model with traceability from SOCI/AESCSF requirements to technical controls
24 security principles mapped across Govern, Identify, Protect, Detect, Respond, and Recover functions
Framework crosswalks enabling simultaneous compliance demonstration for AESCSF, C2M2, and NIST CSF
STRIDE-LM threat model integration linking controls to specific threat vectors and attack scenarios
Risk control objectives mapped to security capabilities and technical specifications
Five-level maturity model enabling gap analysis and remediation prioritisation
ArchiMate-based model enabling integration with enterprise architecture tooling
We take our confidentiality obligations seriously. The project descriptions on this page have been generalised to protect client identities. We are happy to discuss our experience and approach where appropriate during a confidential conversation.