How to Use OSA

A practical guide to using OSA patterns, controls, compliance mappings, and assessments.

OSA provides four interconnected resources: security patterns, a NIST 800-53 controls catalog, compliance framework mappings, and a self-assessment tool. This page explains how they fit together and how to get the most value from each.

The OSA Model

OSA connects security architecture to business objectives through a chain of relationships:

  • Business strategy drives IT strategy, which informs enterprise and solution architecture
  • Security architecture patterns define the proven control sets for specific architectural scenarios
  • Patterns reference NIST 800-53 Rev 5 controls, which are the implementation requirements
  • Controls map to 80 compliance frameworks spanning global standards (ISO 27001, NIST CSF 2.0, PCI DSS v4, SOC 2, CIS v8), regional regulations (DORA, NIS2, MAS TRM, APRA CPS 234), and sector-specific requirements across financial services, healthcare, energy, and insurance
  • Threats define what each pattern defends against, tied to real-world attack scenarios
  • Assessments let you measure your maturity against each pattern and benchmark against peers

This model means you can start from any entry point -- a compliance requirement, an architectural problem, a threat scenario, or a maturity assessment -- and navigate to the information you need.

Using Patterns

Patterns are the core of OSA. Each pattern addresses a specific security architecture scenario (zero trust, API security, cloud security, incident response, and so on) and provides:

  • An architectural diagram showing components, trust boundaries, and control placement
  • Key control areas with specific NIST 800-53 controls mapped to each
  • A threat model identifying what the pattern defends against
  • Real-world examples of the pattern applied in practice
  • References to authoritative sources (NIST, OWASP, vendor documentation)

Start with the OSA Landscape to see all 52 patterns mapped across 8 domains. Select the pattern closest to your architectural problem. Use the control areas as a checklist for your design, and the threat model to validate your risk coverage.

Patterns can be combined. A cloud deployment might reference Cloud Security (SP-025) for infrastructure, API Security (SP-030) for service boundaries, Modern Authentication (SP-032) for identity, and Security Monitoring (SP-031) for detection. The patterns are designed to compose.

Using Controls

The OSA controls catalog contains 315 NIST 800-53 Rev 5 controls across 20 families. Each control page shows:

  • The full NIST description and supplemental guidance
  • Which NIST baselines include the control (Low, Moderate, High)
  • Mappings to 80 compliance frameworks -- so you can see which ISO 27001 clause, PCI DSS requirement, or CIS control corresponds to each NIST control
  • Which OSA patterns reference the control

This is particularly valuable for compliance mapping. If an auditor asks how you address ISO 27001 Annex A 8.27 (Secure System Architecture and Engineering Principles), you can navigate to SA-08, see the NIST description, and trace it to the patterns where you have implemented it.

Using Compliance Mappings

OSA maps NIST 800-53 controls to 80 compliance frameworks covering global standards, regional regulations, and sector-specific requirements. This serves three use cases:

  • Compliance evidence: demonstrate how your NIST-based controls satisfy requirements across multiple frameworks simultaneously
  • Gap analysis: identify controls required by a framework you need to comply with, then check which patterns implement them
  • Framework comparison: understand how different frameworks overlap and where they diverge

The framework pages let you browse all mapped controls for a specific standard and navigate directly to the relevant NIST controls and OSA patterns.

Using Assessments

The self-assessment tool lets you score your implementation maturity for any pattern on a 1-5 scale across each control area. The tool then:

  • Identifies your gaps -- control areas where your maturity is below target
  • Generates a threat analysis showing which threats you are exposed to based on your gaps
  • Produces a report with prioritised recommendations
  • Benchmarks your scores against anonymous cross-industry averages contributed by other practitioners

Assessment data is encrypted client-side using AES-256-GCM before it reaches our servers. We cannot read your scores. See our privacy policy for details.
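The chain described on this page (pattern composition under Using Patterns, the control-to-pattern and framework-to-control navigation under Using Controls and Using Compliance Mappings, and the gap, threat, recommendation and benchmark steps of the assessment tool) can be modelled in a few dozen lines. The following is an added example, not OSA's own code or data model: the pattern ids, SA-08 and the ISO 27001 A.8.27 to SA-08 mapping come from this page, while every control-area name, threat label, peer average and other framework mapping is constructed sample data.

```python
"""Constructed example (not OSA's own code) of the OSA relationship chain:
pattern -> control area -> NIST 800-53 control -> compliance framework,
plus the self-assessment logic (gap below target -> exposed threats ->
prioritised recommendations -> peer benchmark).  Pattern ids, SA-08 and
the ISO 27001 A.8.27 -> SA-08 mapping come from the page; every other
control-area name, threat label and framework mapping is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlArea:
    name: str
    controls: frozenset   # NIST 800-53 control ids this area maps to
    threats: frozenset    # threats the area defends against


@dataclass(frozen=True)
class Pattern:
    pid: str
    name: str
    areas: tuple


# Constructed catalogue; control-area and threat names are assumptions.
PATTERNS = {
    "SP-030": Pattern("SP-030", "API Security", (
        ControlArea("Boundary protection", frozenset({"SC-7"}),
                    frozenset({"unauthenticated reachability"})),
        ControlArea("Client authentication", frozenset({"IA-2", "AC-2"}),
                    frozenset({"credential abuse"})))),
    "SP-031": Pattern("SP-031", "Security Monitoring", (
        ControlArea("Audit review", frozenset({"AU-6", "SI-4"}),
                    frozenset({"undetected intrusion"})),)),
    "SP-032": Pattern("SP-032", "Modern Authentication", (
        ControlArea("Identity proofing", frozenset({"IA-2"}),
                    frozenset({"credential abuse", "account takeover"})),
        ControlArea("Secure engineering", frozenset({"SA-08"}),
                    frozenset({"design flaw"})))),
}

# Constructed framework mapping: requirement id -> required NIST controls.
# Only A.8.27 -> SA-08 is taken from the page; the rest is illustrative.
FRAMEWORK_MAP = {
    "ISO 27001": {"A.8.27": {"SA-08"}, "A.8.15": {"AU-6"}, "A.8.13": {"CP-9"}},
    "PCI DSS v4": {"Req 8.3": {"IA-2"}, "Req 10.4": {"AU-6", "SI-4"}},
}


def patterns_implementing(control_id):
    """'Which OSA patterns reference the control' navigation from a control page."""
    return sorted(p.pid for p in PATTERNS.values()
                  if any(control_id in a.controls for a in p.areas))


def combined_controls(pattern_ids):
    """Composing patterns: the union of every control they reference."""
    return sorted(set().union(*(a.controls for pid in pattern_ids
                                for a in PATTERNS[pid].areas)))


def framework_gap_analysis(framework):
    """Per requirement: each required control and the patterns implementing it.
    A control mapped to no pattern ([]) is a gap your design must close elsewhere."""
    return {req: {c: patterns_implementing(c) for c in sorted(controls)}
            for req, controls in FRAMEWORK_MAP[framework].items()}


def unimplemented_controls(framework):
    """Required controls that no pattern in the catalogue covers."""
    return sorted(c for controls in FRAMEWORK_MAP[framework].values()
                  for c in controls if not patterns_implementing(c))


def assess(pattern_id, scores, target=3):
    """Self-assessment for one pattern. `scores` maps control-area name -> 1..5.
    Returns (gaps, exposed_threats, recommendations); gaps are areas scoring
    below `target`, threats are the union over gap areas, and recommendations
    are ordered by shortfall, largest first."""
    gaps, exposed = {}, set()
    for area in PATTERNS[pattern_id].areas:
        score = scores[area.name]
        if not 1 <= score <= 5:
            raise ValueError(f"{area.name}: score must be 1-5, got {score}")
        if score < target:
            gaps[area.name] = target - score
            exposed |= area.threats
    recs = [f"Raise '{name}' from {target - short} to {target} (shortfall {short})"
            for name, short in sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0]))]
    return gaps, sorted(exposed), recs


def benchmark(scores, peer_averages):
    """Your score minus the anonymous peer average, per control area."""
    return {name: round(scores[name] - peer_averages[name], 2) for name in scores}


if __name__ == "__main__":
    print(framework_gap_analysis("ISO 27001"))
    print(assess("SP-030", {"Boundary protection": 1, "Client authentication": 2}))
```

The audit workflow from this page is `framework_gap_analysis` followed by `patterns_implementing`; a control that comes back with an empty pattern list (CP-9 in the sample data) is exactly the kind of requirement an auditor will ask about that no selected pattern covers, so `unimplemented_controls` surfaces those first. The `target` parameter is where a programme sets its own maturity bar; the assessment report on the site is the same idea applied to every control area of a pattern.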

Common Workflows

Designing a new system

Start with the landscape to identify relevant patterns. Read each pattern's control areas and threat model. Use the controls as requirements for your design. Reference the compliance mappings to ensure you meet your regulatory obligations.

Assessing an existing system

Select the patterns that match your architecture. Run the self-assessment for each. The gap analysis will show where your implementation falls short, and the threat analysis will show the risk implications.

Preparing for an audit

Identify the compliance framework you are being audited against. Use the framework mapping pages to find the corresponding NIST controls. Navigate to the relevant patterns to see how those controls should be implemented. Use your assessment scores as evidence of maturity.

Training and education

Patterns are structured teaching material. Each one covers a specific domain with real-world context, authoritative references, and a clear threat model. The control areas break complex topics into manageable sections. Students and educators can use OSA as a freely available reference library.