The ESARIS Security Taxonomy (for Office or Enterprise IT)
The Zero Outage Industry Standard uses the ESARIS Security Taxonomy as its classification and organization schema. The Taxonomy was designed for office or enterprise IT and is reviewed briefly in this chapter. In Figure 1 it is shown outlined by an amber box.
The details are described in the document “ESARIS Security Taxonomy…”[5], released as part of the Zero Outage Industry Standard. The Taxonomy comprises 31 areas for which security standards and measures need to be defined and implemented. The following are the main reasons why this Taxonomy was introduced.
- Complexity: IT security is a multifaceted and sometimes intricate subject. A single schema is therefore needed to manage this complexity and to make the large number of security aspects and standards it classifies and organizes digestible.
- Specialization: Not everybody, not every team and not every company needs to observe every possible security aspect. The Taxonomy helps to identify the content that is relevant in a given context. Only customer-facing (end-user) services require the whole picture to be observed, and even then only on the condition that the security standards for all areas are defined in a way that takes their interdependencies into account.
- Definition of scope and security target: Selecting the relevant areas, topics and measures from the Taxonomy helps to specify the security requirements or features of the IT service, product or component under consideration. The selection method is called Provider Scope of Control and is the basis for the next topic.
- Supply chain management and contracting: User organizations must rely on IT service providers. IT service providers must rely on their partners and suppliers, and those in turn have their own suppliers and vendors. Contracts are agreements that should describe all essential deliverables, including IT security. The Taxonomy and the specification concept behind it serve as the basis for such contracting.
- Speed and flexibility: IT services are produced on a large scale to meet market expectations on cost and quality; cloud computing is the prime example. A near-comprehensive security specification of such an environment would fill thousands of pages. What is required instead is a library of many small documents. This approach scales, but it requires a Security Taxonomy to organize the library; monolithic documents cannot deliver the required information.
- Language and integration: Many frameworks are easy to understand either for IT experts or for IT security specialists, but rarely for both. Secure IT service provisioning requires the cooperation of the two, which is why the Taxonomy uses the vocabulary of IT rather than that of security specialists. In addition, the Taxonomy fully integrates IT service management and IT security management for the first time, and in this way paves the way to “secured by definition”.
- Technical progress: As a final example, a single network security standard is useless in practice. An IT service provider usually deals with about four types of networks that differ fundamentally in both technology and security. The Taxonomy therefore splits them, an approach that is not common in many standards.
A more comprehensive rationale and more details about the structure can be found in the literature (refer to annex D). The Taxonomy is intended to be clearly structured and understandable to any IT-aware person, which is why IT-related terms are preferred throughout.
Footnotes
[5] ESARIS Security Taxonomy – Synopsis, Scope and Content. Zero Outage Industry Standard, Release 1 about Security, February 2017. zero-outage.com/security