The Open Group · TOGAF-RS

The Open Group Certified: Integrating Risk and Security within a TOGAF® Enterprise Architecture Practice Test

This credential validates an individual's understanding of essential security and risk concepts in relation to the TOGAF® Architecture Development Method (ADM), including Enterprise Risk Management (ERM), Information Security Management (ISM), and Enterprise Security Architecture (ESA). It demonstrates knowledge of how IT security and risk standards such as ISO/IEC 27000, ISO 31000, and COBIT relate to the TOGAF standard.

Exam Details

Questions

600

Duration

180 minutes

Passing Score

Pass/Fail

Difficulty

Foundational

Last Updated

Jun 2026

Topics Covered

Security and Risk Concepts in TOGAF ADMEnterprise Security Architecture (ESA)Enterprise Risk Management (ERM)Information Security Management (ISM)IT Security and Risk Standards (ISO/IEC 27000, ISO 31000, COBIT)Security as a Cross-Cutting ConcernTOGAF Architecture Content Metamodel and ISM/ERM Relationships

The Open Group Certified: Integrating Risk and Security within a TOGAF® Enterprise Architecture Practice Exam Preparation

Use this TOGAF-RS practice exam to prepare for The Open Group Certified: Integrating Risk and Security within a TOGAF® Enterprise Architecture with realistic questions, detailed explanations, and focused study modes. The practice bank includes 600 questions for The Open Group TOGAF-RS, so you can review the exam steadily instead of relying on one long cram session.

As you practice, pay extra attention to recurring topics such as Security and Risk Concepts in TOGAF ADM, Enterprise Security Architecture (ESA), Enterprise Risk Management (ERM), Information Security Management (ISM), and IT Security and Risk Standards (ISO/IEC 27000, ISO 31000, COBIT). Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.

The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.

Exam Overview

The Open Group Certified: Integrating Risk and Security within a TOGAF® Enterprise Architecture is an awareness-level credential that validates foundational knowledge of how security and risk management integrate with the TOGAF® Architecture Development Method (ADM). It demonstrates that the holder understands the essential concepts of Enterprise Security Architecture (ESA), Enterprise Risk Management (ERM), and Information Security Management (ISM), and knows how these disciplines relate to each phase and artifact of the TOGAF ADM. The credential is part of the broader TOGAF Certification Portfolio built upon the TOGAF Standard, 10th Edition, and is designed to establish a common language between Security Architects and Enterprise Architects when developing risk-aware enterprise architectures.

The certification also covers how major IT security and risk standards — specifically the ISO/IEC 27000 family of standards, ISO 31000, and COBIT® — relate to and complement the TOGAF standard. Candidates learn why security and risk management must be treated as cross-cutting concerns that span the entire enterprise architecture lifecycle rather than being addressed in isolated phases. The credential is structured as a compact learning credential requiring approximately three hours of study, making it accessible as a standalone qualification or as a complement to broader TOGAF Enterprise Architecture certifications.

Official exam page

Who Should Take This Exam

This credential is designed for professionals who need a structured, foundational understanding of security and risk concepts in the context of enterprise architecture. Primary audiences include Enterprise Architects who want to incorporate security and risk practices into their TOGAF ADM work, Security Architects seeking to align their practice with enterprise architecture frameworks, and IT risk and compliance professionals who collaborate with architecture teams. It is equally relevant for individuals working with governance frameworks such as COBIT or standards like ISO/IEC 27001 and ISO 31000 who need to understand how these standards interact with the TOGAF methodology.

Because the credential is at the awareness level with no prerequisites, it is well-suited to those who are early in their enterprise architecture or security architecture careers, as well as experienced practitioners expanding their knowledge into adjacent disciplines. Program managers, IT auditors, and CISOs who need to communicate with architecture teams or evaluate security architecture outputs will also find the credential valuable.

Prerequisites

There are no formal prerequisites to sit for this credential. Candidates are not required to hold any prior TOGAF certification, though familiarity with the basic concepts of the TOGAF ADM — such as the architecture phases (Preliminary through Architecture Change Management) and core TOGAF terminology — will help candidates contextualize the security and risk content more effectively. No prior security certifications are required.

In practice, candidates will benefit from some exposure to enterprise IT environments and a general awareness of IT governance concepts. Those with experience in security operations, IT risk management, or enterprise architecture will find the material more immediately applicable. The Open Group offers a self-study option through its learning management system for candidates who wish to build prerequisite TOGAF knowledge before attempting this credential.

Exam Format

The assessment for this credential is delivered either through an Accredited Training Course (ATC) provider — in which case the assessment format is at the provider's discretion — or through The Open Group's own self-study online learning option, which includes a built-in assessment. The self-study path is available through The Open Group's online shop and learning management system. The credential requires a minimum of three hours of learning to be completed before the assessment is attempted. The Open Group awards a digital Open Badge via Credly and a certificate upon successful completion.

Where scenario-based questions are used, as is common across the TOGAF Certification Portfolio, each question presents a real-world scenario with four possible answers ranked from best to worst. Under this model, the best answer earns 5 points, the second-best 3 points, the third-best 1 point, and the worst answer 0 points. Specific details such as the total number of questions and a published numeric passing score are not publicly disclosed by The Open Group for this credential; candidates should confirm the precise assessment parameters with their chosen training provider or The Open Group's official exam portal. The overall credential is classified as a pass/fail award.

Skills Measured

1.Security and Risk Concepts in the TOGAF ADM: Understanding the essential principles of security and risk and how they map to each phase of the TOGAF Architecture Development Method, including how risk and security considerations are introduced, maintained, and governed throughout the architecture lifecycle.
2.Enterprise Security Architecture (ESA): Knowledge of what ESA is, how it is defined within the context of TOGAF, and how security architecture artifacts are developed, positioned, and maintained as part of an overall enterprise architecture practice.
3.Enterprise Risk Management (ERM): Understanding ERM concepts, including risk identification, assessment, and treatment approaches, and how ERM frameworks are applied within and aligned to the TOGAF ADM phases and architecture governance structures.
4.Information Security Management (ISM): Knowledge of ISM principles and how information security management functions relate to and integrate with TOGAF architecture development, including the roles of policies, controls, and management systems.
5.IT Security and Risk Standards (ISO/IEC 27000, ISO 31000, COBIT): Understanding how the ISO/IEC 27000 family of information security standards, the ISO 31000 risk management standard, and the COBIT governance framework relate to and complement the TOGAF standard.
6.Security as a Cross-Cutting Concern: Understanding why security and risk management must be treated as concerns that span all architecture domains (Business, Data, Application, Technology) and all ADM phases rather than being addressed only within the Technology Architecture.
7.TOGAF Architecture Content Metamodel and ISM/ERM Relationships: Knowledge of how the TOGAF Architecture Content Metamodel relates to Information Security Management and Enterprise Risk Management, including which metamodel entities and relationships are relevant to security and risk artifacts.

Study Tips

Use The Open Group's official self-study online course as your primary resource — it was authored to align precisely with the credential's learning outcomes and includes built-in quiz questions that mirror the assessment style.
Download and read the official publication 'Integrating Risk and Security within a TOGAF® Enterprise Architecture' (Open Group document G152), which is the authoritative reference text for all topics covered in this credential.
Map each chapter of G152 to a specific ADM phase and practice explaining how security and risk concerns are addressed in that phase — this reinforces the cross-cutting nature of security and helps anchor abstract concepts to familiar TOGAF structures.
Study the relationship table between the TOGAF Architecture Content Metamodel and ISM/ERM concepts specifically, as this is a distinct knowledge area that candidates without a strong TOGAF background often underestimate.
Review the key definitions and scope of ISO/IEC 27001, ISO 31000, and COBIT side by side, then practice articulating how each standard's concepts (e.g., risk appetite, information security controls, governance objectives) are referenced or incorporated within the TOGAF ADM.
If you do not already hold a TOGAF Foundation certification, spend time reviewing the TOGAF ADM phase objectives and key deliverables before beginning this credential's material, as the course assumes baseline familiarity with TOGAF terminology.
Practice with scenario-based questions if available from your ATC provider, focusing on selecting the 'best' architectural response to a security or risk situation rather than a technically correct but architecturally misaligned answer — the partial-credit scoring model rewards nuanced judgment.

Career Benefits

Earning this credential signals to employers that an architect or security professional understands how to embed risk and security thinking into enterprise architecture work from the outset, rather than treating them as compliance afterthoughts. It is particularly valued in organizations that have adopted TOGAF as their architecture framework and are seeking to align security governance with frameworks like ISO/IEC 27001 or COBIT. Roles that benefit directly from this credential include Enterprise Architect, Security Architect, IT Risk Manager, IT Governance Analyst, and Information Security Manager. Because it is an awareness-level credential, it is often pursued alongside or as preparation for higher-level TOGAF certifications rather than as a standalone career milestone.

The credential carries one point in The Open Group's TOGAF Certification Portfolio, contributing to broader TOGAF professional recognition. While salary data specific to this credential is not published, professionals who combine TOGAF certification with security and risk specialization are well positioned for senior architecture and governance roles. Industry demand for architects who can speak fluently across security, risk, and enterprise architecture continues to grow, particularly in regulated sectors such as financial services, healthcare, and government, where risk-aware architecture is a compliance requirement.

Sample Questions

5 sample questions with answers and explanations. Start a practice session to test yourself across all 600 questions.

Preview — answers shown

1. The risk management team at Woodgrove Financial has completed a risk assessment for their new online trading platform. Three residual risks have been identified: (1) A system outage risk that, if additional redundant infrastructure is deployed, would be reduced to within the organization's stated risk appetite; (2) A vulnerability in a legacy reporting module that can be fully decommissioned without any impact on trading operations; (3) A regulatory sanctions risk that, even after all feasible mitigations have been applied, still exceeds the board's stated risk appetite. Which combination of risk treatment options should be applied to risks 1, 2, and 3 respectively? (Select one!)

AMitigate, Accept, Transfer

BTransfer, Mitigate, Accept

CMitigate, Avoid, Escalate

DAccept, Avoid, Transfer

Explanation

For the system outage risk, mitigation is the correct treatment because deploying redundant infrastructure would reduce the risk to within the organization's risk appetite, making it a viable and proportionate response. For the legacy reporting module vulnerability, avoidance is correct because the module can be completely decommissioned without operational impact, eliminating the activity that generates the risk entirely. For the regulatory sanctions risk, escalation to senior management is the mandated treatment when residual risk exceeds the board's stated risk appetite even after all feasible mitigations have been exhausted. Accepting risks that exceed appetite contradicts the board's position and cannot be done unilaterally by the risk team. Transferring risk via insurance or third parties is a valid option when transfer is feasible, but the scenario does not indicate this option is available for the regulatory sanctions exposure.

2. During an enterprise risk management workshop at Fabrikam Financial Services, the risk team lead argues that only negative outcomes belong in the corporate risk register, stating that positive outcomes are strategic opportunities and fall under the remit of the strategy team rather than risk management. The enterprise architect challenges this position by citing the ISO 31000 definition of risk. Which statement most accurately reflects the ISO 31000 risk definition and its implication for enterprise risk registers? (Select one!)

AISO 31000 defines risk as the effect of uncertainty on objectives, explicitly recognising both negative effects (threats) and positive effects (opportunities), meaning an enterprise risk register should address both upside and downside risk

BISO 31000 defines risk as the probability of a harmful event occurring multiplied by its financial impact, confirming that risk registers should capture only threats with quantifiable monetary consequences

CISO 31000 defines risk as the likelihood that a control will fail to prevent an adverse event, so risk registers should focus solely on control deficiencies rather than broader business outcomes

DISO 31000 defines risk as inherent uncertainty within project execution contexts, restricting its scope to operational and project-level risks and excluding strategic opportunities from the risk management process

Explanation

ISO 31000 defines risk as the effect of uncertainty on objectives, a deliberately broad definition that encompasses both negative effects (downside risk, or threats that may harm objectives) and positive effects (upside risk, or opportunities that may benefit objectives). This dual nature means enterprise risk registers should capture and manage opportunities alongside threats rather than relegating positive uncertainty exclusively to strategic planning functions. Restricting risk registers to negative outcomes causes organisations to miss value-creating opportunities that could be actively exploited. Defining risk purely in terms of probability multiplied by financial impact is a narrow quantitative formulation inconsistent with ISO 31000's objective-centred framework. Limiting the standard's scope to project or operational contexts ignores its explicit application to strategic, operational, project, and compliance risks. Framing risk solely as control failure conflates risk identification with control assessment and is not consistent with ISO 31000's principles.

3. The IAM team at Contoso Bank is implementing multi-factor authentication for its customer-facing online banking portal. An analyst proposes a solution requiring customers to enter their account username, a password, and a memorable security phrase before gaining access. The security architect reviews the proposal and determines it does not constitute genuine multi-factor authentication. What is the correct explanation for the security architect's conclusion? (Select one!)

AKnowledge-based factors such as passwords are no longer considered valid authentication factors under current security standards

BMulti-factor authentication requires a minimum of four distinct credential elements to satisfy financial sector security requirements

CMulti-factor authentication must include at least one biometric factor to satisfy the definition of strong authentication

DA username, password, and memorable security phrase are all knowledge-based factors from the same authentication category, meaning only one factor category is represented

Explanation

True multi-factor authentication requires credentials drawn from at least two distinct authentication factor categories: something you know (knowledge factors such as passwords, PINs, and security phrases), something you possess (possession factors such as hardware tokens or smart cards), or something you are (biometric factors such as fingerprints or facial recognition). A username, password, and memorable security phrase are all knowledge-based factors belonging to the same category. Combining multiple credentials from a single category — regardless of how many items are required — does not constitute multi-factor authentication and remains single-factor authentication. There is no requirement for a minimum number of credential elements; the requirement is for elements drawn from categorically different factor types. Biometric factors are one valid category for MFA implementation but are not mandatory. Knowledge-based factors remain fully valid authentication mechanisms when properly combined with factors from at least one other category.

4. The architecture team at Northwind Healthcare is beginning Phase A (Architecture Vision) of a TOGAF ADM engagement to modernize its patient records infrastructure. The lead architect asks which security-specific activities should be performed during Phase A to ensure security is appropriately integrated into the Architecture Vision from the outset. According to G152 guidance on security activities in the ADM, which two activities belong in Phase A? (Select two!)

Multiple correct answers

AFormally document and publish the organization's risk appetite statement on behalf of the board of directors

BInclude a security vision statement within the Architecture Vision that establishes the security strategic direction for the engagement

CProduce the finalized security solution design for all technology domains identified in the scope

DIdentify security-relevant stakeholders including the CISO, risk management function, compliance and legal departments, and external regulators

EEstablish the security resource plan covering architect participation, tooling, and budget allocations for the full engagement

Explanation

According to G152, Phase A (Architecture Vision) has two primary security responsibilities. The first is incorporating a security vision into the Architecture Vision itself, providing a high-level statement of security strategic direction, security-related business goals, and high-level security requirements that will guide all subsequent architecture phases. The second is identifying security-relevant stakeholders, which includes the CISO and security leadership, the risk management function, compliance and legal departments, business unit security contacts, and external regulators whose requirements will shape the architecture. The risk appetite statement is established during the Preliminary Phase by the board of directors and senior management, not created or published during Phase A. Finalized security solution design occurs in much later phases after business, information systems, and technology architectures have been developed. The security resource plan covering budget and staffing is also a Preliminary Phase deliverable, not a Phase A output.

5. Northwind Global Services wants to demonstrate its commitment to enterprise risk management to clients and regulatory bodies. The risk governance committee proposes achieving an ISO 31000 certification to provide formal third-party validation of their risk management program. The Chief Risk Officer is asked to evaluate the feasibility of this proposal. What should the Chief Risk Officer advise? (Select one!)

AISO 31000 certification is available through accredited third-party certification bodies and requires a two-stage audit process similar to ISO 27001

BISO 31000 certification is available but is restricted to financial services organizations under specific regulatory guidance

CISO 31000 certification requires the organization to implement all risk assessment techniques defined in IEC 31010 before applying for audit

DOrganizations cannot obtain ISO 31000 certification because ISO 31000 is a principles and guidelines standard, not a certifiable management system standard; individual practitioners may obtain related certifications through third parties

Explanation

ISO 31000 is a risk management principles and guidelines standard that cannot serve as the basis for organizational certification. Unlike ISO 27001, which establishes auditable requirements for an Information Security Management System and explicitly supports formal third-party certification, ISO 31000 provides guidance only. Because it contains no auditable requirements — only principles and recommended practices — organizations cannot be certified against it. Individual practitioners can, however, obtain personal certifications related to ISO 31000 risk management through third-party training and certification organizations. Treating ISO 31000 as certifiable incorrectly equates its nature with that of ISO 27001. IEC 31010, the companion standard cataloging risk assessment techniques, does not impose a requirement to implement all techniques — organizations select only those appropriate to their specific context. ISO 31000 is a universally applicable standard designed for all types and sizes of organizations across every sector and industry, and carries no restriction to financial services.

$7.99

One-time access to this exam

Full access to all 600 questions

Or $15/mo for all 253 exams

Detailed explanations

Free preview stays available