CALL FOR 2025 SUB-STANDARDS IS OPEN
Welcome to the Cybersecurity Architecture & Engineering Technical Standards (Coming Fall 2025)
Open Technical Standards for Modern Architecture & Engineering.
A community-driven initiative providing free, open technical standards for architects and engineers worldwide. These standards serve as a foundation for building defensible, resilient systems.
This book establishes ten parent technical standards—each defining the measurable architectural and engineering foundations for building secure, resilient, and scientifically defensible systems.
Unlike compliance frameworks that rely on documentation and audits, the D10S provides actionable, testable engineering specifications that practitioners can design, validate, and defend.
Each standard aligns with real-world enterprise architecture and is grounded in systems engineering principles, verification and validation (V&V) methodology, and defensible design practices.
Designed for architects, engineers, and technical leaders, this volume serves as both a reference guide and engineering companion for those advancing the profession beyond checklists, tools, and reactive defense.
It is the foundation for a modern cybersecurity architecture that is measurable, repeatable, and engineered for trust.

About Us
The First Cybersecurity Standards Development Organization (SDO)
For more than a century, traditional engineering disciplines have relied on structured standards—from ASME to IEEE—to ensure reliability, safety, and scientific rigor.
Cybersecurity has had no such home—until now.
ISAUnited develops, maintains, and publishes the Defensible 10 Standards (D10S)—the foundational Parent Standards for secure design across all major cybersecurity domains. These standards are developed, authored, and submitted by architects and engineers from across the world, representing diverse disciplines in IT, cloud, cybersecurity, and software engineering.
The Institute of Security Architecture United (ISAUnited.org) is the world’s first and only Security Standards Development Organization (SDO) dedicated exclusively to cybersecurity architecture and engineering. Our mission is to formalize cybersecurity as an engineering discipline by producing defensible, peer-reviewed standards that are actionable, measurable, and auditable.
Each standard is created through rigorous technical authorship, peer review by the Technical Fellow Society, and alignment with global engineering norms.



About The Project
The Defensible 10 Standards Initiative.
The Defensible 10 Standards Project (D10S) establishes a unified, 'one voice', engineering-based framework for cybersecurity. Each Parent Standard defines the core architecture, requirements, and measurable technical specifications for a major security domain.
Together, they form the foundation for defensible, testable, and interoperable enterprise security components, systems, and systems-of-systems.
Open Season: Each year, technical practitioners are invited to develop and submit Sub-Standards that expand and strengthen each Parent Standard.
This free, open contribution process ensures that the Defensible 10 Standards remain technically current, adaptable to emerging technologies, and reflective of real-world engineering practices, helping the cybersecurity architecture and engineering community continuously advance and modernize the profession.
Frequently Asked Questions
Q1: What are the Defensible 10 Standards (D10S)?
- The Defensible 10 Standards (D10S) are the world’s first engineering-based cybersecurity architecture and engineering standards, developed and governed by ISAUnited.org.
- They define measurable technical and architectural expectations for secure design across ten major cybersecurity domains—transforming cybersecurity from a compliance exercise into a true engineering discipline.
Q2: Who can contribute to the development of D10S Sub-Standards?
- Any qualified technical practitioner—including cybersecurity architects, cloud engineers, software developers, systems engineers, or IT professionals—may contribute during Open Season.
- Participation is open to both ISAUnited members and non-members worldwide.
- All submissions undergo a formal vetting and peer-review process to ensure engineering integrity and professional quality.
Q3: Are the Defensible 10 Standards free to access and use?
- Yes. The Defensible 10 Standards are open and publicly accessible for education, reference, and professional use.
- ISAUnited’s mission as a Security Standards Development Organization (SDO) is to advance the field through freely available, defensible engineering practices.
- Commercial integration into paid software, tooling, or managed services requires a separate ISAUnited commercial license.
Q4: How do these standards differ from existing frameworks like NIST or ISO?
- While frameworks such as NIST and ISO define governance and compliance baselines, the Defensible 10 Standards define how to engineer security—not just how to audit it.
- D10S provides measurable requirements, technical specifications, and verification criteria aligned with traditional engineering disciplines.
- These standards fulfill what compliance frameworks cannot—defining the engineering precision, measurable criteria, and verification discipline required for defensible, evidence-based security assurance.
- If your organization employs cybersecurity architects and engineers, their role is not to follow audit checklists—it is to design, build, and validate secure systems through technical architecture and engineering discipline. The D10S gives them the structure, language, and measurable criteria to do exactly that.
Q5: Are the Defensible 10 Standards (D10S) mandatory?
- No - and Yes. The Defensible 10 Standards (D10S) are not regulatory or compliance mandates. However, if your goal is to truly protect your organization, its customers, people, data, and future, then applying an engineering discipline to cybersecurity is absolutely mandatory.
- D10S is not about meeting audit checkboxes. It’s about building systems that can be verified, validated, and defended with evidence. These standards introduce the math, science, and engineering rigor that cybersecurity has lacked—replacing assumptions and dashboards with measurable design integrity and operational proof.
- Today, auditors may not tell you to adopt D10S—but reality will. Every breach, every data leak, and every operational failure is proof that compliance alone isn’t enough. ISAUnited believes that Verification and Validation (V&V) are no longer optional—they’re what separate compliance-ready architecture and infrastructure from defensible ones.
Q6: How do organizations or teams use the D10S in practice?
- Organizations use the D10S as a technical and architectural reference framework to design, validate, and maintain defensible systems.
- Each Parent Standard defines inputs (requirements) and outputs (technical specifications) with measurable verification criteria, allowing teams to build and test consistently.
- For management and GRC teams, D10S adoption strengthens audit defensibility, design assurance, and measurable risk reduction through verifiable engineering standards.
Q7: What is the Open Season Process, and how does it work?
- The Open Season Process is ISAUnited’s annual global initiative inviting practitioners and organizations to propose and develop new Sub-Standards.
- Submissions undergo technical peer review by the ISAUnited Technical Fellow Society to ensure engineering precision, practical applicability, and defensibility.
- Organizations may also sponsor or support contributors, reinforcing collaboration between enterprise practice and formal standards development.
Q8: What is the future of the Defensible 10 Standards (D10S) in partnerships, audits, and business integration?
- ISAUnited’s long-term vision is to see Defensible Standards adopted across every part of the cybersecurity ecosystem — not just by practitioners, but by the organizations that measure, insure, and certify trust.
- We are actively engaging with audit organizations, assurance bodies, and the cyber-insurance industry to align measurable engineering outcomes with risk quantification and underwriting practices.
- Over time, D10S will help these industries distinguish between merely compliant systems and those that are technically defensible and verified.
- By integrating Verification and Validation (V&V) into future partnerships, ISAUnited aims to create a common engineering language between security design, assurance, and business resilience.
- While these collaborations are still in development, the direction is clear: the future of cybersecurity assurance will be engineering-based, and D10S will serve as the bridge between technical integrity and business accountability.
Contact Us
Have a question or need assistance? Our team supports practitioners and engineers developing and implementing the Defensible 10 Standards.
