
CALL FOR SUB-STANDARDS IS OPEN

OPEN TECHNICAL STANDARDS

Defensible 10 Standards
Define how cybersecurity systems are designed, built, tested, and validated using true engineering discipline.

Draft Parent Standards are now being released in 2026.


Engineered Responsibly

THE DEFENSIBLE LOOP

A 6-phase engineering model that drives the Defensible 10 Standards

The Defensible Loop is ISAUnited’s engineering model for cybersecurity architecture and engineering. It was built from repeatable failure patterns observed across a decade of intrusions and data leaks, then reverse-engineered into a disciplined workflow that teams can execute in every security domain. The loop runs through 6 phases: Define, Design, Deploy, Detect, Defend, and Demonstrate, and it ends in proof. Each Defensible 10 Standard applies the same loop within its domain to ensure security work produces measurable outcomes, traceable decisions, and evidence that can be reviewed, validated, and trusted.


PUBLIC AWARENESS MESSAGE

Cybersecurity You Cannot See, Proof You Can Expect

This public awareness message explains why cybersecurity standards matter to ordinary citizens. Hospitals, schools, airports, water systems, and payment networks rely on cybersecurity every day. Defensible 10 Standards and the Defensible Loop help organizations turn security intent into measurable outcomes through discipline, validation, and evidence. Learn how engineering-grade standards support safer lives.

THE DEFENSIBLE 10 DIFFERENCE

Foundational Standards Need Engineering Proof

This ISAUnited Technical Research Center whitepaper compares widely used ISO and NIST publications against the Defensible 10 Standards using five engineering criteria: Technical Specificity, Verifiability, Artifact Output, Granularity, and Lifecycle Integration. It computes a normalized Engineering Orientation Index to make the boundary measurable, then shows why ISO and NIST remain essential baselines while D10S serves as the missing engineering layer that turns intent into requirements, technical specifications, verification and validation, and defensible evidence.


Pending

THE BOOK

This book establishes ten parent technical standards—each defining the measurable architectural and engineering foundations for building secure, resilient, and scientifically defensible systems.

Unlike compliance frameworks that rely on documentation and audits, the D10S provides actionable, testable engineering specifications that practitioners can design, validate, and defend.


Each standard aligns with real-world enterprise architecture and is grounded in systems engineering principles, verification and validation (V&V) methodology, and defensible design practices.

Designed for architects, engineers, and technical leaders, this volume serves as both a reference guide and engineering companion for those advancing the profession beyond checklists, tools, and reactive defense.
It is the foundation for a modern cybersecurity architecture that is measurable, repeatable, and engineered for trust.


About Us

The First Cybersecurity Standards Development Organization (SDO)

For more than a century, traditional engineering disciplines have relied on structured standards—from ASME to IEEE—to ensure reliability, safety, and scientific rigor.


Cybersecurity has had no such home—until now.

The Institute of Security Architecture United (ISAUnited.org) is the world’s first and only Security Standards Development Organization (SDO) dedicated exclusively to cybersecurity architecture and engineering.  Our mission is to formalize cybersecurity as an engineering discipline by producing defensible, peer-reviewed standards that are actionable, measurable, and auditable.

ISAUnited develops, maintains, and publishes the Defensible 10 Standards (D10S)—the foundational Parent Standards for secure design across all major cybersecurity domains. These standards are developed, authored, and submitted by architects and engineers from across the world, representing diverse disciplines in IT, cloud, cybersecurity, and software engineering.

Each standard is created through rigorous technical authorship, peer review by the Technical Fellow Society, and alignment with global engineering norms.


About The Project

The Defensible 10 Standards Initiative.

The Defensible 10 Standards Project (D10S) establishes a unified, 'one voice', engineering-based framework for cybersecurity. Each Parent Standard defines the core architecture, requirements, and measurable technical specifications for a major security domain.


Together, they form the foundation for defensible, testable, and interoperable enterprise security components, systems, and systems-of-systems.

Open Season: Each year, technical practitioners are invited to develop and submit Sub-Standards that expand and strengthen each Parent Standard.


This free, open contribution process ensures that the Defensible 10 Standards remain technically current, adaptable to emerging technologies, and reflective of real-world engineering practices, helping the cybersecurity architecture and engineering community continuously advance and modernize the profession.

Frequently Asked Questions

Q1: What are the Defensible 10 Standards (D10S)?

  • The Defensible 10 Standards (D10S) are the world’s first engineering-based cybersecurity architecture and engineering standards, developed and governed by ISAUnited.org.
  • They define measurable technical and architectural expectations for secure design across ten major cybersecurity domains—transforming cybersecurity from a compliance exercise into a true engineering discipline.

Q2: Who can contribute to the development of D10S Sub-Standards?

  • Any qualified technical practitioner—including cybersecurity architects, cloud engineers, software developers, systems engineers, or IT professionals—may contribute during Open Season.
  • Participation is open to both ISAUnited members and non-members worldwide.
  • All submissions undergo a formal vetting and peer-review process to ensure engineering integrity and professional quality.

Q3: Are the Defensible 10 Standards free to access and use?

  • Yes. The Defensible 10 Standards are open and publicly accessible for education, reference, and professional use.
  • ISAUnited’s mission as a Security Standards Development Organization (SDO) is to advance the field through freely available, defensible engineering practices.
  • Commercial integration into paid software, tooling, or managed services requires a separate ISAUnited commercial license.

Q4: How do these standards differ from existing frameworks like NIST or ISO?

  • While frameworks such as NIST and ISO define governance and compliance baselines, the Defensible 10 Standards define how to engineer security—not just how to audit it.
  • D10S provides measurable requirements, technical specifications, and verification criteria aligned with traditional engineering disciplines.
  • These standards fulfill what compliance frameworks cannot—defining the engineering precision, measurable criteria, and verification discipline required for defensible, evidence-based security assurance.
  • If your organization employs cybersecurity architects and engineers, their role is not to follow audit checklists—it is to design, build, and validate secure systems through technical architecture and engineering discipline.  The D10S gives them the structure, language, and measurable criteria to do exactly that.

Q5: Are the Defensible 10 Standards (D10S) mandatory?

  • No - and Yes.  The Defensible 10 Standards (D10S) are not regulatory or compliance mandates.
    However, if your goal is to truly protect your organization, its customers, people, data, and future, then applying an engineering discipline to cybersecurity is absolutely mandatory.

  • D10S is not about meeting audit checkboxes. It’s about building systems that can be verified, validated, and defended with evidence.  These standards introduce the math, science, and engineering rigor that cybersecurity has lacked—replacing assumptions and dashboards with measurable design integrity and operational proof.

  • Today, auditors may not tell you to adopt D10S—but reality will.
    Every breach, every data leak, and every operational failure is proof that compliance alone isn’t enough.  ISAUnited believes that Verification and Validation (V&V) are no longer optional—they’re what separate compliance-ready architecture and infrastructure from defensible ones.

Q6: How do organizations or teams use the D10S in practice?

  • Organizations use the D10S as a technical and architectural reference framework to design, validate, and maintain defensible systems.
  • Each Parent Standard defines inputs (requirements) and outputs (technical specifications) with measurable verification criteria, allowing teams to build and test consistently.
  • For management and GRC teams, D10S adoption strengthens audit defensibility, design assurance, and measurable risk reduction through verifiable engineering standards.

Q7: What is the Open Season Process, and how does it work?

  • The Open Season Process is ISAUnited’s annual global initiative inviting practitioners and organizations to propose and develop new Sub-Standards.
  • Submissions undergo technical peer review by the ISAUnited Technical Fellow Society to ensure engineering precision, practical applicability, and defensibility.
  • Organizations may also sponsor or support contributors, reinforcing collaboration between enterprise practice and formal standards development.

Q8: What is the future of the Defensible 10 Standards (D10S) in partnerships, audits, and business integration?

  • ISAUnited’s long-term vision is to see Defensible Standards adopted across every part of the cybersecurity ecosystem — not just by practitioners, but by the organizations that measure, insure, and certify trust.

  • We are actively engaging with audit organizations, assurance bodies, and the cyber-insurance industry to align measurable engineering outcomes with risk quantification and underwriting practices.

  • Over time, D10S will help these industries distinguish between merely compliant systems and those that are technically defensible and verified.

  • By integrating Verification and Validation (V&V) into future partnerships, ISAUnited aims to create a common engineering language between security design, assurance, and business resilience.

  • While these collaborations are still in development, the direction is clear: the future of cybersecurity assurance will be engineering-based, and D10S will serve as the bridge between technical integrity and business accountability.

Contact Us


Have a question or need assistance? Our team supports practitioners and engineers developing and implementing the Defensible 10 Standards.


Practitioner and Organizational Use

The Defensible 10 Standards (D10S) are published under a Creative Commons Attribution–NonCommercial 4.0 International License (CC BY-NC 4.0).


This license permits free use, adaptation, and internal implementation of the D10S by individual practitioners, educational institutions, and organizations for the purpose of research, training, architecture design, or internal security engineering.


Attribution to ISAUnited.org must be maintained in all uses, reproductions, or derivative works.

Commercial, Vendor, and Integration Use

The use, reproduction, or incorporation of the Defensible 10 Standards (D10S) or their content within commercial products, software, tooling, managed services, or for-profit offerings requires a separate commercial integration or redistribution license issued by the Institute of Security Architecture United (ISAUnited.org).


This includes but is not limited to:

  • Integration into commercial or subscription-based platforms or software tools

  • Use in vendor-branded frameworks or automated compliance products

  • Redistribution of modified or adapted versions for resale or commercial benefit

 

Requests for commercial licensing or integration agreements should be directed to:  info@isaunited.org

© 2026 The Defensible 10 Standards (D10S). Owned, operated, and maintained by the Institute of Security Architecture United (ISAUnited.org).
