In the traditional view of the TOGAF Architecture Development Method (ADM), Requirements Management is often depicted as a central hub surrounded by the eight phases (Preliminary through H). However, it is not merely a phase; it is a continuous process that permeates every stage of the architecture lifecycle.
While other phases produce structural designs (Business, Data, Application, Technology), Requirements Management ensures that these designs remain aligned with stakeholder needs. It acts as the "quality control" and "scope management" engine of the ADM.

This guide zooms in exclusively on the Requirements Management process, detailing its two primary deliverables: Changed Requirements and the Requirements Impact Assessment. We will explore how these deliverables are created, what they contain, and how they trigger iterations across the ADM.
Requirements are rarely static. They evolve due to:
The Requirements Management process ensures that:
Changed Requirements are formal records of modifications to the original set of architecture requirements. These can be additions, deletions, or modifications to functional or non-functional requirements.
A robust "Changed Requirement" record should include:
| Component | Description | Example |
|---|---|---|
| Requirement ID | Unique identifier for tracking. | REQ-SEC-004 |
| Original Requirement | The initial statement. | "All user data must be encrypted at rest." |
| Changed Requirement | The updated statement. | "All user data must be encrypted at rest using AES-256, and keys must be managed by an external HSM." |
| Reason for Change | Justification for the modification. | "New regulatory mandate from Financial Conduct Authority (FCA) regarding key management." |
| Source | Who requested the change? | Compliance Officer, Legal Team |
| Priority | Critical, High, Medium, Low. | Critical |
| Status | Draft, Approved, Rejected, Implemented. | Approved |
| Date of Change | Timestamp for audit trails. | 2026-06-15 |
During Phase G (Implementation Governance), the security team discovers that the current encryption standard does not meet new industry best practices.
Changed Requirement Record:
The Requirements Impact Assessment is a analytical document that evaluates the consequences of a changed requirement. It answers the question: "If we accept this change, what else breaks, costs money, or takes time?"
A comprehensive Impact Assessment includes:
| Component | Description | Example |
|---|---|---|
| Affected ADM Phases | Which phases need revisiting? | Phase C (Data), Phase D (Technology) |
| Affected Building Blocks | Which ABBs/SBBs are impacted? | Customer Database ABB, Encryption Module SBB |
| Cost Implication | Estimated additional budget. | $50,000 for new HSM hardware and licensing. |
| Schedule Implication | Delay in timeline. | 3-week delay in Phase G completion. |
| Resource Implication | Additional staff/skills needed. | Need 1 Security Engineer for 2 weeks. |
| Risk Assessment | New risks introduced. | Risk of performance degradation due to encryption overhead. |
| Benefit Analysis | Value gained from the change. | Reduced risk of regulatory fines ($1M+ potential savings). |
| Recommendation | Approve, Reject, or Defer. | Approve with mitigation plan for performance. |
Following the encryption change above, the Enterprise Architect performs an impact assessment.
Requirements Impact Assessment Report:
How do these two deliverables interact with the ADM cycle?
A stakeholder or architect identifies a need for change.
The change is formally recorded in the Requirements Repository.
The architecture team analyzes the ripple effects.
The Architecture Board reviews the assessment.
If approved, the ADM cycles back to the relevant phase(s).
Deliverables in the affected phases are updated (e.g., Architecture Definition Document, Roadmap).
Do not manage requirements in spreadsheets alone. Use specialized tools (e.g., Jira, Confluence, IBM DOORS, Sparx EA) that support:
Not all requirements are equal. Use the MoSCoW method:
Ensure every requirement can be traced to:
Regularly review requirements with stakeholders to avoid late-stage surprises. Use prototypes and visualizations to validate understanding.
Always record why a requirement was changed or rejected. This provides an audit trail and helps future architects understand historical decisions.
Six months into the project, during Phase F (Migration Planning), a new data privacy law is passed requiring customer data deletion within 48 hours of request.
REQ-PRIV-007: "System must support automated deletion of all customer data across all databases and backups within 48 hours of a 'Right to be Forgotten' request."
Analysis:
Decision: Approved.
Action:
Requirements Management is the heartbeat of the TOGAF ADM. Without it, architecture becomes a rigid, outdated blueprint that fails to address real-world needs. By rigorously managing Changed Requirements and conducting thorough Requirements Impact Assessments, organizations can:
In essence, Requirements Management transforms the ADM from a linear process into a dynamic, responsive framework capable of delivering true business value in a complex, changing environment.