The control catalog in OSA is currently based upon NIST 800-53. There is a mapping available against ISO17799, and other prominent standards. We feel this is the best control catalog available for the IT industry. This catalog can be used without restriction.
By taking a single control catalog we allow you to clearly establish how you can meet the objectives of many standards, without having to repeatedly work out what controls are needed and how they can be implemented. In addition, we map against threats and supply tests, so you can quickly establish whether a particular control is relevant for your situation, and can check it's working correctly (great for security reviews and audits).
The visual patterns are at the core of OSA and bring together the security requirements for a use case (e.g. remote access) with the supporting controls from the catalog. They give you the basic building blocks to make your particular solution secure. We classify visual patterns by Industry, Threats, Regulations, and Architectures.
There are various techniques to assess the environment your solution will operate in, so as to determine the CIA (confidentiality, integrity, availability) requirements for the business processes the architecture supports. Currently we still feel that an Annual Loss Expectancy (ALE) calculation is sufficient to determine the amount you should be spending on the controls relative to the cost of the assets you are protecting. We would emphasize that availability is often the most expensive element to consider. You may want to look at the more complex methods, but in essence this step is all about a Cost Benefit Analysis for the controls identified.
In the last step you tailor the controls in the pattern based on the environmental assessment, to finalise the specific controls and their implementation in the solution you are developing. At this stage your security architecture is embedded into the wider solution architecture that is being developed.
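As an added example (not OSA's own material), the following Python sketches the two steps above: the ALE-based cost benefit analysis of the environmental assessment, and the tailoring of a pattern's controls down to those whose annual loss reduction exceeds their annual cost. Every figure (asset values, exposure factors, rates of occurrence, control costs) and every threat and control name is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One threat against one asset, with the classic ALE inputs."""
    name: str
    asset_value: float      # value of the asset at risk (constructed figure)
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualised rate of occurrence (incidents/year)

    def sle(self) -> float:
        # Single Loss Expectancy: loss from one incident
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual Loss Expectancy: expected loss per year without the control
        return self.sle() * self.aro


@dataclass
class Control:
    """A candidate control from the pattern, priced per year."""
    name: str
    threat: str            # name of the threat it mitigates
    annual_cost: float     # amortised purchase plus operating cost per year
    aro_reduction: float   # fraction by which it lowers the threat's ARO (0..1)


# Constructed sample environment. Note the availability threat (outage)
# carries the largest ALE, as the text warns is common.
THREATS = {t.name: t for t in [
    Threat("service outage", asset_value=500_000, exposure_factor=0.02, aro=4.0),
    Threat("data theft", asset_value=200_000, exposure_factor=0.5, aro=0.1),
]}
CONTROLS = [
    Control("redundant link", "service outage", annual_cost=15_000, aro_reduction=0.75),
    Control("DLP gateway", "data theft", annual_cost=12_000, aro_reduction=0.5),
    Control("encryption at rest", "data theft", annual_cost=3_000, aro_reduction=0.6),
]


def net_benefit(control: Control, threats: dict) -> float:
    """Annual loss avoided by the control minus what the control costs per year."""
    t = threats[control.threat]
    ale_after = t.sle() * t.aro * (1.0 - control.aro_reduction)
    return t.ale() - ale_after - control.annual_cost


def tailor_controls(controls: list, threats: dict) -> list:
    """Keep only the pattern's controls that pay for themselves in this environment."""
    return [c.name for c in controls if net_benefit(c, threats) > 0]
```

Running `tailor_controls(CONTROLS, THREATS)` on the sample keeps the redundant link and encryption at rest, while the DLP gateway costs more per year than the loss it avoids.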