Quality Assurance and Quality Management (QA/QM) of IT is the systematic governance discipline of planning, executing, monitoring, and continuously improving IT processes, services, and systems to ensure they meet defined standards, organizational objectives, and regulatory requirements. Quality Assurance (QA) is process-focused — it prevents defects by embedding quality controls into development and operations activities before outputs are produced. Quality Control (QC) is product-focused — it detects defects in outputs through testing, inspection, and validation after outputs exist. Quality Management is the overarching governance framework that coordinates both disciplines across the full IT lifecycle, from strategy and design through development, operations, and retirement. Together, these three elements form a closed-loop accountability mechanism that connects IT outcomes to business expectations.
Where it stops · what it isn't
- QA/QM IS: a governance responsibility owned at leadership level (CIO/CISO), embedded across the IT lifecycle, and aligned to frameworks including ISO/IEC 20000, ISO 9000, CMMI, and ITIL 4
- QA/QM IS: structured around four pillars: quality planning, quality assurance (process-level), quality control (product-level), and continuous improvement
- QA/QM IS NOT: synonymous with software testing; testing is one QC tool within a broader governance system
- QA/QM IS NOT: a one-time audit or compliance checkbox; it is a continuous operating discipline embedded in all IT work
- QA/QM IS NOT: limited to IT development; it applies equally to IT operations, vendor management, security, data management, and infrastructure
- Do not conflate QA (preventing defects) with QC (detecting defects); they are complementary but distinct activities with different ownership, timing, and methods
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: IT Governance and Management (CISA Domain 2)
- REQUIRES: IT Performance Monitoring and Metrics; IT Policies, Standards, and Procedures
- ENABLES: IT Risk Management; Regulatory Compliance (SOX, HIPAA, PCI-DSS, GDPR); Continuous Improvement and Organizational Maturity
- RELATED TO: IT Strategy and Governance Frameworks
- CONSTRAINS: Software Development and Change Management Processes