System development methodologies are structured frameworks that govern how information systems are planned, built, tested, deployed, and maintained. A methodology defines the sequence of activities, roles, artifacts, decision gates, and control checkpoints that transform business requirements into operational systems. In the CISA context, methodologies are not project management conventions — they are the architectural backbone of a control environment: each methodology embeds specific points where risks are identified, controls are validated, and audit evidence is generated. The three primary families are: (1) Sequential/Waterfall — linear phase-gate progression with heavy upfront documentation; (2) Iterative/Agile — time-boxed sprints delivering incremental functionality with continuous feedback; and (3) Hybrid (Water-Scrum-Fall) — waterfall governance framing with agile execution at the delivery layer. Emerging variants include DevOps/continuous delivery, RAD, and low-code/no-code platform models.
Where it stops · what it isn't
- IS: The governance and control framework surrounding how systems are developed — including methodology selection criteria, control integration architecture, audit evidence requirements, and regulatory mapping.
- IS: The discipline of matching methodology type to organizational risk profile, regulatory environment, and project characteristics.
- IS NOT: How to run Scrum ceremonies or write waterfall phase documents — those are methodology execution topics, not methodology governance.
- IS NOT: Project management methodology (PMI PMBOK, PRINCE2) — though overlap exists, the CISA focus is control design and auditability, not schedule and resource management.
- IS NOT: Software engineering practices (coding standards, design patterns) — those are subsets of what methodologies govern, not the methodology itself.
- IS NOT: IT service management (ITIL) — ITIL governs changes post-deployment; SDM governs the development process itself.
- BOUNDARY: Low-code/no-code platforms and AI/ML model development are emerging edge cases where traditional SDM frameworks are insufficiently mapped to current ISACA guidance.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Information Systems Acquisition, Development, and Implementation (CISA Domain 3)
- ENABLES: Control Identification and Design; Business Case and Feasibility Analysis; System Testing and Quality Assurance; Implementation, Configuration, and Migration Controls
- REQUIRES: IT Governance Frameworks (COBIT, Risk IT); Internal Control Concepts (COSO); IT Risk Management Fundamentals
- RELATED TO: Project Governance and Management; Change Management Controls
- CONSTRAINS: Regulatory Compliance Architecture (SOX, HIPAA, PCI-DSS, FedRAMP)