cisa-d3-acquisition-development-system-migration-infrastructure-deployment-and-dat

System Migration, Infrastructure Deployment, and Data Conversion

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is System Migration, Infrastructure Deployment, and Data Conversion

System Migration, Infrastructure Deployment, and Data Conversion is the governed process of transitioning information systems, underlying infrastructure, and organizational data from a source environment to a target environment—while maintaining data integrity, regulatory compliance, business continuity, and audit traceability throughout. From an ISACA CISA perspective, this is not a purely technical exercise: it is a high-risk implementation event requiring formal governance controls, documented decision gates, stakeholder sign-offs, and tested contingency plans. Three interlocking components must converge: (1) Infrastructure Deployment—provisioning and validating the target environment (hardware, network, cloud services, security controls) before any data moves; (2) Data Conversion—extracting, transforming, validating, and reconciling data from legacy formats to target formats while preserving completeness and accuracy; and (3) System Migration—the orchestrated cutover of business operations from source to target, including parallel-run periods, user acceptance testing, and rollback capability. Together, these form a single sequenced governance event with a defined start state, end state, and measurable success criteria.

Where it stops · what it isn't

—IS: Governance, control design, risk management, and audit oversight of transitioning systems and data from source to target environments.
—IS: Parallel-run management, cutover sequencing, rollback planning, data validation gates, and legacy decommissioning controls.
—IS: Compliance and audit trail requirements during data movement under GDPR, HIPAA, PCI-DSS, SOX, and FedRAMP.
—IS NOT: Platform-specific migration tooling (e.g., configuring AWS DMS or Azure Database Migration Service)—that is platform engineering, not CISA governance.
—IS NOT: Application development or software coding—this cubelet concerns the controlled deployment of already-developed or procured systems.
—IS NOT: Ongoing IT operations or change management after post-migration stabilization is complete—those fall under ITIL/ITSM domains.
—IS NOT: Business process reengineering, which may accompany a migration but is a separate organizational change discipline.
—Boundary case: Cloud-native migrations using continuous deployment pipelines blur the line between migration and release management—cutover governance principles still apply even when tooling differs.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Information Systems Acquisition, Development, and Implementation (ISACA CISA Domain 3)

REQUIRES

System Readiness and Implementation TestingIT Risk Assessment and Control DesignData Governance and Data Quality Management

ENABLES

Implementation Configuration and Release ManagementPost-Implementation Review

RELATED TO

System Development Methodologies and Controls

CONSTRAINS

Legacy System Decommissioning and Sunset Planning

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.