crisc-d4-it-security-data-life-cycle-management

Data Life Cycle Management

isaca-crisc · framework · Gold standard

Drawn fromCRISC Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Data Life Cycle Management

Data Life Cycle Management (DLCM) is the structured governance of data from creation or acquisition through active use, storage, archival, and final disposal — with risk controls integrated at every phase. In the ISACA CRISC framework, DLCM is an end-to-end operational discipline, not a single policy or tool. It ensures data is classified, protected, retained only as long as necessary, and destroyed in a verifiable, auditable manner. The seven canonical phases are: (1) Creation/Acquisition, (2) Classification, (3) Storage/Protection, (4) Active Use/Sharing, (5) Retention, (6) Archival, and (7) Disposal/Destruction. Risk management runs as a horizontal control layer across all seven phases — it does not concentrate only at creation or disposal. DLCM is distinct from data backup strategy, data quality management, master data management (MDM), and database administration, though each intersects with it.

Where it stops · what it isn't

—IS: Governance of data from creation to destruction, including classification, retention schedules, and secure disposal procedures
—IS: Risk-integrated controls applied at each lifecycle phase — access control, encryption, monitoring, and disposition verification
—IS: A policy framework spanning on-premises, cloud, SaaS, and hybrid environments
—IS NOT: Data backup and recovery strategy — backup is one storage mechanism within the lifecycle, not the lifecycle itself
—IS NOT: Data quality management or master data management (MDM) — DLCM governs existence and access, not accuracy or deduplication
—IS NOT: Database administration or schema management — DLCM operates at the governance layer above infrastructure
—IS NOT: A one-time compliance project — DLCM is a continuous operational discipline with recurring review cycles
—IS NOT: Limited to structured data — DLCM applies equally to unstructured data: emails, documents, media files, and SaaS records

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Information Technology and Security (CRISC Domain 4)

REQUIRES

Data ClassificationAccess Control Management

ENABLES

IT Operations ManagementRegulatory Compliance Management (GDPR, HIPAA, SOX, CCPA)Incident Response and Forensic Readiness

RELATED TO

Information Security ControlsThird-Party Risk Management

CONSTRAINS

Cloud Storage and Multi-Environment ArchitectureAI/ML Training Data Governance

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.