crisc-d4-it-security-system-development-life-cycle

System Development Life Cycle

isaca-crisc · framework · Production-ready

Drawn fromCRISC Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is System Development Life Cycle

The System Development Life Cycle (SDLC) is a structured governance framework defining the phases, controls, and decision gates through which an information system passes—from initial business need through design, development, testing, deployment, operation, and retirement. From a CRISC risk-governance perspective, SDLC is not a coding methodology. It is the control architecture that ensures systems are built, changed, and decommissioned with appropriate risk oversight, auditability, and compliance integrity at every phase.

Where it stops · what it isn't

—IS: A risk governance and control framework applied across all phases of system creation and operation—encompassing requirements, design, development, testing, deployment, maintenance, and end-of-life.
—IS: Applicable to all development models—Waterfall, Agile, DevOps, cloud-native, and hybrid—with controls adapted to each model's iteration speed and deployment frequency.
—IS NOT: A software development methodology. CRISC practitioners evaluate and govern SDLC controls; they do not write code, conduct agile ceremonies, or perform technical architecture design.
—IS NOT: Limited to new system builds. SDLC governance applies equally to upgrades, integrations, migrations, and third-party or vendor-developed solutions.
—IS NOT: Synonymous with project management. SDLC defines phase-specific risk and quality controls; project management governs schedule, budget, and resource delivery within those phases.
—IS NOT: A one-time activity. Operational maintenance, patch management, and change control are ongoing SDLC activities throughout a system's entire service life.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

CRISC Domain 4: IT and Security

REQUIRES

Enterprise ArchitectureIT Change ManagementProject Management

ENABLES

IT Operations ManagementDisaster Recovery ManagementRegulatory Compliance (SOX, HIPAA, PCI-DSS, GDPR)

RELATED TO

Vendor and Third-Party Risk Management

CONSTRAINS

Agile and DevOps Delivery Practices

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.