Systems Development Lifecycle (SDLC)
Domain 3 — Information Systems Acquisition, Development and Implementation
Definition
SDLC is a structured framework for planning, designing, developing, testing, and deploying information systems. Common methodologies include waterfall, agile, and iterative models. IS auditors evaluate SDLC processes for adequate user involvement, security integration (DevSecOps), testing coverage, and stage-gate approvals before production release.
Real-World Audit Scenario
A software company I audited was using an agile methodology but had no formal security review in their sprint cycle. Features were developed, tested for functionality, and deployed — but nobody was reviewing code for security vulnerabilities. When we performed a static code analysis, we found 14 SQL injection vulnerabilities in the latest release. The developers were surprised because "security was never part of the definition of done." We recommended embedding a security review into the acceptance criteria for every user story.
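As an added illustration of the scenario above (example code written for this page, not from the audit or the company described): a minimal static check, built on Python's `ast` module, that flags the pattern a SAST tool reports as SQL injection, namely a query string assembled at runtime (concatenation, `%` formatting, `.format()` or an f-string) and handed to `cursor.execute()`. Both source samples are constructed for the example; the "vulnerable" one is the kind of code that ships when security is not in the definition of done, and the "safe" one is the same query with bound parameters, which is what the acceptance criteria should require. It is a heuristic, not a replacement for a real SAST tool, but it shows what such a tool is looking for and how a sprint gate can turn its output into a pass/fail decision.

```python
"""Minimal SQL-injection static check (added example, not from the page).

Flags cursor.execute()/executemany() calls whose SQL argument is built at
runtime from non-constant parts. Sample sources below are constructed.
"""
import ast

# Constructed sample: user input interpolated straight into the SQL text.
VULNERABLE_SRC = '''
def get_user(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)

def find_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def delete_user(cursor, name):
    cursor.execute("DELETE FROM users WHERE name = '%s'" % name)
'''

# Constructed sample: the same queries with bound parameters. The SQL text is a
# constant; the driver passes values separately, so they are never parsed as SQL.
SAFE_SRC = '''
def get_user(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from non-constant parts."""
    if isinstance(node, ast.JoinedStr):  # f-string containing {...} placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; only constant + constant is harmless
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    return False


def find_sqli(source: str):
    """Return [(line, enclosing function)] for each execute()/executemany()
    call whose first argument is dynamically built SQL."""
    tree = ast.parse(source)

    # Map every node to the name of the function that encloses it.
    enclosing = {}
    for fn in ast.walk(tree):
        if isinstance(fn, ast.FunctionDef):
            for child in ast.walk(fn):
                enclosing[child] = fn.name  # inner defs overwrite outer ones

    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        if _is_dynamic_sql(node.args[0]):
            findings.append((node.lineno, enclosing.get(node, "<module>")))
    return findings


def meets_definition_of_done(source: str) -> bool:
    """Sprint gate: a story is not done while the check reports any finding."""
    return not find_sqli(source)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        hits = find_sqli(src)
        print(f"{label}: {len(hits)} finding(s) {hits} -> "
              f"{'DONE' if meets_definition_of_done(src) else 'BLOCKED'}")
```

Running it reports three findings for the first sample (one per function) and none for the second. In a real pipeline the same idea applies with a proper SAST tool: the scan runs on every story, and a non-empty result blocks the merge rather than being filed as a ticket for later.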
Common Exam Trap
The exam may ask about SDLC phase gates or control points. A phase gate is a control point at which the deliverables of one phase are formally reviewed and approved before the next phase may begin. In a waterfall model, for example, the gate between development and testing requires signed-off test plans; work should not pass the gate without that approval. In agile, there is no single gate at the end, so security must be integrated into each sprint (for instance, as part of the acceptance criteria) rather than bolted on before release.