Systems Development Lifecycle
The Systems Development Lifecycle (SDLC) is a structured framework that defines the phases, activities, roles, and controls required to plan, create, test, deploy, and maintain an information system. Standard SDLC phases include feasibility study, requirements definition, system design, development, testing, implementation, and postimplementation review, though specific models — waterfall, iterative, agile — vary in how they sequence and overlap these phases. The SDLC embeds governance checkpoints, quality gates, and formal approvals at phase boundaries to ensure that business requirements are met and risks are controlled. For IS auditors, the SDLC is the primary control framework against which acquisition and development projects are assessed.
Boundaries
- IS: A repeatable, phase-gated methodology governing the full lifespan of an information system from initial concept through decommissioning, with defined controls at each stage.
- IS NOT: A specific software development methodology such as Scrum or Kanban; agile methods are implementation approaches that must still satisfy SDLC governance requirements.
Systems built without SDLC discipline routinely exceed budgets, fail to meet requirements, and introduce security vulnerabilities that are exponentially more expensive to remediate after deployment. Inadequate SDLC controls are among the leading causes of material IT project failures cited in audit findings and regulatory enforcement actions.
Who this affects
- IS Auditor: The auditor evaluates whether a project followed an approved SDLC, whether controls such as requirements sign-off, change management, and testing approvals were consistently applied, and whether deviations were authorized — each gap is an audit finding.
- IT Development Manager: The development manager relies on SDLC controls to manage scope creep, enforce testing standards, and provide evidence to auditors and regulators that the organization exercises disciplined software governance.
An SDLC operates through a series of formally defined phases, each producing specific deliverables — such as a feasibility study, functional specification, test plan, or implementation plan — that must be reviewed and approved before the next phase begins. Quality gates at phase boundaries ensure that defects are caught early, when remediation costs are lowest. Configuration management, version control, and change-control boards enforce integrity of deliverables as the system evolves from design artifacts through production code.
Feedback loops
- Defects discovered during testing feed back to the design phase, driving specification revisions before production deployment.
- Postimplementation review findings are formally input into the SDLC methodology, updating templates, checklists, and risk registers for future projects.