Systems design, build, and implementation

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a System Development Life Cycle program., CC ID: 11823
  • Initiate the System Development Life Cycle planning phase., CC ID: 06266
  • Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase., CC ID: 06267
  • Initiate the System Development Life Cycle implementation phase., CC ID: 06268
  • Establish and maintain technical documentation., CC ID: 15005
  • Establish and maintain end user support communications., CC ID: 06615


  • Standard § I.1 ¶ 2: Management is required to design and effectively operate processes with all the internal controls implemented. Practice Standard § III.4(2)[2].B.a: The IT general controls should be understood by the external auditors and the appropriateness of management's assessment should … (Standard § I.1 ¶ 2, Practice Standard § III.4(2)[2].B.a, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • An assessment should be conducted by the IT auditor to determine if the organization acquires or develops application systems with a controlled method that provides effective controls within and over the data and applications that are processed. (§ 5.3.6 ¶ 1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Each element of the IT audit universe should be linked to one of the following SDLC phases: feasibility study, analysis, design, implementation, testing, evaluation, and maintenance and production. (§ 6.8, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • After all automated processes have been identified by the auditor, the following questions need to be answered about applications that handle private information: "Were privacy issues identified in the requirements defining the application?; Have data classification standards been implemented in the… (§ 5.4 (Application Risks) ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • During the development and acquisition phase, specific security requirements for a new system should be identified. These requirements should comply with the existing policies and standards and/or new policies and standards should be developed based on the new system. (Pg 12-IV-17, Protection of Assets Manual, ASIS International)
  • § 7.1: The organization shall plan and develop processes for product realization, which shall be consistent with the other process requirements of the quality management system. § 7.3.1: The organization shall establish procedures for designing and developing products and plan and control this pro… (§ 7.1, § 7.3.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Organizational personnel should review the design process to ensure it is consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. (ID 1.2.4, AICPA/CICA Privacy Framework)
  • Products that are covered by this part shall comply with all applicable requirements. An agency shall ensure products comply with the requirements when developing, procuring, maintaining, or using electronic and information technology, unless it would impose an undue burden. (§ 1194.2(a), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • The organization must develop a system development life cycle (SDLC) methodology that provides a structured approach that is consistent with generally accepted concepts and practices; provides guidance to staff with different skills and experience levels; provides a way to control requirement change… (CSR 6.3.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • A System Development Life Cycle to manage systems is implemented. (PR.IP-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure that the system development life cycle process the organization uses includes information security, the life cycle meets the requirements of NIST Special Publication 800-64, and specific responsibilities and actions are defined for th… (SA-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)