What is SDLC?


SDLC may stand for either the System Development Life Cycle or the Software Development Life Cycle. For simplicity, the author refers to them as the System SDLC and the Software SDLC respectively.

  • A system is a collection of related elements or components that work together to achieve a common purpose.
  • A life cycle is a collection of predefined stages and processes.

Information System

  • Information is useful data, or data with meaning, relevance, and purpose.
  • An information system typically comprises components such as 1) data, 2) computer systems, 3) operating systems, 4) software, 5) networks, 6) data centers, 7) people, 8) business processes, and so forth.
  • An information system and its components are either bought or made. Security engineering addresses security concerns across the system development life cycle (SDLC).
  • This post introduces the Peacock Model as a metaphor for the information system.

The Peacock


  • Software is a collection of computer instructions and data organized in a logical way to solve problems.
  • It exists as either text-based scripts or binary machine code; binaries are produced by compiling text-based source code into a binary executable.
  • A program is the generic term for a script or executable persisted in storage. When a program is loaded into memory and executed by the processor, it becomes a process.
  • Software used to solve business problems is typically called an application.

Systems Engineering

Systems Engineering is a discipline of applying knowledge to create or acquire a system that is composed of interrelated elements collaborating for a common purpose throughout the system development life cycle (SDLC), or system life cycle (SLC).

  • NIST SP 800-64 R2 proposes the NIST SDLC in terms of information systems. It is superseded by NIST SP 800-160 V1, which aligns with the more generic SDLC defined by ISO 15288. However, the author believes the legacy NIST SDLC still plays an important role in the CISSP exam. NIST SP 800-160 V1 is crucial to ISSEP.
  • ISO 15288 is a standard of Systems and software engineering — System life cycle processes. It applies to both systems and software engineering.

ISO 15288 - System Life Cycle Processes

Security Engineering

Security Engineering is a specialty discipline of systems engineering. It addresses the protection needs or security requirements throughout the system life cycle.


Software Development

  • In the traditional waterfall model, the Software SDLC spanned the whole project, taking months or years. Nowadays it is much shorter: a life cycle can be as short as an Agile iteration or Scrum sprint of a few weeks.
  • Life cycles are iterated, that is, conducted repeatedly. In Agile, each iteration or sprint typically completes one life cycle that delivers the committed scope of software (the value or increment).
  • The life cycle in software development varies, and many well-known methodologies and approaches are available. The ISC2 official courseware, study guide, and even the CBK each propose their own software SDLC. We can choose any one of them to develop software; ISO 15288 is also applicable to software development.
  • When it comes to information systems, however, the NIST SDLC (System SDLC) can be treated as the standard for CISSP aspirants.
