- **Verification**: Checks that the software conforms to its specifications and design documents at each phase. Internal, process-focused. Examples: code review, design walkthroughs, unit tests against the spec.
- **Validation**: Confirms the finished product meets the user's actual needs and intended use. External, outcome-focused. Examples: acceptance testing, user acceptance testing (UAT), operational testing.
- **Accreditation**: Formal management decision to accept residual risk and authorize a system to operate. In U.S. federal/DoD terms: Authority to Operate (ATO). Made by the Authorizing Official (AO). Time-limited and risk-based.
- **Certification**: Comprehensive technical evaluation of security controls to determine whether they meet requirements. Precedes accreditation. Produces the Security Assessment Report (SAR) used by the AO.
| Concept | Question answered | Who owns it | SDLC phase | CISSP domain |
|---|---|---|---|---|
| Verification | Built to spec? | Developers / QA | Development & Testing | Domain 8 (SDLC) |
| Validation | Meets user need? | Users / QA / PM | Testing & Acceptance | Domain 8 (SDLC) |
| Certification | Controls adequate? | Security assessor (3rd party or internal) | Operations & Maintenance | Domain 3 (Security Arch) |
| Accreditation / ATO | Risk acceptable to operate? | Authorizing Official (AO/DAA) | Operations & Maintenance | Domain 1 (Risk Mgmt) |