Lifecycle policies in place
Demonstrate that formalized lifecycle policies exist, are enforced across asset classes, and define security requirements for each stage from provisioning through decommissioning.
Description
What this control does
Lifecycle policies define the requirements and procedures for managing technology assets, software, and data throughout their entire existence—from acquisition and deployment through operation, maintenance, and eventual decommissioning or disposal. These policies establish mandatory stages, approval gates, security baseline requirements, and retirement criteria to ensure assets are handled consistently and securely at every phase. Lifecycle policies prevent orphaned systems, unpatched legacy applications, and insecure disposal practices by enforcing structured transitions and accountability from cradle to grave.
Control objective
What auditing this proves
Demonstrate that formalized lifecycle policies exist, are enforced across asset classes, and define security requirements for each stage from provisioning through decommissioning.
Associated risks
Risks this control addresses
- Unmanaged end-of-life systems remain operational with unpatched vulnerabilities, exposing the organization to exploitation via known CVEs
- Decommissioned hardware is disposed of without secure data sanitization, leading to data leakage through discarded drives or devices
- Legacy applications persist without support contracts or security updates, creating compliance gaps and increasing attack surface
- Shadow IT proliferates due to lack of onboarding procedures, bypassing security controls and visibility
- Assets are deployed without baseline security configurations, enabling initial access through misconfiguration
- Lack of retirement criteria causes resource waste and license sprawl, increasing operational complexity and audit burden
- Transition gaps between lifecycle stages create windows where assets lack defined ownership or security responsibilities
Testing procedure
How an auditor verifies this control
- Obtain the organization's documented lifecycle policy or policies covering hardware, software, cloud services, and data assets
- Review each policy to verify it defines distinct stages (e.g., request, procurement, deployment, operation, maintenance, retirement, disposal) with security requirements per stage
- Identify the governance body or role responsible for approving lifecycle stage transitions and verify assignment in documentation
- Select a sample of 10-15 assets across multiple classes (servers, workstations, SaaS applications, databases) from the asset inventory
- For each sampled asset, trace evidence of lifecycle stage transitions through change tickets, procurement records, deployment checklists, and decommissioning logs
- Verify that decommissioning procedures include data sanitization requirements and validate completion records for at least 5 recently retired assets
- Interview asset owners and IT operations staff to confirm awareness of lifecycle policy requirements and their role-specific responsibilities
- Examine exception or waiver processes for assets operating beyond defined end-of-life dates and assess risk acceptance documentation
Where this control is tested