System Migration, Infrastructure Deployment & Data Conversion
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series addresses the high-risk transition from a tested system to a live production environment, covering the mechanics and risks of data conversion, the three strategies for switching users to a new system, how maintenance and change control continue after go-live, and the formal certification and accreditation process.
What this episode covers
- Data conversion risks: why format differences, one-time execution, and missing input validation make conversion uniquely dangerous.
- Conversion planning steps: deciding what to convert by program versus by hand, cleansing data, setting success criteria, designing audit trails, and running a full dress rehearsal.
- Rollback planning: ensuring reversal tools exist before cutover so the original data can be restored if the new system fails.
- Three changeover strategies: parallel, phased, and abrupt, with safety versus speed trade-offs for each.
- Post-go-live maintenance: the auditor checks needed on change authorization, emergency procedures, change logs, and production access controls.
- End-user training: timing considerations, train-the-trainer sessions, and matching training to job roles.
- Certification and accreditation: the technical assessment versus the management authorization decision and who owns accountability.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
Why is data conversion considered especially risky during a system migration?
Data conversion is risky because old and new systems rarely share the same formats, structures, and coding schemes, so moving data while preserving its meaning and integrity requires careful planning. The task is usually a one-time event, and the input validation checks built into the new system are not yet available to catch errors. Audit trails and logs must be used to verify accuracy, and every step in the test environment must be recorded so it can be repeated exactly in production.
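As an added illustration (not taken from the episode), the sketch below reconciles a legacy extract against the converted load using record counts, a control total, and a per-record comparison after applying the conversion rules. The field names, the status code mapping, and the sample records are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data; field names and the status coding scheme are assumptions.
LEGACY = [
    {"id": "0001", "status": "A", "balance": "150.00"},
    {"id": "0002", "status": "C", "balance": "75.50"},
    {"id": "0003", "status": "A", "balance": "20.25"},
]
CONVERTED = [
    {"customer_id": 1, "status": "ACTIVE", "balance_cents": 15000},
    {"customer_id": 2, "status": "ACTIVE", "balance_cents": 7550},  # status mapped wrongly
    # legacy record 0003 was dropped during the load
]
STATUS_MAP = {"A": "ACTIVE", "C": "CLOSED"}  # old coding scheme -> new


def expected_row(rec):
    """Apply the documented conversion rules to one legacy record."""
    cents = int(Decimal(rec["balance"]) * 100)
    return int(rec["id"]), STATUS_MAP[rec["status"]], cents


def actual_row(rec):
    return rec["customer_id"], rec["status"], rec["balance_cents"]


def reconcile(legacy, converted):
    """Compare source and target by record count, control total and per-record content."""
    expected = {row[0]: row for row in map(expected_row, legacy)}
    actual = {row[0]: row for row in map(actual_row, converted)}
    report = {
        "count_source": len(legacy),
        "count_target": len(converted),
        "total_source": sum(r[2] for r in expected.values()),
        "total_target": sum(r[2] for r in actual.values()),
        "missing": sorted(expected.keys() - actual.keys()),
        "unexpected": sorted(actual.keys() - expected.keys()),
        "mismatched": sorted(k for k in expected.keys() & actual.keys()
                             if expected[k] != actual[k]),
    }
    # Success criterion: counts and totals agree and no record-level exceptions.
    report["passed"] = (report["count_source"] == report["count_target"]
                        and report["total_source"] == report["total_target"]
                        and not (report["missing"] or report["unexpected"]
                                 or report["mismatched"]))
    return report


if __name__ == "__main__":
    for key, value in reconcile(LEGACY, CONVERTED).items():
        print(f"{key}: {value}")
```

The wrongly mapped status on record 2 leaves both the count and the control total for that record unchanged, so only the per-record comparison flags it.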
What are the three changeover strategies and their key trade-offs?
Parallel changeover runs old and new systems together until users trust the new one; it is the safest but doubles the workload. Phased changeover replaces one module at a time for a controlled transition, but it stretches the project duration and complicates support. Abrupt changeover switches everything on a single cutoff date, which is the fastest approach but carries the greatest risk if problems arise.
What is the difference between certification and accreditation of a system?
Certification is a thorough technical assessment in which an assessor checks how well the system's controls meet security requirements, and its results feed a risk reassessment. Accreditation is the management decision to authorize operation, where a senior official formally accepts the residual risk. By accrediting the system that official takes personal accountability for its security.
What should an auditor check in the ongoing maintenance phase after go-live?
The auditor should confirm that a method exists to authorize and track change requests and that emergency change procedures are defined. The change log should show every change was resolved, and access restrictions should be tight over production source code and modules. The auditor should also sample changes from the log to confirm they were documented, tested, and properly made, and verify that only one source version matches each production module.
Reference: This article is based on concepts discussed in System Migration, Infrastructure Deployment & Data Conversion.