334 ◾ Information Security Management Handbook
the application and the associated process designs for using the application. If the controls previously
identified have not been implemented, then the application does not get to move forward in
the development cycle. If it is determined that a new control must be added because of an event
which affects the application security, then that control must be added into the development cycle.
While the SDLC provides a high degree of structure, many smaller organizations do not want
to follow one because it does incur cost. It can slow down development time because of the
emphasis on identifying and meeting requirements. The problem is that the cost of fixing a bug
after the application is in production ...