Skip to main content

Purpose

This document defines Mindset AI Ltd’s software development lifecycle and shows how information security is integrated throughout the development process from initial concept through production operations.

SDLC Phases Overview

Mindset AI Ltd follows a 6-phase SDLC that integrates security, quality assurance, and change management at every stage:
PhasePurposeOutputs
Product documentProblem statement, Personas, Business justification, Risk reviewProduct document, Epic
UX planUser flows, interface concepts, rough UX guidelines, Initial security reviewUX documentation, Security notes
Specification documentDetailed feature requirements, acceptance criteria, functional specifications, Security requirementsSpecification document
Implementation planTechnical architecture, detailed design, implementation approach, Secure design architectureImplementation plan, Implementation issue tickets (Stories)
DeliveryImplementation, testing, deployment to production, Security testingProduct updates
OperationsOngoing monitoring, maintenance, incident response, continuous improvementOngoing product and process improvements

Phase 1: Product Document

Primary Focus: Problem statements, use cases, business justification Key Outputs:
  • Product vision and business case
  • Initial risk assessment (if material changes to security posture)
  • Data classification requirements
Applicable Policies:
  • Risk Management Policy
  • Data Management Policy

Phase 2: UX Plan

Primary Focus: User flows, interface concepts, rough UX guidelines Security Activities:
  • Privacy-by-design considerations (data minimization, consent flows)
  • Authentication and authorization requirements
  • Sensitive data display considerations
  • Accessibility and security balance
Key Outputs:
  • User flow diagrams
  • Interface concepts
  • UX guidelines with privacy considerations
Applicable Policies:
  • Secure Development Policy (privacy-by-design principles)
  • Data Management Policy (data handling in UI)
Gate Criteria: UX concept approval, security requirements identified

Phase 3: Specification Document (Requirements)

Primary Focus: Detailed feature requirements, acceptance criteria, functional specifications Security Activities:
  • Detailed security requirements definition
  • Threat modeling for new functionality
  • Data flow analysis and classification
  • Access control requirements
  • Integration security requirements
Key Outputs:
  • GitLab Epic with detailed requirements
  • Acceptance criteria including security requirements
  • Identified security controls to be implemented
Applicable Policies:
  • Secure Development Policy (secure engineering principles)
  • Access Control Policy (access requirements)
  • Data Management Policy (data classification and handling)
Gate Criteria: Requirements approved, security requirements documented, Epic created

Phase 4: Implementation Plan (Design)

Primary Focus: Technical architecture, detailed design, implementation approach Security Activities:
  • Application of secure-by-design principles
  • Architecture review for security implications
  • Cryptography approach (if applicable)
  • API security design
  • Infrastructure security requirements
  • Impact assessment for existing systems
Key Outputs:
  • Technical design documentation
  • Security architecture decisions
  • Implementation plan with security controls
  • Change impact assessment
Applicable Policies:
  • Secure Development Policy (secure engineering principles)
  • Cryptography Policy (encryption requirements)
  • Operations Security Policy (infrastructure standards)
  • Change Management Procedure (impact assessment)
Gate Criteria: Design approved, security architecture validated, implementation plan documented

Phase 5: Delivery (Development, Testing, Deployment)

Primary Focus: Implementation, testing, deployment to production This is the most controlled phase with multiple quality gates and security validations.

5.1 Development

Activities:
  • Code implementation following secure coding standards
  • Version control in GitLab
  • Local testing and security consideration
  • Commit to feature branch
Applicable Policies:
  • Secure Development Policy (coding standards, version control)
  • Change Management Procedure

5.2 Integration and Testing

Activities:
  • Merge request creation with impact assessment
  • Automated testing (unit tests, API tests where configured)
  • Security scanning (SAST, dependency scanning, container scanning)
  • Code review by qualified team member
  • Manual testing across environments (Development → Integration → Staging)
  • GitLab ticket state progression documenting test completion
Quality Gate: Merge Request Approval
  • All pipeline tests pass
  • Security scans complete (no critical/high vulnerabilities introduced)
  • Code review approval from team lead
  • Testing verified via GitLab ticket state and comments
  • Change impact assessment documented
Applicable Policies:
  • Change Management Procedure
  • QA Process Documentation
  • Secure Development Policy (vulnerability management)
  • Operations Security Policy (vulnerability SLAs)

5.3 Deployment

Activities:
  • Weekly deployment cycle
  • Cross-functional go/no-go decision
  • Production deployment per change management procedure
  • Monitoring and validation
  • Deploy review ticket creation (within 1 week)
Quality Gate: Production Deployment Approval
  • Staging validation complete
  • Weekly go/no-go approval from cross-functional team (Tech Leads, Product Managers, Test Leads)
  • Documented in #deployment-status Slack channel
  • Evaluation based on quality, performance, security, functionality
Applicable Policies:
  • Change Management Procedure
  • Deploy Review Process Guide
Emergency Changes (Hotfixes):
  • Expedited workflow: Branch from release → Test on staging → Deploy → Merge to develop
  • Same approval requirements but accelerated timeline
  • Post-implementation review required within 48 hours

Phase 6: Operations

Primary Focus: Ongoing monitoring, maintenance, incident response, continuous improvement Security Activities:
  • System monitoring and logging
  • Deploy review and validation (within 1 week of deployment)
  • Security incident monitoring and response
  • Vulnerability management and patching
  • Access reviews and compliance monitoring
  • Continuous improvement and lessons learned
Key Outputs:
  • Deploy review tickets documenting post-deployment validation
  • Incident response records (if applicable)
  • Vulnerability remediation tickets
  • Quarterly access reviews
  • Lessons learned and process improvements
Applicable Policies:
  • Deploy Review Process Guide
  • Operations Security Policy (monitoring, logging, vulnerability management)
  • Incident Response Plan
  • Access Control Policy (quarterly access reviews)
  • Change Management Procedure (continuous improvement)
Ongoing Activities:
  • Monitor system performance and security alerts
  • Respond to incidents per Incident Response Plan
  • Remediate vulnerabilities per Operations Security Policy SLAs
  • Review and update documentation
  • Capture lessons learned for process improvement

Security Integration Throughout SDLC

Security is implemented throughout the SDLC. See secure-software-development-practices.md for summary of practices followed and the secure-engineering-principles-and-planning.md for detailed requirements at each stage of the process, and practical guides for implementation.

Quality Gates Summary

GatePhaseCriteriaEvidence
Concept ApprovalProduct Document → UX PlanBusiness justification, initial risk reviewEpic/product docs
Requirements ApprovalSpecification → Implementation PlanSecurity requirements defined, Epic createdGitLab Epic
Design ApprovalImplementation Plan → DeliveryArchitecture reviewed, impact assessedImplementation plan
Merge Request ApprovalDevelopment → IntegrationTests pass, security scans clear, code reviewedGitLab MR, pipeline logs
Production DeploymentTesting → ProductionStaging validated, go/no-go approvalSlack #deployment-status, GitLab
Post-Deployment ValidationDelivery → OperationsDeploy review completedDeploy review ticket

Issue type breakdown

Issue/Ticket typeDefinition/Purpose
Epicsstrategic, large features
StoriesFunctional changes
BugsQuality issues
TasksBreakdown of functional changes if required
JobsActivities that do not result in technical change e.g. documentation, investigation
SpikeTechnical POC or exploration
Hot fixCritical patch
RollbackRollback actions and review
Deploy reviewDeployment review process

Roles and Responsibilities

RoleSDLC Responsibilities
CTOSDLC policy owner, design review, exception approvals
Product TeamProduct documents, specifications, acceptance criteria
UX TeamUser flows, interface design with privacy considerations
Tech LeadsArchitecture review, design approval, code review, go/no-go approval
DevelopersImplementation, testing, security best practices, GitLab documentation
DevOpsInfrastructure implementation, CI/CD pipelines, security scanning, deployment
Release ManagerDeployment coordination, go/no-go facilitation, deploy reviews
QA TeamTest planning, execution, validation, go/no-go input

Evidence and Audit Trail

The SDLC process produces comprehensive evidence for compliance auditing:
SDLC PhaseEvidence TypeLocation
Product/RequirementsEpic documentationGitLab Epics
SpecificationRequirements, acceptance criteriaGitLab Issues
DesignDesign docs, impact assessmentsGitLab, Google Drive
DevelopmentCode commits, commit messagesGitLab repository
TestingPipeline logs, test results, ticket statesGitLab CI/CD, Issues
Code ReviewMerge requests, approvalsGitLab MRs
Security ScanningSAST, dependency, container scansGitLab Security Dashboard
Deployment ApprovalWeekly go/no-go decisionsSlack #deployment-status
DeploymentDeployment logs, release tagsGitLab CI/CD, repository
Post-DeploymentDeploy review ticketsGitLab (type::deploy review)
OperationsMonitoring logs, incident recordsGCP, GitLab Issues

Relationship to Other Procedures

This SDLC Overview provides the framework. Detailed procedures are documented separately: Supporting policies:
  • Change Management Procedure
  • Secure Development Policy
  • Operations Security Policy
  • Access Control Policy
  • Data Management Policy
  • Risk Management Policy
  • Cryptography Policy

Continuous Improvement

The SDLC process is reviewed and improved through:
  • Deploy review lessons learned
  • Post-mortem analysis of incidents
  • Quarterly change management metrics review
  • Annual policy and procedure reviews
  • Feedback from development team
  • Audit findings and recommendations
Next Review: October 2026

Version History

VersionDateDescriptionAuthorApprover
1.0October 14, 2025Initial SDLC overviewWill EvansWill Evans
Document Owner: Will Evans, CTO
Effective Date: October 14, 2025
Version: 1.0
ISO 27001:2022 Controls: A.8.25 (Secure Development Lifecycle), A.8.32 (Change Management)