Blog · Day One

The IT cutover is the part of Day One that everyone sees fail.

A Day One IT readiness checklist is the operational discipline that ensures Newco’s employees can log in, the ERP can transact, the email domain works, and the security perimeter is in place. It is the most visible workstream on Day One because every employee tests it within the first hour. The checklist sits inside the broader Day One readiness framework and runs in five phases through the 90 day cutover runway.

5
Phases
90 Days
Runway
9 min
Read Time
2026
Last Updated
Section 01

Identity, access, and the directory cutover.

Identity is the foundation of every other IT decision. The directory that authenticates users determines what they can access, which mailboxes they can read, which files they can open, and which applications they can run. On Day One, Newco employees need to be authenticating against either a Newco directory or, more commonly, a seller directory under TSA that will migrate later.

The checklist for the directory cutover covers seven items. The Newco tenant exists and is licensed. The seller’s directory has Newco users tagged for migration. The seller’s identity provider can authenticate Newco users with Newco branding. The mailbox routing is configured. The single sign on chain is tested for the top 20 applications. The conditional access policies match the seller’s. The recovery procedures are documented.

The cutover itself happens in a maintenance window over a weekend before Day One. The window runs Saturday night to Sunday afternoon. During the window, the directory is in a frozen state. Users cannot reset passwords. New accounts cannot be provisioned. Existing sessions remain valid but new sessions go through a rerouted authentication flow.

A clean directory cutover is invisible to the user. A failed one is the first call to the help desk on Monday morning. The fix is end to end testing in a parallel environment before the live cutover. The pattern is consistent with the broader Day One cybersecurity work.

Section 02

Email, collaboration, and the new domain.

The email domain is the visible face of Newco on Day One. Most carve-outs adopt a new domain at separation. Some retain the seller’s domain under a transitional licensing arrangement. Either way, the email checklist covers domain registration, mail flow, calendar permissions, and external client access.

The seven items on the email checklist are as follows. The new domain is registered and has the right DNS records for SPF, DKIM, and DMARC. The mailbox migration plan is tested in a sandbox. The calendar shares between Newco users and remaining seller users are preserved or rebuilt. The external mail flow from Newco to customers and vendors is tested. The third-party application integrations on the mail platform are mapped. The retention policies are reset to Newco’s policy. The legal hold inventory is transferred.

Collaboration platforms are similar. Document libraries need to be migrated or shared under TSA. Team chat history needs to be either retained for compliance or archived. Meeting recordings carry data classification questions that the legal team needs to resolve before cutover.

External communication is the highest risk. A Newco employee sending email to a customer from a domain the customer does not recognize creates support tickets and lost deals. The fix is a coordinated external communication that goes out two weeks before Day One announcing the new domain. The cascade pattern is documented in Day One customer and vendor communication.

Section 03

ERP, business systems, and the application stack.

The ERP is the operational backbone. The Day One checklist depends on whether Newco is running a copy of the seller’s ERP under TSA, standing up a new ERP, or migrating to a different platform. In most carve-outs, the first option is the path because it minimizes Day One risk and pushes the ERP rebuild into the TSA term.

Where Newco runs a copy of the seller’s ERP, the checklist covers data clone, master data filtering, role mapping, and reporting access. The data clone is taken at a defined cutoff. Master data is filtered to Newco entities only. Roles are remapped to Newco employees. Reporting access is reauthorized. Each step has a test scenario that runs before cutover.

The application stack beyond the ERP is the long tail. CRM, procurement, expense management, HRIS, BI tools, ticketing, dozens of point applications. Each needs to be inventoried, classified by Day One criticality, and tested. The critical applications need to work on Day One. The non critical applications can transition through the TSA over the first 90 days.

The ERP cutover scenarios by underlying platform have specific patterns. Oracle, SAP, Workday, and NetSuite each carry their own carve-out playbook considerations. The platform specific patterns are captured across the carve-out IT separation playbook.

Section 04

Network, endpoint, and the security perimeter.

The network and security perimeter is invisible until it fails. The checklist covers VPN, firewall rules, endpoint protection, patch management, vulnerability scanning, and the SOC. On Day One, Newco needs a defensible perimeter that protects against the same threats the seller faced, configured to Newco’s scale and risk profile.

The first decision is whether to inherit the seller’s security stack under TSA or stand up Newco’s own. Most carve-outs do both. Some controls inherit from the seller for 12 to 24 months. Some controls are rebuilt immediately because the seller’s configuration does not fit Newco’s footprint. The split needs to be documented before cutover so that incident response paths are clear.

Endpoint protection is the most common Day One gap. Newco laptops sometimes ship with the seller’s management agent still installed but no longer reporting. The agent needs to be either repointed to a Newco management console or replaced with a Newco endpoint solution. The transition is tested on a pilot population before cutover.

The SOC handover is the most consequential. The team that monitors security events needs to know that Newco events flow through a Newco identifiable channel. Where the seller’s SOC covers Newco under TSA, the alerting rules need to be tuned to Newco’s footprint. Where Newco stands up its own SOC, the transition is more demanding. Both paths are covered in carve-out cybersecurity Day One.

Section 05

Data extracts, data quality, and the cutover plan.

Data is the highest risk item on the IT checklist. The data extract from the seller’s systems determines what Newco can do on Day One. Customer master data, vendor master data, item master data, employee master data, and transactional history all need to be extracted, filtered, transformed, and loaded into Newco’s configured systems.

The data quality checklist runs against each extract. Are the records complete. Are the references valid. Are the duplicates resolved. Are the categorizations correct. The check needs to happen in a sandbox at least 30 days before cutover. Issues found in the sandbox are remediated in the source system before the final extract.

The cutover plan sequences the data work over the cutover weekend. The seller’s system is locked at a defined cutoff. The final extract runs. Newco’s systems are loaded. Reconciliation reports run. Where the reconciliation fails, the rollback procedure restores the prior state. Where it succeeds, Newco enters Day One with clean data.

The cutover plan is documented as a runbook with named owners for each step. The runbook is rehearsed at least once before the live cutover. The rehearsal surfaces issues that the team did not anticipate. Most cutover plans go through three or four rehearsal cycles before they are stable. The discipline that runs alongside the IT cutover is covered in Day One finance readiness.

Section 06

Command center, hypercare, and the first week.

The Day One IT command center is the operational nerve center for the cutover. It runs from the Friday before Day One through the second week after. The command center brings together the buyer’s IT lead, the seller’s TSA lead, the carve out PMO, and the third-party advisors who supported the configuration work. The command center has a defined cadence, defined escalation paths, and defined go or no go decision rights.

The first 72 hours after cutover are hypercare. Help desk volume is two to four times normal. Walk in support is staffed. Senior IT leadership is on call. Issues that surface get triaged in real time. The pattern is highest volume on Monday morning, declining by Wednesday, returning to baseline by the second Monday.

The first week after Day One is when the operational baseline is established. The TSA service deliveries start. The invoice review starts. The SLA tracking starts. Where the cutover ran cleanly, the team can focus on the value creation work. Where it did not, the team is in remediation for the first 30 to 60 days.

A successful IT cutover is one where the operating partner does not have to take any escalations in the first week. The team handled the issues that arose. The TSA delivered the services it promised. The business continued to operate. That is the goal. The full operating discipline is built through the Day One readiness program.

Related Reading

More on Day One readiness.

Free Download

Get the buyer-side TSA Exit Playbook.

The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.

No spam. Unsubscribe in one click. · Read the overview first →

The IT cutover is the part of Day One that everyone sees fail.
Day One Readiness Program

Get the IT cutover right. The rest follows.

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.

White paper

The TSA Exit Playbook

Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.

Read the playbook →
White paper

The IT Separation Playbook

Stand up standalone IT before the TSA meter and the seller's dependencies compound against you.

Read the playbook →
The Day One Letter

Get buyer-side TSA intelligence every two weeks

One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.

Subscribe to The Day One Letter →