The organisation should establish and document a formal process for the development and major enhancement of electronic information systems to meet national regulatory requirements. This process ensures that systems are not put into use without the necessary approvals from the national cybersecurity authority.
When central systems are developed, the organisation managing the electronic information system should inform the national cybersecurity authority of matters affecting the security of the system. The initial notification should be made during the planning phase and subsequently upon reaching each defined project milestone.
The process should include the following steps:
- Classifying the system and its data according to the official security classification scheme.
- Submitting the classification to the national cybersecurity authority for approval before development begins.
- Informing the national cybersecurity authority of security-relevant issues during the planning phase and at each milestone, in the case of a central system.
- Including the authority-approved security requirements in all development contracts.
- Verifying that all approved requirements are met before the system is put into production.