The organization's ICT system acquisition procedure must ensure testing and approval of all ICT systems before their initial use and after any maintenance activities.
Key requirements include:
- Ensuring that the level of testing is proportionate to the criticality of the associated business processes and ICT assets.
- Designing the testing processes to verify that new or modified ICT systems perform as intended, with a special emphasis on validating the quality of any software developed internally.
Additionally, specific requirements apply to certain types of entities:
Central counterparties (CCPs) must, as appropriate, involve the following stakeholders in the design and execution of the testing activities:
- Clearing members and clients,
- Interoperable central counterparties,
- Other interested parties.
Central securities depositories (CSDs) must, as appropriate, involve the following stakeholders in the design and execution of the testing activities:
- Users,
- Critical utilities and critical service providers,
- Other central securities depositories,
- Other market infrastructures,
- Any other institutions identified as having interdependencies under the CSD’s business continuity policy.
The organization's procedure must contain security testing of software packages no later than at the integration phase.