The process should
- respond to agreed business requirements/criteria
- be practical and efficient
- take into account user and staff considerations
- incorporate service management and performance capabilities
- consider security from the very beginning (noting that the development of security is an iterative process)
It should be well documented and progress through the phases should be authorised