The II 901 directive applies:
The recommendations described in this guide are intended primarily for entities which are fully subject to the II 901 directive. As the II 901 directive is also recommended for all other public or private entities which implement a sensitive IS, those recommendations can usefully be adapted to any other public or private entity dealing with a sensitive IS (e.g. IS hosting ‘business secret’ information, IS hosting ‘professional secrecy’ data…).
This guide has been conceived as a tool for entities which intend to implement an IT architecture compliant with the II 901 directive. The reader’s attention is drawn to the fact that some areas of the II 901 directive are not covered in this guide (2).
This version of the guide does not address the issues raised when sensitive or RD data are hosted in the cloud.
(1) The State administrative services as defined in this directive are the Central Administrative Services, the National Public Bodies, devolved State Services and Independent Administrative Authorities.
(2) Examples of areas not covered are physical security and the software development lifecycle. As a result, compliance of an IS with the recommendations of this guide is not sufficient to attest compliance with the full set of II 901 requirements. Additional effort is required to bring the IS into full compliance when accreditation at the sensitive or RD level is sought.
This guide is also available in French: « Recommandations pour les architectures des systèmes d’information sensibles ou Diffusion Restreinte »