Skip to main content
Digital Iceland Frontpage
Digital Iceland Frontpage

Digital Iceland

Guidelines for Modernising Government Information Systems

The technical principles and guidelines for the development and maintenance of information systems within the Ministry of Finance and Economic Affairs are intended to ensure interoperability, security, incremental modernisation and integration with the Government of Iceland's shared digital infrastructure. Their objective is to transform legacy information systems into replaceable, flexible and well-defined components within the broader public sector digital ecosystem.

The underlying principles are that all functionality should be accessible through well-defined Application Programming Interfaces (APIs), that reuse and security should be prioritised before new solutions are developed or implemented, that cloud-based solutions should be adopted where appropriate, that systems should be designed with users in mind, and that data exchange between systems should follow recognised standards.

When developing and maintaining information systems, they should be designed to operate independently of other systems wherever possible. This is achieved by implementing a standardised service layer around the information system, enabling other systems to interact with it without being dependent on its internal architecture or data storage. The objective is for the information system to function as a backend component that can be replaced in the future without affecting other systems.

Digital Iceland has published policies, terms and conditions, and technical guidelines covering the development, operation and integration of information systems. These shall be followed where applicable. The principles and guidelines set out in this document build upon that foundation and provide additional guidance specifically intended to support the modernisation of legacy information systems across the Icelandic public sector.

Guidelines

1. Public-facing digital services

  • Public-facing digital services shall be built on Digital Iceland's shared digital infrastructure and frontend solutions unless there are compelling professional or technical reasons not to do so.

  • New public-facing digital services shall be developed on Ísland.is where applicable.

  • When modernising legacy systems, existing digital services should, where possible, be migrated to Ísland.is.

  • The operation and development of organisation-specific frontend solutions should be reduced where equivalent functionality is available through Digital Iceland's shared solutions.

  • Public-facing digital services shall comply with the applicable digital accessibility requirements.

2. Architecture

  • Standardised and reusable software solutions should be adopted where appropriate.

  • A layered architecture shall be used, with a clear separation between the frontend, service layer and backend.

  • Systems shall be designed using loosely coupled components with clearly defined responsibilities.

  • Service-oriented or modular architectural approaches should be adopted where appropriate.

  • Digital Iceland's shared digital infrastructure shall be used where it meets the needs of the relevant service.

3. Service Layer

  • The development, implementation and operation of web services shall comply with Digital Iceland's current Web Services Policy.

  • The API-first principle shall be adopted, ensuring that all new functionality is made available through well-defined Application Programming Interfaces (APIs).

  • Information systems shall be encapsulated by a service layer so that other systems are not dependent on their internal architecture.

  • The service layer shall be designed to enable legacy information systems to be modernised or replaced with minimal impact on other systems and services.

4. Data

  • Data management shall comply with Digital Iceland's current guidelines on data governance and public data.

  • Consistent terminology and data definitions shall be maintained across public organisations and information systems.

  • Common standards-based data models shall be used where appropriate.

  • Data shall have a single authoritative source (Single Source of Truth) wherever practicable.

  • Business logic shall not be embedded in databases.

  • Direct database connections between systems shall be avoided.

5. Minimising Risk During Modernisation

  • Business processes shall be redesigned before software development or procurement decisions are made.

  • Business processes shall be modernised incrementally rather than through a single large-scale implementation.

  • New business functionality shall not be incorporated into legacy information systems unless there is a compelling operational need to do so.

  • New functionality shall be developed outside the legacy information system and integrated through well-defined Application Programming Interfaces (APIs).

  • Functionality shall be migrated progressively to modern solutions.

  • Each solution should have a clearly defined service boundary and well-defined responsibilities.

  • Closed or proprietary solutions that hinder interoperability shall be avoided.

  • Business operations shall remain uninterrupted throughout the modernisation process.

  • Changes shall not disrupt existing functionality.

  • Large-scale, complete system rewrites that introduce significant implementation risk shall be avoided.

6. Monitoring and Documentation

  • The system architecture, service layer and integrations between systems shall be documented.

  • Application Programming Interfaces (APIs) shall be documented in accordance with Digital Iceland's current guidelines.

  • Data models and ownership of key data assets shall be defined and documented.

  • System integrations shall be tested regularly to ensure that changes do not affect interoperability or service delivery.

  • Centralised monitoring shall be implemented through logging, metrics and alerting.

  • Regular health checks shall be defined for critical services.

  • Traceability of incidents, changes and service requests shall be ensured.

7. Software Delivery and Version Management

  • Version management shall be applied to Application Programming Interfaces (APIs) and services.

  • Standardised data exchange interfaces between systems shall be defined. Any changes to these interfaces shall follow a formal change management process.

  • Version numbers shall be used for all releases to ensure traceability.

  • All changes shall be deployed through a defined and automated release process and a Continuous Integration/Continuous Delivery (CI/CD) pipeline, where appropriate.

  • Separate environments shall be maintained for development, testing and production.

  • Changes shall be capable of being safely rolled back where necessary.

  • For commercial off-the-shelf (COTS) software, a controlled process shall be established for software updates, testing and deployment.

8. User Access Management

  • Standardised authentication based on recognised open standards shall be used.

  • Internal systems shall use a centralised identity service that complies with government requirements for authentication and access management.

  • Role-Based Access Control (RBAC) shall be implemented.

  • Access permissions shall be assigned based on roles or groups rather than individual users.

  • Users shall be granted only the access permissions necessary to perform their assigned responsibilities (principle of least privilege).

  • User access shall be traceable, auditable and time-limited where required by the nature of the work or operational circumstances.

9. Information Security

  • Digital Iceland's current information security guidelines, together with all other applicable legislation, regulations and policies governing government information systems, shall be followed.

  • Information security requirements shall be incorporated into the design, development, implementation and operation of software from the outset of each project (Security by Design).

  • Information shall be classified in accordance with the Government of Iceland's information classification requirements.

  • Personal data and other sensitive information shall be protected in accordance with applicable legislation and regulations.

  • Encryption shall be used for the transmission and storage of information where appropriate.

  • Regular risk assessments and security audits shall be carried out for information systems and services.

  • Security incidents shall be recorded, reported and managed in accordance with established incident response procedures.

10. Operating Environment

  • For commercial off-the-shelf (COTS) software, the operating environment and deployment process shall meet standards for automation, security and operational reliability equivalent to those applied to custom-developed software.

  • Government institutions and other public bodies are responsible for their operating environments. Where appropriate, new solutions shall utilise modern operating environments, such as container-based environments.

  • Infrastructure as Code (IaC) shall be used where appropriate.

  • Automated deployment and consistent configuration of operating environments shall be implemented where appropriate.

  • Automated and standardised deployment processes shall be used in production to facilitate consistent and repeatable deployments whenever required.

11. Service Management

  • Service Level Agreements (SLAs) shall be defined for all critical services.

  • A service owner shall be designated for each service and its operation.

  • Defined service management processes shall be established for operations, change management and incident management.

  • The performance, availability and quality of critical services shall be monitored on a regular basis.

  • Service levels shall be reviewed regularly, taking into account user needs, security requirements and operational experience.

12. Governance and Accountability

  • Accountability for the strategy, architecture, development, operation and modernisation of each information system shall be clearly defined.

  • An architecture board shall be established or designated to assess whether new solutions are aligned with the technical guidelines and the organisation's future IT strategy.

  • All new solutions and major changes shall undergo a technical assessment before development or procurement begins.

  • Security assessments and Data Protection Impact Assessments (DPIAs) shall be carried out where required by the nature of the project.

  • Compliance with the technical principles and guidelines, Digital Iceland's policies, and its shared digital infrastructure shall be ensured before investment is made in new solutions.

  • The status of information systems shall be reviewed regularly, and their modernisation shall be prioritised based on risk, operational requirements and expected benefits.

13. Performance Metrics

  • Performance metrics shall be defined at the outset of each modernisation project.

  • Performance metrics shall be reviewed regularly, and the results shall be used to prioritise future modernisation initiatives.

14. Use of Artificial Intelligence in Software Development

  • The use of artificial intelligence (AI) in the development, operation and modernisation of software shall comply with Digital Iceland's current guidelines on the use of AI in software development.

  • The impact of AI on security, privacy, traceability and software quality shall be assessed before it is introduced.

  • The use of AI shall be transparent, traceable and subject to appropriate human oversight.

  • AI solutions shall comply with the defined architecture, the Government of Iceland's shared digital infrastructure, and the applicable technical principles and guidelines.

Concluding Remarks

The purpose of these guidelines and principles is to ensure that the modernisation of government information systems is carried out in a secure and cost-effective manner through well-defined phases. By doing so, risks are reduced, interoperability is strengthened, and the foundation is laid for a flexible and sustainable digital ecosystem across the Icelandic public sector.

These guidelines build on, support and refer to the policies, terms and technical guidelines of the Ministry of Finance and Economic Affairs and Digital Iceland, as applicable. Where such policies and guidelines exist, they shall be followed. This document further defines the principles and technical guidance that specifically support the modernisation of legacy information systems across the public sector.

These principles and guidelines shall be reviewed regularly to reflect the continued evolution of Digital Iceland's shared digital infrastructure, policies and technical guidelines, ensuring that they remain aligned with the ongoing development of digital government and information technology in Iceland.

See more about policies, terms and guidelines of Digital Iceland.