First of all, when the application is developed, obviously people have to do testing and they have to do verification. Then, obviously, they have to make sure that it actually meets all the criteria. Only then does the IT security specialist authorize security for the applications.
There are many different aspects of developing applications. I'm not that familiar with the business and I don't do it personally, but there are different components of developing those applications.