Cloud Computing: Common Certifications (e.g. ISO 27000 ff) and their Role in GxP

Recommendation

13-15 December 2023

Computerised System Validation: GMP Compliant Documentation - Live Online Training

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 6: Are common certifications (e.g., 27000ff) reliable evidence that a cloud service provider is suitable, or what requirements must a certification fulfill in order for it to play a role in the suitability of a CSP?- Requirements for Cloud Service Providers (CSP)

The fact that suppliers and service providers must have a quality assurance system is derived from EU-GMP Annex 11:

3.4 Quality system and audit information concerning suppliers or developers of software and systems used should be made available to inspectors upon request.

What kind of quality system it should be cannot be determined from Annex 11. However, German EFG 11 comments on this issue in their Votum V1100202 "Requirements for the retention of electronic data". It states:

In the following, requirements for the quality of the CSP and data integrity (for data in motion and at rest) are formulated, which are not explicitly found in the EU GMP Guideline in this way, but are considered reasonable from the point of view of EFG 11:

• CSPs that process confidential data or data with high availability requirements under their responsibility must have a certified ISMS (e.g., according to DIN 27001).

Whether this can be enforced from a legal perspective, however, remains to be seen.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart