Cloud Computing: Which Persons should participate in the Audit of a CSP and which Topics should be addressed?

Recommendation

13-15 December 2023

Computerised System Validation: GMP Compliant Documentation - Live Online Training

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 10: Which persons (functions) should participate in the audit of a CSP and which topics should (must) be addressed? Topic:  Requirements for Supplier Evaluation and Supplier Audits

According to the vote 1100202* the following applies:
Persons are to be included in the audit who are sufficiently experienced in this special technology. In principle, at least one person should come from IT. The lead auditor will normally come from quality assurance.

According to the vote the following topics should be addressed:

• Security of the data centre
• Server security
• Network security
• Application and platform security
• Data security
• Encryption and key management
• ID and rights management
• Selection and training of staff
• Validation and qualification
• External services and subcontractors
• Maintaining the validated state (change management, configuration management, patch management, monitoring and reporting, incident management)

*Zentralstelle der Länder für Gesundheitsschutz bei Arzneimitteln und Medizinprodukten - Vote V1100202 of the group of experts 11 "Anforderungen an die Aufbewahrung elektronischer Daten" (Requirements for the storage of electronic data) - only available in German.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart