#PhUSE Cloud Services - A Framework for Adoption in the Regulated Life Sciences Industry - Slide 1
Presentation to PhUSE EU Connect 2018
Cloud Services -A Framework for Adoption in the Regulated Life Sciences Industry
November 2018
Anders Vidstrup -Senior IT Quality SME, NNIT A/S
Agenda
• Background
• Key issues
• Next steps
Background
• 2013/2014: Team formation, brainstorming, case-studies -> framework concept
• Three versions of concept paper submitted
• Version 4 is under revision, including appendices on:
– Cloud Terminology
– Cloud Audit Activities
– Cloud Case Stories
– Regulatory requirements and Cloud Solutions
4 Key Roles
• Cloud Service Customer: In the context of GxP, these are generally the organizations or entities that purchase/use the cloud services to support their GxP-regulated activities. They are generally billed for the cloud services they consume, and depending on the services requested (IaaS, PaaS, SaaS), their activities, use cases and GxP requirements may vary.
• Cloud Service Provider: Organizations or entities responsible for providing cloud services to customers. The activities that the cloud providers perform will vary depending on their particular service offerings and can include building, deploying, operating and maintaining the cloud apps, infrastructure and associated service layers.
• Cloud Service Broker: These are the organizations or entities that manage the configuration, delivery and use of cloud services on behalf of the cloud customer. For example, cloud managers may perform infrastructure change control activities on the infrastructure built using general purpose, commercial cloud services.
• Cloud Auditor: A cloud auditor is a party that is qualified to conduct assessments of the cloud provider and the cloud infrastructure underlying the IaaS, PaaS, SaaS services. The auditor may be an independent third party such as a third party assessment organization (3PAO) or can also be a member of the consumer, provider or manager organization.
Cloud “Supply Chains”
[Diagram, built up over slides 5 to 7: the Cloud Service Customer at one end, Cloud Service Providers at the PaaS/SaaS and IaaS layers, with a Cloud Service Broker and a Cloud Service Auditor alongside each provider link in the chain.]
Key issues right now
• Availability of data, and data integrity
• Facilitating compliance with GxP predicate rules in relation to supplier assessment/audits
• Contract with cloud service provider
• Inspection readiness
Availability of data, and data integrity
• Data loss and data breaches. Who is liable for damages from interruptions in service?
• Malicious insiders. How can users avoid vendor lock-in and exit if needed?
• Insecure interfaces and APIs
• Where is the data actually going to be physically located?
• Change management. What happens when providers decide to change their service?
[Callout: very often SOC 2 and other security-related reports are provided.]
Supplier assessment/audits
• Often a SOC 2 / ISO 27001 report is provided, but:
– ISO 9001 is the international standard that specifies requirements for a quality management system (QMS).
– ISO 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements.
ISO 9001 and 27001
• There is a difference between a quality approach and a security approach.
• The following clauses from ISO 9001:2015 are not covered by ISO 27001:2013, or there are no similar clauses in ISO 27001:
– Quality management principles (Introduction, clause 0.2)
– Process approach (Introduction, clause 0.3)
– Customer focus (Leadership, clause 5.1.2)
– People (Support, clause 7.1.2)
– Infrastructure (Support, clause 7.1.3)
– Environment for the operation of processes (Support, clause 7.1.4)
– Monitoring and measuring resources (Support, clause 7.1.5)
– Organisational knowledge (Support, clause 7.1.6)
– Release of products and services (Operation, clause 8.6)
– Control of nonconforming outputs (Operation, clause 8.7)
• Even though there is an overlap between the two standards, there is still a need for e.g. defining quality metrics, quality management review etc.
Inspection readiness
• The quality responsibility stays with the regulated company, regardless of whether activities are outsourced or cloud solutions are used.
• Support during inspections is expected if needed. Be aware of the following together with the Cloud Service Provider:
– Can documentation be provided, and how?
– Competency in answering an investigator’s questions
– Does the regulated company have a set-up to handle long-distance support from the Cloud Service Provider?
• How to handle inspection at Cloud Service Provider site?
• Prepare questions for:
– Data location
– Access control
– Back-up
– How contracts are monitored.
Next step
• Framework document in version 4 under final revision.
• Appendices on:
– Cloud Terminology – close to ready for internal review
– Cloud Audit Activities – under final revision
– Cloud Case Stories – we might need input
– Regulatory requirements and Cloud Solutions – close to ready for internal review
Thank you for your attention
Questions?