As we move into the next generation of research & development, life sciences companies will continue to scale their use of electronic systems for strategic information sharing and collaboration to remain competitive. With cloud-based services becoming the norm in our daily personal lives, they will continue to gain traction in our professional environments with more and more critical business applications moving into the cloud.
To ensure a smooth transition into the cloud, life sciences companies must appropriately assess SaaS vendors and evaluate the risk of hosting GxP regulated applications. The basic principles of vendor assessment still apply to SaaS vendors, but the emphasis must be put on understanding the risks and having appropriate mitigation plans in place.
Once you’ve evaluated the potential risks, it’s time to begin your SaaS vendor assessment process. Below we have laid out the steps you should take to evaluate cloud vendors for SaaS-based GxP applications.
Step 1: Determine the controls that you need to have in place
Once you’ve determined the level of risk your company is ready to accept, you must ensure you have the tools needed to address those risks and determine the controls you expect the SaaS vendor to have in place. Here are some examples:
- Risk evaluation and mitigation strategies
- Defined vendor evaluation criteria tailored to a SaaS service/product you are assessing
- A vendor assessment process through which you can leverage vendor-provided evidence of compliance or perform formal due diligence on their quality system and processes through postal or onsite assessments
- Service Level or Quality Agreements defining the roles of each party. Ensure that agreements address business continuity scenarios and opt-out options.
- Compliance information from the vendor, in the case of systems with regulatory impact
- A validation strategy for the SaaS system that allows you to leverage SaaS vendor information/documents to demonstrate that their system is fit for its intended use
- Procedural controls to ensure that you address activities for which you are responsible
- Disaster recovery and business continuity plans
Step 2: Evaluate each vendor's ability to meet evaluation criteria
Now that you’ve identified the risks and controls that you expect to be in place, you can develop or adapt your vendor selection criteria to better assess SaaS vendors. As you go through your evaluation criteria, keep in mind the level of business and regulatory risk related to the SaaS application. You may use various methods to gather the information needed as part of this initial assessment:
- internet research and other information easily accessible to the public
- feedback from other customers
- knowledge and experience within your organization
We’ve put together a Cloud Vendor Assessment Checklist covering the typical criteria against which you should evaluate Life Science SaaS vendors.
Step 3: Compare evaluation results
As you compare the identified SaaS vendors, take into account that the lower the risk, the higher your tolerance for using SaaS applications, and the more flexible the need to meet all of your evaluation criteria becomes. An example would be a SaaS-based electronic document management system versus a SaaS-based pharmacovigilance system. The latter could potentially pose a threat to patient safety and therefore carries a higher risk than the document management system, which may only pose a risk of loss of electronic records. Conversely, the higher the risk, the lower your tolerance will be, and the more assurance you’ll need that your potential SaaS vendor can meet as many of your evaluation criteria as your need for control demands.
If during your review you identify gaps and corrective actions that would need to be implemented before you are comfortable moving forward with one of the SaaS vendors, you must verify and confirm that they are open to applying the corrective actions you’ve identified. You may also look at whether there are actions you can put in place yourself to address the SaaS vendor’s gaps.
Step 4: Determine further assessment requirements
After you’ve identified your short-list of SaaS vendors, you must determine if you require a more in-depth investigation of their controls. For those you wish to investigate further, you can look into some of the following options:
- Postal audit - provide the SaaS vendor with a more exploratory questionnaire to get a better sense of their organization, quality system, and product
- Onsite audit - set up an onsite formal assessment of the SaaS vendor’s controls
- If the SaaS vendor is not available for audit, you can ask whether they provide compliance documents that you could leverage as part of your qualification/validation process (compliance statements, standards-based audit reports such as ISO, SOC or SSAE reports)
For SaaS vendors that host their application with a 3rd party provider, you might want to ensure that they have, or will provide you with, agreements (e.g. Quality Agreement, SLA) which clearly define each party’s responsibilities towards your data.
Step 5: Document your process
Though this type of vendor presents a different set of risks to your organization, you are still required to provide documented evidence of the assessment, decision and rationale used to select your SaaS application vendor. You should look to incorporating the assessments and evaluations performed during this exercise into the documentation required by your existing vendor management process.