Microsoft’s Office 365 ecosystem offers organizations unparalleled benefits when managing content in a secure cloud environment that is accessible to its users from virtually any device. For life science organizations using the cloud to manage and maintain regulated content, the transition to Office 365 can be a demanding and tedious task requiring the input of many stakeholders.
From a quality management perspective, a key concern for life science organizations is how to best perform a vendor assessment of cloud providers. A comprehensive vendor assessment is essentially a rigorous due diligence process to thoroughly investigate controls for GxP compliance and ensure that prospective cloud vendors meet regulations and standards.
In the following article, we'll examine our vendor assessment methodology outlined in more detail as well as the reasoning behind employing this approach for increasing compliance in the cloud.
Overview of Cloud Service Provider Vendor Assessment
The purpose of a vendor assessment is to evaluate a current or prospective vendor to ensure that the vendor’s standards and practices are in line with the Customer’s needs and expectations.
Life science organisations are ultimately responsible for demonstrating that systems used to manage regulated content comply with applicable regulations. However, due to the nature of the cloud environment, certain responsibilities pertaining to the system’s use and operation are shared between the Customer and cloud service provider.
Consequently, the vendor assessment of a cloud service provider, such as Microsoft, must consider regulatory requirements.
Resources Available for the Life Science Industry
Microsoft has shown that it is committed to supporting life science organizations as they transition to cloud-based solutions. With an abundance of helpful resources and tools available to Customers, it’s no surprise that Office 365 is utilized by 56% of organizations globally.
Office 365 Customers have access to the Microsoft Trust Center, a comprehensive repository of resources detailing Microsoft’s implementation and support processes for cloud products and services. The Trust Center has a companion feature, the Service Trust Portal, which allows cloud Customers to review audit reports verifying technical compliance and control requirements, such as SOC reports and ISO certification reports.
In the interest of transparency, Microsoft provides Customers with documentation pertaining not only to their internal processes but also to the results of objective evaluations of these processes by third-party auditors. We recommend utilizing these resources when assessing Office 365 to leverage information obtained through third-party audits available via SOC 2 reports and ISO certification reports.
The vendor assessment methodology is summarized below.
The controls evaluated by third-party auditors pertain to areas of interest for the vendor assessment process. For example, the Trust Services Principles (TSP) criteria employed in the SOC 2 framework addresses the security, availability and processing integrity of a service organization’s system as well as the confidentiality and privacy of information managed by the service organization.
These principles align with the considerations covered in regulations governing the management of electronic records, such as 21 CFR Part 11 and EU Annex 11. Independent auditors verify the effectiveness of the controls supporting the trust services criteria and results of these verifications are published in the SOC audit reports.
The practical advantage of leveraging third-party audit reports is to replace an on-site audit of the providers since cloud service providers do not generally allow for on-site audits due to security concerns involving the databases and infrastructure. Even if you feel an on-site audit is a necessary step for your organization, it’s important to re-align your expectations as the likelihood that such an activity is agreed by an enterprise cloud provider is slim – but as the old adage goes, there’s more than one way to cook an egg.
Vendor Assessment in Practice
Consider a life science organization utilizing Office 365 to manage GxP regulated content determines that its use of Office 365 must comply with 21 CFR Part 11.
If this organization (the Customer) were to apply the proposed approach to vendor assessment, it would review Part 11 requirements to assign responsibilities for meeting these requirements to the Customer and to Microsoft. The responsibilities attributed to Microsoft would then be mapped to controls addressed in reports issued by third-party auditors and for which the verifications of these controls by the auditors were successfully performed.
The example below pertains to the compliance of an Office 365 environment with Section 11.10 (c) of 21 CFR Part 11, and shared responsibilities between the Customer and Microsoft which relates to the protection of Customer records throughout their retention period.
Ensure that backup infrastructure and policies are in place and have been tested.
Ensure that record retention policies have been defined.
Ensure that mechanisms for Disaster Recovery and Business Continuity are in place and tested, should any issue arise with the Office 365 services subscribed to.
Data repatriation plan is in place and tested.
With existing uncertainty surrounding how vendor selection of cloud providers should be undertaken, Microsoft has developed numerous resources available to its life science Customers to assist in implementing Office 365 so that business needs, including regulatory concerns, are addressed. When planning to transition to the cloud, these resources can be leveraged by Customers when performing their due diligence and assessing Microsoft’s cloud products and services.
Montrium’s Professional Services team has worked on numerous projects in helping life science teams with their transition to Office 365 for supporting GxP content management. If you’d like to learn more on this subject, you can also participate in the Compliance Playbook webinar series where we’ll cover how to assess Microsoft as a vendor and develop a clear strategy for managing GxP content in Office 365 and SharePoint Online.
Was there a critical consideration you accounted for when performing your own vendor assessment that this article doesn’t cover? I invite you to comment below and tell us!