Implementing a Risk-based Approach to Office 365 (SharePoint Online) Validation

Life Science companies are increasingly interested in utilizing cloud services, and many are shifting to services such as SharePoint Online for managing regulated content. While moving to the cloud presents several advantages, validating Office 365, and SharePoint Online in particular, remains a concern for many life science organizations.

In the following article, we explore how these organizations can apply a risk-based approach to validating Office 365 (and SharePoint Online).

Expert Tip: Before moving to the cloud, make sure that this is the right option for your organization.  As part of your decision-making process, it may help to look at other Life Science companies who have successfully implemented cloud-based technologies.


Defining the Intended Use

In order to properly evaluate the risk associated with using SharePoint Online, it is important to first define the intended use. How you plan to use the system for managing documentation will dictate the need for validation and the extent of validation testing performed.  When specifying the system’s intended use, consider the following:

  • Will the system be used to manage/ store electronic records that are required by GxP regulations?
  • Which GxP regulations are these electronic records subject to?
  • What SharePoint functionalities will be used to manage these records (e.g. audit trail, versioning, retention)?

The system’s intended use also depends on how the end users will use the system. Collaborate with key stakeholders and subject matter experts to develop requirements detailing the end user’s business needs and expectations for the system.

Once the intended use is defined, you should issue a documented system description. This system description details how your SharePoint Online environment will be used and should be updated if the system evolves over time.

Expert Tip: Requirements and the system description are deliverables that are produced at the beginning of a validation project.  Define the scope of the validation and all the associated activities in a validation plan.


Perform a Regulatory Impact Assessment

As you complete the analysis and generate the system description, you’ll find that this information can also be helpful as you conduct a regulatory impact assessment. This assessment serves to identify the applicable regulatory requirements and to outline the technical and procedural controls needed to ensure that these regulations are respected.

In addition to considering the regulatory impact, you should also assess the level of risk associated with the system, by evaluating the risk the system poses to patient safety, product quality and data integrity.


Conduct a Vendor Assessment

The regulatory impact and risk assessments are complemented by an evaluation of the supplier, in this case, Microsoft. You should perform this evaluation in accordance with internal procedures governing vendor assessments.

The goal of this vendor assessment is to formally demonstrate that you have done your due diligence on the supplier. Your evaluation should be focused on the controls that the supplier has in place to deliver the expected level and quality of service, including their ability to meet the system requirements.

Expert Tip:  When assessing Microsoft as a vendor, you may find it useful to include a review of Microsoft’s compliance certifications and other resources available via Microsoft’s Trust Center.


Review & Verify the Requirements

Based on the system description you’ve created and the results of the regulatory impact and risk assessments, you should review the specified requirements to ensure that they are suitable for your system and account for any high-risk areas that were identified.

When using SharePoint Online to manage regulated electronic records, you will need to configure the out-of-the-box records management functionality you rely on, such as audit trails, versioning and retention. In SharePoint Online, audit events are captured by the Microsoft 365 audit log at the tenant level and are retained only for a finite period, so the configuration specification should record the audit settings and the procedure for exporting the log before it expires. You will also need to define functional specifications explaining how your system will be configured to meet requirements for records management, and develop a configuration specification in which the system settings are documented.

Expert Tip: The features offered in SharePoint Online may differ from those available in on-premises SharePoint Server, and cloud features change over time as Microsoft updates the service. Be sure to do your research or reach out to an expert to make sure that your SharePoint Online environment meets your business needs, and re-check the configuration specification against the service after significant updates.


Begin System Testing

At this point in the process, you are now ready to start testing the system. The requirements and specifications provide an objective standard to which the system can be tested.

Start by developing test scripts designed to verify that the requirements and specifications have been met. The extent of testing is based on the level of risk you identified for a specific function in the risk assessment. For example, test scripts for security features should include both positive and negative scenarios (a user with the required permission can edit or approve a record; a user without it is denied), because these features mitigate risks to data integrity.

Expert Tip: Since SharePoint Online is hosted in a cloud environment, the Installation Qualification (IQ) will primarily consist of verifying that the configuration specification was correctly implemented.


Test in Multiple Environments

When employing a risk-based approach to SharePoint Online validation, it is recommended to test in multiple environments to find and resolve any issues prior to implementing the live environment designated for day-to-day activities.

This method involves creating a separate testing environment and demonstrating via the Installation Qualification (IQ) that the environment was properly configured.  The test scripts demonstrating system functionality are subsequently executed in the testing environment prior to setting up the live environment.

Expert Tip:  In SharePoint Online, one way of segregating test data from production data is to create separate site collections for the testing and live environments. Both site collections still share the same tenant-level settings (for example, sharing and authentication policies), so a tenant-level change affects both and should go through change control; the IQ should record tenant-level and site-level settings separately.
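The following is an added example, not from the original article and not Microsoft's own tooling, of how the Installation Qualification described above can be scripted: it compares a documented configuration specification against the live tenant and against the separate test and live site collections, using the SharePoint Online Management Shell cmdlets Get-SPOTenant and Get-SPOSite. The tenant name, site URLs and expected values are constructed placeholders; which values your system requires is for your own configuration specification to define.

```powershell
# Added example: scripted IQ check of SharePoint Online settings against a
# configuration specification. Not from the original article.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and
# the caller holds the SharePoint Administrator role.
param(
    [string]$Tenant = 'contoso'   # assumption: replace with your tenant name
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

# Tenant-level configuration specification (constructed example values).
# Keys are Get-SPOTenant property names; values are what the CS requires.
$expectedTenant = @{
    SharingCapability                          = 'ExistingExternalUserSharingOnly'
    DefaultSharingLinkType                     = 'Internal'
    FileAnonymousLinkType                      = 'None'      # no anonymous file links
    FolderAnonymousLinkType                    = 'None'
    LegacyAuthProtocolsEnabled                 = $false      # block basic-auth clients
    RequireAcceptingAccountMatchInvitedAccount = $true
}

# Site-level specification: separate site collections for test and live data.
# URLs are constructed placeholders.
$expectedSites = @(
    @{ Url = "https://$Tenant.sharepoint.com/sites/QMS-TEST"; SharingCapability = 'Disabled' },
    @{ Url = "https://$Tenant.sharepoint.com/sites/QMS-PROD"; SharingCapability = 'Disabled' }
)

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param($Scope, $Setting, $Expected, $Actual)
    # Compare as strings so $true/'True' and enum values line up.
    $verdict = if ("$Expected" -eq "$Actual") { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{
        Scope    = $Scope
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Result   = $verdict
    })
}

# Tenant-level checks
$tenantConfig = Get-SPOTenant
foreach ($setting in $expectedTenant.Keys) {
    Add-Result -Scope 'Tenant' -Setting $setting `
        -Expected $expectedTenant[$setting] -Actual $tenantConfig.$setting
}

# Site-level checks: the site collection must exist and carry the expected sharing setting
foreach ($spec in $expectedSites) {
    $site = Get-SPOSite -Identity $spec.Url -ErrorAction SilentlyContinue
    if (-not $site) {
        Add-Result -Scope $spec.Url -Setting 'Exists' -Expected $true -Actual $false
        continue
    }
    Add-Result -Scope $spec.Url -Setting 'Exists' -Expected $true -Actual $true
    Add-Result -Scope $spec.Url -Setting 'SharingCapability' `
        -Expected $spec.SharingCapability -Actual $site.SharingCapability
}

# Evidence for the IQ record: who ran it, when, and every expected/actual pair.
"IQ check executed $(Get-Date -Format o) by $env:USERNAME"
$results | Format-Table -AutoSize
$failures = @($results | Where-Object Result -eq 'FAIL').Count
"Deviations: $failures"
exit $failures
```

The script exits with the number of deviations, so it can be run from a scheduled job as a periodic re-verification after the initial IQ; any FAIL row is a deviation to be recorded and resolved through change control, not silently corrected by the script.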


Establish Traceability

Develop a traceability matrix that defines the relationship between the requirements, functional specifications and the test scripts that demonstrate that the specifications have been met.  Include any procedural controls that are necessary to ensure that a specific requirement is met. If a requirement or specification is not explicitly tested, provide within the traceability matrix a rationale for forgoing testing that is tied to the risk of failure.

Expert Tip:  Summarize your validation effort and the results obtained in a Validation Summary Report. This report should demonstrate that the validation plan was followed and address any deviations from the initial plan. The approval of the report will authorize the release of the system for operational use.


To Conclude

While SharePoint Online offers life science organizations the ability to provide users with easy access to documents, as with any system, there are risks associated with its use. Properly evaluating these risks and implementing controls to mitigate them is crucial.

Applying a risk-based approach to validation ensures that the potential risks identified are taken into account when demonstrating that the system is fit for its intended use. This will allow your organization to benefit from the flexibility SharePoint Online offers while ensuring that records are maintained in a secure and compliant manner. Our Validation of SharePoint Toolkit will help you accelerate the validation of SharePoint Online and demonstrate compliance with the regulations.


About the Author: Chrysa Plagiannos
