Watch the ERP systems compliance and validation webinar!

Go to Webinar
(312) 207-5800

Cloud Infrastructure is the foundational support for the computing requirements of a cloud computing model. As migration to the cloud becomes increasingly prevalent, hyper-scale companies like Amazon Web Services (AWS), Microsoft Azure, and Google provide customized solutions that simplify the infrastructure layer in a cost-effective model. Once the cloud infrastructure is qualified, infinite GMP-regulated applications may be compliantly deployed on top of this layer at scale.

Compliance Responsibility

Organizations in the Life Sciences must ensure their systems adequately protect sensitive data. Consequently, companies choose private clouds provided by Amazon Web Services (AWS), Microsoft Azure, or Google to host their critical information. However, a private cloud does not ensure a compliant environment that meets regulatory standards.

The responsibility for US Food and Drug Administration (FDA) compliance in virtual private cloud (VPC) environments is shared. A customer will usually be responsible for their workloads, data, and other related components. The cloud provider will generally be responsible for physical component maintenance, security, and storage. These responsibilities can vary widely based on the cloud model. Understanding who is responsible for each infrastructure component is critical to maintaining effective compliance. Visit our Cloud Compliance services to find out more information. 

The following model characterizes the current best practices approach:

Breakdown of cloud GMP qualification and validation landscape.

Arbour Group Services

Industry standards evolve as new technologies emerge and become essential to your organization's processes. Arbour Group offers a Cloud Infrastructure Qualification Compliance methodology that ensures applicable compliance standards are met and your data is secure. Arbour provides clearly defined roles with the associated compliance responsibility. 

The Cloud Infrastructure Qualification process will incorporate identification of potential GMP impacts,  assessment of associated risks, and determination of testing rigor toward the development of the following deliverables:

  • Qualification Plan - Outlines the objectives, scope, approach, and responsibilities for qualification as well as requirements for ongoing change and records management
  • Requirements and Specifications - Describes the requirements and functions that the infrastructure must provide for GMP related areas
  • SOC Assessment & Customer End User Controls Test Protocols - Test protocols are developed to assess the SOC Reports provided by the cloud service organization and Complementary User Entity Controls (CUEC) as implemented by the end-user
  • Traceability Matrix - Verification of test coverage relative to the requirements and specifications for SOC Assessment reports and CUECs
  • Qualification Summary Report - Summarizes the results of qualification activities, including discrepancies, and provides a concluding statement to close the qualification phases 

Whether you are implementing Microsoft Azure, Google, or Amazon Web Services (AWS), Contact Arbour Group to discuss Cloud Infrastructure Qualification services.