Microsoft Office 365 GxP Guidelines


White paper

DISCLAIMER

© 2019 Microsoft Corporation. All rights reserved. This document is provided "as-is". Information and views expressed in this document, including URL and other internet website references, may change without notice. In addition, for your convenience, this document references one or more Microsoft agreements and summarizes portions of such agreements. You should refer to the actual text in the most current version of the Microsoft agreements for the exact legal commitments.

This document does not constitute legal advice; you should consult your own counsel for legal guidance on your specific scenarios. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You bear the risk of using it.

April 2019

Foreword

Cloud computing is an essential part of every organization’s IT strategy. Life sciences and pharmaceutical companies are no exceptions. Across the board, innovative partners and customers in the life sciences industry have embraced Microsoft Office 365 as a critical engine for digital transformation—one that can shorten the time to market, and that has the potential to drive whole new categories of products and services.

Each year Microsoft invests billions of dollars in designing, building, and operating innovative cloud services. But trust is not a product – it’s a value that we must earn every day, every month, and every year. Microsoft cloud services are built around key tenets of security, privacy, transparency, and compliance, and we invest more each year to increase the confidence of our life sciences customers in Microsoft cloud services.

With millions of systems in hundreds of facilities around the planet, Microsoft has a deep understanding of standardized policies and procedures, and how to ensure predictable outcomes and manage risk at extreme scale.

Microsoft enterprise cloud services undergo regular independent third-party SOC 1 Type 2 and SOC 2 Type 2 audits and are certified according to ISO/IEC 27001 and ISO/IEC 27018 standards. Although these regular audits and certifications do not specifically focus on FDA regulatory compliance, their purpose and objectives are similar in nature to those of CFR Title 21 Part 11, and serve to help ensure the confidentiality, integrity, and availability of data stored in Microsoft cloud services.

In addition, guidelines for Microsoft Azure and Microsoft Office 365 provide a detailed explanation of how Microsoft audit controls correspond to the requirements of CFR Title 21 Part 11, guidance for implementing an FDA qualification strategy, and a description of areas of shared responsibility. We continue to make it easier for life sciences organizations to use Microsoft cloud services in their application portfolios, and this GxP guidance document is a key step toward that goal.

Although the ultimate responsibility for validating GxP applications remains with our customers and partners, no matter where those applications are hosted, this guide should help demonstrate that you can develop and operate GxP applications on Microsoft Office 365 with confidence and remain compliant while using Microsoft cloud services.

On a related note, we think the policies and procedures outlined here are also helpful to organizations looking to achieve more with general change management. We’re proud of our pace of innovation. Helping our customers also means helping you learn to adapt to and adopt our updates and enhancements.

We look forward to working with you to help you achieve your digital transformation initiatives using Microsoft Office 365.

Chris McNulty – Sr. Product Manager, Microsoft 365
Microsoft Corporation
April 2019

Executive summary

This GxP guidance document embodies the continued focus and commitment of Microsoft to supporting the life sciences industry as it seeks to benefit from the full potential of cloud-based solutions. By leveraging Office 365 controls to help manage regulated GxP content, life sciences customers can configure the necessary protocols to help ensure the integrity and security of their data.

The purpose of this document is to demonstrate that, as a cloud solution provider, Microsoft has the necessary technical and procedural controls to maintain the Office 365 platform in a state of control by preserving the confidentiality, integrity, and availability of our customers’ data. This document identifies the shared responsibilities between Microsoft and our life sciences customers for meeting regulatory requirements, such as FDA 21 CFR Part 11 Electronic Records, Electronic Signatures (21 CFR Part 11), and EudraLex Volume 4 – Annex 11 Computerised Systems (Annex 11).

While considering the use of cloud technology to host GxP content, it is important for life sciences organizations to assess the adequacy of the cloud service provider’s processes and controls that help to assure the confidentiality, integrity, and availability of data that is stored in the cloud. When stored in Microsoft Office 365, customer data benefits from multiple layers of security and governance technologies, operational practices, and compliance policies to enforce data privacy and integrity at specific levels. This guidance document highlights the extensive controls implemented as part of Office 365’s internal development of security and quality practices, which help to ensure that the Office 365 platform meets its specifications and is maintained in a state of control. Office 365 procedural and technical controls are regularly audited and verified for effectiveness by independent third-party assessors.

Of equal importance are those processes and controls that must be implemented by Microsoft life sciences customers to ensure the integrity of GxP content. This guidance document includes recommendations based on proven practices of existing life sciences customers as well as industry standards for validation of GxP applications. By establishing a well-defined cloud strategy and robust governance model, customers can ensure the following:

- Risks associated with hosting GxP content in the cloud are identified and mitigated.
- Internal quality and information technology procedures are adapted for using cloud-based applications, and customer personnel are appropriately trained.
- Due diligence and assessment of the cloud service provider is performed.
- Systems are designed to preserve system resiliency, performance, data security, and confidentiality.
- Data integrity and compliance with regulatory requirements are verified.

By working together and focusing on their respective areas of expertise, Microsoft and its life sciences customers can help usher in a new era in which cloud-based GxP systems are no longer seen as a compliance risk, but rather as a safer, more efficient model for driving innovation and maintaining regulatory compliance.

Authors

The production of this GxP guidance document was driven by the Microsoft Office 365 product team and was developed in collaboration with several functional team members whose responsibilities include compliance, engineering, legal, life sciences, technology, strategy, and account management.

We collaborated with our longstanding life sciences industry partner, Montrium, to review internal Microsoft Office 365 quality and development practices and to provide expert guidance concerning industry best practices for cloud compliance and GxP computerized systems validation. Montrium is a highly regarded knowledge-based company that uses its deep understanding of GxP processes and technologies to help life sciences organizations improve processes and drive innovation while maintaining compliance with GxP regulations. Montrium works exclusively in the life sciences industry and has provided services to more than 150 life sciences organizations around the globe, including organizations in North America, Europe, and Asia. In producing this document, Montrium took advantage of the extensive practical experience gained while managing their SharePoint-based GxP solutions suite, which is currently used by their life sciences customers to support various GxP-regulated processes and records.

Table of contents

Foreword . 3
Executive summary . 5
Authors . 6
1 Introduction . 9
1.1 Purpose . 9
1.2 Document overview . 9
1.3 Audience and scope . 10
1.4 Key terms and definitions . 10
1.4.1 Customer . 10
1.4.2 GxP . 10
1.4.3 GxP regulations . 10
2 Overview of Microsoft Office 365 . 11
2.1 Establishing trust . 12
2.2 Office 365 certifications and attestations . 13
2.2.1 SOC 1 and SOC 2 . 14
2.2.2 ISO/IEC 27001:2013 . 15
2.2.3 ISO/IEC 27017:2015 . 15
2.2.4 ISO/IEC 27018:2014 . 15
2.2.5 HITRUST . 16
2.2.6 FedRAMP . 16
2.3 Office 365 Quality and Secure Development Life Cycle . 16
2.3.1 Roles and responsibilities . 17
2.3.2 Policies and standard operating procedures . 17
2.3.3 Microsoft personnel and contractor training . 18
2.3.4 Risk Management . 18
2.3.5 Design and development of Office 365 services . 19
2.3.6 Operations management . 20
3 Implementing an Office 365 GxP compliance lifecycle . 23
3.1 Office 365 governance recommendations . 24
3.1.1 Data integrity shared responsibilities . 24
3.1.2 Service agreements . 27
3.1.3 Governance policies and procedures . 28
3.2 Considerations for FDA 21 CFR Part 11 compliance . 34
3.3 Considerations for the validation of GxP applications . 36
3.3.1 GAMP 5 Software Category . 37
3.3.2 Application Stakeholders . 37
3.3.3 Computerized system life cycle approach . 38
4 Conclusion . 47
5 Document Revision . 47
6 References .
