May / June 2018

Mitigating Pharma Risk in the Cloud

Anna Maria Di Giorgio

ISPE's revised IT Infrastructure Control and Compliance Guide provides comprehensive guidance on regulatory expectations for both traditional and cloud-based IT platforms. Have we done enough?

That’s the question Stephen Ferrell, core team leader for the ISPE GAMP® Good Practice Guide: IT Infrastructure Control and Compliance (Second Edition), wants readers to ask themselves. IT infrastructure outsourcing, he says, has made risk mitigation particularly difficult.

“Because we are not allowed on-site audits of third-party suppliers, data and system verification rely more heavily on third-party certifications,” explains Ferrell, Vice President, Product Strategy, ByteGrid. “This GPG (good practice guide) explains how a company is exposed to risk in this new environment, and what to do about it.”

Stephen Ferrell

The advent of third-party suppliers and cloud services drove the revision of the GPG, which first appeared in 2005. At that time, recalls Ferrell, “people were buying their own servers and setting them up; they largely were contained within their own facility. They then subjected them to a quality assessment within their own ‘four walls.’ IT infrastructure was a low-risk proposition at that time because it was tangible: you could see it, you could touch it.”

The advent of the cloud changed all that. “You lose the ability to control the infrastructure and that really drove the revision,” he explained. The revised GPG expands the scope of the first edition to include guidance on the emergence of cloud and virtualized technologies. Information has also been added to reflect significant changes in the technologies that make up IT infrastructure, including:

  • Virtualization technologies that allow the sharing, combining, and maximization of resources
  • Cloud computing, including cloud-based infrastructure and three cloud-based service models: infrastructure as a service, platform as a service, and software as a service
  • GxP applications as a service 
  • Outsourcing and the increased use of third-party data centers

Ferrell acknowledges that most pharma companies have some form of cloud engagement, but for those that do not, the Guide serves as a road map and identifies risk-mitigation strategies. It tackles areas such as how to build your risk assessment, how to design your supplier qualification, how to structure your audit, and what questions you should ask.

IT Infrastructure Control and Compliance Guide

And for those already using the cloud, the Guide will help them assess whether their risk-mitigation efforts have been sufficient.

ISPE GAMP® Good Practice Guide: IT Infrastructure Control and Compliance (Second Edition)


GAMP® 5 Series: IT Infrastructure Compliance and Control

Guide Team Lead

Stephen R. Ferrell, CISA, CRISC, Vice President, Product Strategy, ByteGrid, USA

Guide Team Members

  • Ulrik Hjulmand-Lassen, Novo Nordisk A/S, Denmark
  • Shana D. Kinney, Canon BioMedical Ltd., US
  • Kevin C. Martin, Azzur Group, US
  • Ashish Moholkar, Novartis, US
  • René van Opstal, Van Opstal Consulting, Netherlands
  • Michael F. Osburn, Cornerstone OnDemand, US
  • Arthur “Randy” Perez, Novartis (retired), US
  • Mike Rutherford, Eli Lilly and Company, US
  • Jason Silva, ByteGrid, USA
  • Eric J. Staib, PRA Health Sciences, US
  • Anders Vidstrup, NNIT A/S, Denmark