
GxP compliance in cloud infrastructure

Aug 2022

home.kpmg/in
In this era of digital transformation, where artificial intelligence, virtual and augmented reality have garnered attention, cloud computing is proving to be the enabler for these technologies. Pharmaceutical, medical devices and biotech companies are increasingly exploring digital solutions to improve their drug development processes, supply chain, research, manufacturing of medicines and devices, etc.

Cloud infrastructure is based on a shared responsibility model, which eases the technical responsibilities of an organisation. The cost-effective pay-as-you-go solutions, computing scalability, advanced analytics and automation capability provided by cloud give it an edge over on-premises infrastructure.

Along with cloud, colocation data centres are also garnering interest, since the providers permit customers to use their own hardware and a configuration that meets their evolving requirements.

While these services have enamoured other industries, for the life sciences industry the uptake has been a little slower in comparison. This paper explores a phased approach to implementing GxP compliance in cloud infrastructure and colocation facilities. Areas that require attention and due diligence to meet the regulatory requirements have been highlighted.

1. Regulatory changes

As organisations are looking to implement next-generation technologies including cloud, the regulatory bodies are optimistic about ensuring compliance and data integrity. Agencies like the US FDA, EMA and MHRA are shifting focus to accelerate innovation and support the use of automation and emerging technologies in the design and manufacturing of drugs and medical devices.

FDA is publishing a new draft guidance, Computer Software Assurance (CSA) for Manufacturing, Operations and Quality System Software. These guidelines are expected to address existing barriers to technology adoption and encourage the use of automation tools and underlying IT solutions.

CSA attempts to shift focus to a critical thinking approach and is a green signal to encourage the use of automation and digitisation solutions, agile testing methods (unscripted testing and ad hoc testing) and leveraging vendor documentation. This approach would help shift companies' focus from rigid compliance measures to developing and sustaining a culture of innovation, implementation and adherence.

© 2022 KPMG Assurance and Consulting Services LLP, an Indian Limited Liability Partnership and a member firm of the KPMG global organization of independent member firms affiliated with
KPMG International Limited, a private English company limited by guarantee. All rights reserved.

2. Phased approach for cloud adoption

Onboarding the cloud infrastructure requires a phase-wise approach to ensure that all risks are considered, mitigation controls are implemented and the required evidence is documented for a smooth and compliant move to the cloud landscape.

Concept phase

During the initial stages, regulated organisations should assess the benefits of bringing in cloud solutions by weighing the risk and impact.

Typical deliverables - Quality Management System (Policies, Procedures, Templates), Training Records, Change Control, Vendor evaluation report

• Raise change control. Consider the following:
‒ High level risk
‒ Rollback plan
‒ Compliance documentation
‒ Timelines
• Revamp the Quality Management System to include the approach for moving to cloud-based IT infrastructure and solutions
• Select personnel with adequate experience
• Perform vendor evaluation based on (but not limited to) the following parameters:
‒ Market size and relevant experience
‒ Performance history
‒ System development life cycle practices
‒ Quality management system
‒ Available documentation
‒ Testing practices
‒ Data integrity practices
‒ Business continuity/disaster recovery
‒ Defect management
‒ Support and maintenance services
‒ Personnel trainings
‒ Third party management.

Planning phase

Moving to the cloud requires active planning and defining a clear strategy. Onboarding the right implementation partner, with skills in both the technical and the regulatory aspects of cloud, is essential.

Typical deliverables - Impact assessment, Project Plans, Qualification Plans

• Understand security strategy (capability gap assessment, roadmap, business case)
• Perform quality and regulatory assessment. Consider the following:
‒ GxP impact
‒ System classification
‒ ER/ES assessment (as applicable)
• Qualification strategy:
‒ Scope definition and responsibilities
‒ Lifecycle activities
‒ Deliverables and approvals
‒ Constraints and prerequisites
‒ Cloud security and compliance activities
‒ Overview of the planned architecture
‒ Training requirements.
• Consider the share of responsibilities between the customer and the cloud provider for each service model:

Models/Services | Customer Responsibility | Cloud Provider Responsibility
Software as a Service | Data access policies; End Devices; User identities | Applications; Network Access; Operating System; Network Infrastructure; Datacentre; Physical Host; System Patches
Platform as a Service | Data access policies; End Devices; User identities; Applications | Network Access; Physical Host; Network Infrastructure; Datacentre; Operating System; System Patches
Infrastructure as a Service | Data access policies; End Devices; User identities; Network Access; System Patches; Applications; Operating System | Physical Host; Network Infrastructure; Datacentre; System Patches
On premise | Data access policies; End Devices; User identities; Applications; Network Infrastructure; Datacentre; Operating System; Network Access; Physical Host; System Patches | -


Risk management phase

During the risk management phase, the GxP impact and associated risks are to be identified and mitigated through a controlled and secure architecture. SLAs are to be defined and verified during validation testing of the cloud infrastructure.

Typical deliverables - Infrastructure risk assessment, Test plans.

• For the key risk areas, identify the required mitigation controls
• Assess severity, predictability and detectability of risks
• Identify SLAs to reduce risks of shared responsibilities based on (but not limited to) -
‒ Responsibilities
‒ Up time / Down time
‒ Backup and recovery
‒ Security
‒ Data Storage Location
‒ Performance Monitoring
‒ Service Termination
‒ Compliance management
• Assess cloud security programme risks:
‒ Information and Privacy Protection
‒ Identity and Access Management
‒ Incident and Crisis Management
‒ Threat and Vulnerability
• Identify mitigation actions to reduce risks for technical controls
• Consider design requirements and update/make changes to the design specification
• Define the scope of testing needed based on the risks identified
• Create test plan.

Specification and Design phase

Based on the risks identified, the architecture of the cloud infrastructure should be assessed and specifications documented based on the components selected. The deployment model should consider all the security risks, the procedural and technical controls needed and the continuous monitoring mechanisms.

Typical deliverables - Infrastructure requirements specification, Design specification

• Specify controls and responsibilities based on the service/platform models
‒ Personnel and SOD controls
‒ Controls to manage risks and adhere to regulations
‒ Specify service models to fulfil the business operations
‒ Platform components - Clients/Applications.
• Design high-level cloud architecture covering all the relevant sources of requirements, Data Management, Platform Backup, and storage design
• Specify deployment models
• Secure deployment approach
• Specify and design end-to-end security, risk and compliance framework:
‒ Design security controls
‒ Specify and manage risks
‒ Design compliance aspects
‒ Specify configurations.
• Design and integrate cloud-native controls and configure policies for each service
‒ Integrate and configure cloud native controls
‒ Policies and procedures
‒ Specify SLA with cloud platform provider.
• Define procedural / technical controls for the following GxP areas -
‒ User identity and access management
‒ Audit trails
‒ Data integrity
‒ Network security
‒ High availability
‒ Backup restoration
‒ Business continuity management
‒ Performance monitoring
‒ Incident management
‒ Change control and configuration
‒ Archiving and retrieval
• Define data migration activities and requirements (if applicable)


• Define automated cloud monitoring mechanism:
‒ Set up user access and health check-up logs
‒ Define events and set a detect mechanism
‒ Build alerts triggered based on events
‒ Set mechanism to notify the administrative group.

Testing phase

To provide assurance, testing needs to be performed against the specifications. In a cloud landscape, it is not possible to verify some of the vendor-managed infrastructure components. Existing certification and audit reports provided by the cloud service providers need to be referred to, and the availability of adequate controls verified.

Typical deliverables - Qualification protocols, Test reporting, Traceability

• Author and execute qualification protocols
• Verify if the services and cloud components configured are as per the design specification and expected policies. Scope covers (but is not limited to) the following:
‒ Server configuration
‒ Storage services
‒ Network components
‒ Security components
‒ Logs
‒ Access components.
• Verify the results of vendor audits and assess the availability of procedural and technical controls. The following certifications/reports may be referred to: ISO 22301, NIST 800-171, ISO/IEC 27001, SOC Reports, ISO 27017, ISO/IEC 27018, FedRAMP
• Verify if the services and cloud components are operating as per the design specifications. Scope covers (but is not limited to) the following:
‒ Verification of key management
‒ Verification of security settings
‒ Challenge testing of access controls
‒ Challenge testing of firewall features
‒ Verification of time synchronisation
‒ Verification of response time and network connectivity.
• Verify if application migration (if applicable) is performed correctly. Scope covers (but is not limited to) the following:
‒ Verification of data transfer
‒ Verification of adequate access controls
‒ Verification of critical functionalities (regression testing based on risk)
• Raise defects (if any), perform retesting and track defects for closure
• Maintain traceability between requirements and test protocols.

Reporting phase

All the qualification activities performed for the implementation should be summarised and kept ready in a controlled manner as defined by the organisation's document management procedure. This includes consolidation of all documents, including SLAs and SOPs, to maintain the qualified configuration state of the cloud setup.

Typical deliverables - Test results, Defect summary reports, Qualification summary reports, SOPs to maintain compliance

• Summarise the test results in test summary reports
• Summarise the defects raised during testing in the defect summary report
• Summarise qualification activities along with deviations from the initial qualification plan (if any)
• Define SOPs to maintain operational compliance of the infrastructure
‒ User access management
‒ Audit trail review
‒ Records retention
‒ Incident and problem management
‒ Backup and restoration
‒ Business continuity management
‒ Performance monitoring
‒ Incident management
‒ Change control and configuration
‒ Archiving and retrieval.
• Consolidate all the documents required to provide assurance during any regulatory inspection

Operational phase

When the cloud setup is up and running, adequate controls must be enabled for proper monitoring. Changes pushed by the cloud service provider need to be controlled, and regular assessment of vendor audit reports is to be performed.

Typical deliverables - Reports of vendor's continuous monitoring, organisation's operational review reports, organisation's periodic review reports

• Perform operational maintenance activities as per the defined SOPs
• Review infrastructure and services under the regulated organisation's control
‒ Perform operational reviews for change requests, incidents, user access, audit trail and others at a defined periodicity based on GxP risk
‒ Perform periodic review of the compliance state of the complete data structure/infrastructure components as per the organisational QMS and GxP criticality
• Review infrastructure and services under the vendor's control
‒ Perform continuous monitoring of the automated alerts with daily reporting
‒ Review vendor audit reports and certifications on a quarterly/half-yearly/yearly basis to assess the compliance state
‒ Review and revise SLAs based on any changes made to the infrastructure components or changes in business requirements.

Maintaining changes in a regulated environment

One of the key concerns for regulated organisations is controlling the regular changes and upgrades in the cloud services. Any feature is expected to be prospectively validated before being used in a GxP environment; hence additional measures are needed.

Continuous regression testing

• Identify key functionalities and regulatory requirements (audit trail, system security, password protection etc.) to be met by the system
• Maintain a separate test environment for testing deployments
• Use automation techniques to validate the system continuously for intended use
• Review and maintain reports.

Monitoring upcoming changes

Service providers should inform the regulated organisations of upcoming changes and should have the major upgrades listed well in advance. SLAs should be put in place to restrict the number of releases in a time frame, and the availability and adequacy of the SLAs should be verified during validation testing.

Compliance in a DevOps model

DevOps implementation is gaining traction in IT organisations and can be utilised by life sciences organisations to stay compliant and support shorter validation cycles. Traditional validation practices with agile methodology required creating and deploying code in small packages that are created in the development environment, tested in the quality environment, and deployed to the production environment, followed by the next sprint. The DevOps approach ensures that compliance and security concerns are dealt with in the early stages of development.
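The design phase above asks for an automated monitoring mechanism (define events, set a detect mechanism, build alerts triggered by events, notify the administrative group), and the operational phase for continuous monitoring of the automated alerts with daily reporting. The Python script below is an added example, not code from the KPMG paper or from any cloud provider, showing the shape of such a mechanism over constructed audit-log lines; the log format, the event names, the five-failures-within-five-minutes threshold and the list standing in for the notification channel are all assumptions.

```python
"""Added example (not from the KPMG paper): event detection and alerting over
audit-log lines. Log format, event names, thresholds and the notification sink
are assumptions; a real deployment reads the cloud provider's audit trail and
delivers alerts through the organisation's ticketing or paging system.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log lines: ISO timestamp, actor, action, outcome, target.
SAMPLE_LOG = """\
2022-08-15T08:00:01Z qa-admin CONSOLE_LOGIN SUCCESS -
2022-08-15T08:02:10Z svc-etl CONSOLE_LOGIN FAILURE -
2022-08-15T08:02:31Z svc-etl CONSOLE_LOGIN FAILURE -
2022-08-15T08:02:55Z svc-etl CONSOLE_LOGIN FAILURE -
2022-08-15T08:03:20Z svc-etl CONSOLE_LOGIN FAILURE -
2022-08-15T08:03:44Z svc-etl CONSOLE_LOGIN FAILURE -
2022-08-15T09:15:00Z infra-admin STOP_LOGGING SUCCESS trail/gxp-audit
2022-08-15T10:40:12Z infra-admin ATTACH_ROLE_POLICY SUCCESS role/lims-app:AdministratorAccess
2022-08-15T11:05:00Z analyst GET_OBJECT SUCCESS bucket/gxp-batch-records/lot-4711.pdf
"""


@dataclass(frozen=True)
class LogEvent:
    ts: datetime
    actor: str
    action: str
    outcome: str
    target: str


@dataclass(frozen=True)
class Alert:
    severity: str   # "HIGH" or "MEDIUM"
    rule: str
    actor: str
    detail: str


def parse_log(text: str) -> list[LogEvent]:
    """Parse the constructed space-separated format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(LogEvent(ts, parts[1], parts[2], parts[3], parts[4]))
    return events


# Event definitions ("define events and set a detect mechanism"); all assumed values.
FAILED_LOGIN_THRESHOLD = 5                  # 5 failed logins ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
AUDIT_TRAIL_ACTIONS = {"STOP_LOGGING", "DELETE_TRAIL"}        # the GxP audit trail must stay on
PRIVILEGE_ACTIONS = {"ATTACH_ROLE_POLICY", "ADD_USER_TO_GROUP"}  # privilege changes need review


def detect(events: list[LogEvent]) -> list[Alert]:
    """Walk the events in order and build alerts for the defined conditions."""
    alerts: list[Alert] = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    already_alerted: set[str] = set()
    for e in events:
        if e.action == "CONSOLE_LOGIN" and e.outcome == "FAILURE":
            failures[e.actor].append(e.ts)
            # sliding window: keep only failures close enough to the current one
            failures[e.actor] = [t for t in failures[e.actor] if e.ts - t <= FAILED_LOGIN_WINDOW]
            if len(failures[e.actor]) >= FAILED_LOGIN_THRESHOLD and e.actor not in already_alerted:
                alerts.append(Alert("MEDIUM", "repeated-login-failure", e.actor,
                                    f"{len(failures[e.actor])} failures within {FAILED_LOGIN_WINDOW}"))
                already_alerted.add(e.actor)   # one alert per actor per run, not one per failure
        elif e.action in AUDIT_TRAIL_ACTIONS and e.outcome == "SUCCESS":
            alerts.append(Alert("HIGH", "audit-trail-disabled", e.actor, e.target))
        elif e.action in PRIVILEGE_ACTIONS and e.outcome == "SUCCESS":
            alerts.append(Alert("HIGH", "privilege-change", e.actor, e.target))
    return alerts


def notify(alerts: list[Alert], sink: list[str] | None = None) -> list[str]:
    """Format alerts as messages for the administrative group; the list is the assumed sink."""
    sink = [] if sink is None else sink
    for a in alerts:
        sink.append(f"[{a.severity}] {a.rule}: actor={a.actor} detail={a.detail}")
    return sink


def daily_report(alerts: list[Alert]) -> dict[str, int]:
    """Alert counts per rule, the input for the daily reporting on automated alerts."""
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for msg in notify(found):
        print(msg)
    print(daily_report(found))
```

The detector deliberately alerts once per actor for the login-failure rule, so a burst of failures produces a single ticket, while the audit-trail and privilege rules alert on every occurrence because each is a change that the operational review must see individually.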


3. Compliance risks in cloud adoption

Life sciences organisations operating in GxP areas like research and development are still
hesitant in embracing cloud technology. However, implementation of adequate controls and
compliance checkpoints can mitigate data integrity and security risks and help stay compliant.

Parameter: Application/data migration
Risk: Loss of data and lack of documented evidence when migrating traditional software, data, infrastructure and applications to cloud.
Mitigation:
• Identify required security control
• Leverage tools provided by cloud providers
• Run pre and post migration qualification tests.

Parameter: Data security
Risk: Lack of visibility about the exact location of data storage on cloud. Loss or leakage of data due to improper access management.
Mitigation:
• Identify GxP critical data and decide to use private, hybrid or public cloud
• Set adequate access controls for data and leverage leakage prevention tools
• Encrypt all data in transit and at rest with a proper encryption key rotation policy.

Parameter: Applicable data laws
Risk: Local laws, such as privacy laws and data localisation laws in Europe, may intervene when it comes to sharing of GxP critical or personal data outside the country.
Mitigation:
• Identify GxP and Non-GxP data that have data localisation restrictions
• Leverage distributed geographic locations of cloud service providers
• Assess the need of private cloud solutions.

Parameter: Lack of resources and expertise
Risk: Lack of trained internal resources on new processes and platforms in the cloud infrastructure can be a major challenge.
Mitigation:
• Understand the shared responsibility model and define required skillset
• Leverage third party providers for operations management
• Automate routine processes
• Build a culture of continuous learning in the firm.

Parameter: Overreliance on vendors
Risk: The selection of vendors and performance of third-party cloud vendors heavily impact the performance of the resources and the credibility of the organisation.
Mitigation:
• Identify the requirements and assess need of multi-cloud deployment
• Consider leveraging hybrid cloud deployment models.

Parameter: Governance and responsibility
Risk: Due to the shared responsibility, maintaining governance standards and providing assurance on operational compliance can become a challenge.
Mitigation:
• Understand the shared responsibility model of the cloud service provider
• Have proper SLAs and contracts in place to ensure governance commitment
• Create a cloud governance framework
• Ensure that an incident management plan is in place.

Parameter: Continuous change
Risk: The cloud model is continuously evolving with regular updates and patch fixes pushed by the cloud service provider. Regulatory bodies expect companies to provide documented verification of these changes.
Mitigation:
• Define SLAs and contracts towards service commitments
• Be up to date with the changes and perform periodic validations
• Perform continuous monitoring and have a periodic review framework in place.
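The "Data security" and "Continuous change" rows above (encryption at rest with a key rotation policy, adequate access controls, periodic validations with documented verification), like the testing-phase verification of configured components against the design specification, call for checks that can be re-run after every provider change and that leave a traceable record. The Python script below is an added example, not code from the KPMG paper or from any cloud provider; the requirement IDs DS-01 to DS-07, the configuration snapshot and the 90-day rotation limit are constructed assumptions standing in for an approved design specification and a configuration export.

```python
"""Added example (not from the KPMG paper): an automated qualification check that
compares a cloud configuration snapshot against design-specification requirements
and records a traceable PASS/FAIL per requirement.

Requirement IDs, resource names and the snapshot are constructed; in a real
qualification the snapshot is exported from the provider's configuration API and
the checks are taken from the approved Design Specification.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable

KEY_ROTATION_MAX_DAYS = 90   # assumed rotation policy from the design specification


@dataclass(frozen=True)
class Requirement:
    req_id: str
    component: str     # test-scope area: server, storage, network, security, logs, access
    description: str
    check: Callable[[dict[str, Any]], bool]   # True when the snapshot satisfies it


def _keys_rotated(cfg: dict[str, Any]) -> bool:
    """Every customer-managed key rotated within the policy window at the assessment date."""
    today = cfg["assessment_date"]
    return all((today - k["last_rotated"]).days <= KEY_ROTATION_MAX_DAYS for k in cfg["kms_keys"])


DESIGN_SPEC = [
    Requirement("DS-01", "Storage services", "GxP buckets encrypted at rest",
                lambda c: all(b["encrypted_at_rest"] for b in c["buckets"])),
    Requirement("DS-02", "Storage services", "No GxP bucket publicly readable",
                lambda c: not any(b["public"] for b in c["buckets"])),
    Requirement("DS-03", "Security components", "Encryption keys rotated per policy", _keys_rotated),
    Requirement("DS-04", "Logs", "Audit trail enabled, retention >= 365 days",
                lambda c: c["audit_log"]["enabled"] and c["audit_log"]["retention_days"] >= 365),
    Requirement("DS-05", "Access components", "MFA enforced on privileged accounts",
                lambda c: all(u["mfa"] for u in c["users"] if u["privileged"])),
    Requirement("DS-06", "Network components", "Admin ports not exposed to 0.0.0.0/0",
                lambda c: not any(r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389)
                                  for r in c["security_group_rules"])),
    Requirement("DS-07", "Server configuration", "Time synchronisation configured",
                lambda c: all(s["ntp_configured"] for s in c["servers"])),
]


@dataclass(frozen=True)
class TestResult:
    req_id: str
    component: str
    description: str
    passed: bool


def run_qualification(cfg: dict[str, Any], spec: list[Requirement] = DESIGN_SPEC) -> list[TestResult]:
    """Run every check; a missing or malformed setting counts as a failure, never as a pass."""
    results = []
    for req in spec:
        try:
            ok = bool(req.check(cfg))
        except (KeyError, TypeError):
            ok = False
        results.append(TestResult(req.req_id, req.component, req.description, ok))
    return results


def defects(results: list[TestResult]) -> list[str]:
    """Failed requirement IDs: the entries for the defect summary report."""
    return [r.req_id for r in results if not r.passed]


def traceability_matrix(results: list[TestResult]) -> dict[str, str]:
    """Requirement ID -> PASS/FAIL, the requirement-to-test traceability record."""
    return {r.req_id: "PASS" if r.passed else "FAIL" for r in results}


# Constructed configuration snapshot (sample data, not a real environment).
SAMPLE_CONFIG: dict[str, Any] = {
    "assessment_date": date(2022, 8, 15),
    "buckets": [{"name": "gxp-batch-records", "encrypted_at_rest": True, "public": False},
                {"name": "gxp-lims-exports", "encrypted_at_rest": True, "public": False}],
    "kms_keys": [{"id": "key-batch", "last_rotated": date(2022, 6, 1)},
                 {"id": "key-lims", "last_rotated": date(2022, 1, 10)}],   # stale key: deviation
    "audit_log": {"enabled": True, "retention_days": 400},
    "users": [{"name": "qa-admin", "privileged": True, "mfa": True},
              {"name": "infra-admin", "privileged": True, "mfa": False},   # no MFA: deviation
              {"name": "analyst", "privileged": False, "mfa": False}],
    "security_group_rules": [{"cidr": "10.0.0.0/8", "port": 22}, {"cidr": "0.0.0.0/0", "port": 443}],
    "servers": [{"name": "app-01", "ntp_configured": True}, {"name": "db-01", "ntp_configured": True}],
}

if __name__ == "__main__":
    res = run_qualification(SAMPLE_CONFIG)
    for r in res:
        print(f"{r.req_id} [{r.component}] {'PASS' if r.passed else 'FAIL'} - {r.description}")
    print("Defects for the defect summary report:", defects(res))
```

Because every check is keyed by a requirement ID, the same run produces both the test results and the traceability record, and re-running it after a provider change gives the documented verification that the "Continuous change" row asks for; treating a missing setting as a failure rather than a pass keeps a malformed export from silently qualifying the environment.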

4. Way forward

As cloud-based IT infrastructure is gradually adopted across the life sciences value chain, it is essential that the opportunities and threats associated with cloud implementation are well mapped and defined. If the path to cloud adoption is not a well thought out strategy and technology partners are not aligned with the company's objectives, it can lead to serious performance and compliance issues. However, when they are, it can open new avenues for implementing strategic and innovative solutions.

KPMG in India contacts:
Preeti Devi
Associate Partner
T: +919491257789
E: [email protected]

Sameen Ahmed
Associate Director
T: +919540751999
E: [email protected]

home.kpmg/in

Follow us on:
home.kpmg/in/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide
accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one
should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG Assurance and Consulting Services LLP, Lodha Excelus, Apollo Mills Compound, NM Joshi Marg, Mahalaxmi, Mumbai - 400 011 Phone: +91 22 3989 6000.


The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

This document is for e-communication only.
