
GxP Compliance starts with proper vendor assessments – and here’s how you can do it effectively even remotely

Welcome back. As we continue to build up your secure, resilient, and compliant environment, we now must cover another foundational and required step: the vendor assessment. Conducting these assessments is a mandatory regulatory requirement; the physical audit, however, is not mandatory.

The need for analytics, high-capacity storage, and increased computing power has expanded the need for data handling, analytics tools, and applications that only the cloud can support.

Also, in response to the COVID-19 pandemic, pharmaceutical and life science organizations are looking into new methods for assessing a cloud vendor without physically visiting their datacenters.

In this article, we’ll cover how the offerings we have at Microsoft serve as a resource for you to save time while conducting your vendor assessment, and why our openness to compliance sets us apart.

Vendor Compliance

When considering a vendor and compliance, it’s important to understand that the cloud builds on the shared responsibility model. That model provides guidance on which party owns which controls and helps you understand which documents are needed for compliance reporting.

Figure 1: The shared responsibility model

Regardless of the type of deployment, there are responsibilities that are always retained by Microsoft, including datacenter building access, physical hosts, and physical networks. The data, endpoints, account, and access management are always retained by the customer. This means that you need to have controls in place to protect the security of your data and identities. It’s also important to have documented evidence ready at all times to show how you govern those assets.

Microsoft offers you the platform and tools to help build a secure, resilient, and available environment. These tools can also assist in building reports that demonstrate continuous compliance. We will be taking a closer look at some of these tools, like the Azure Cloud Adoption Framework and enterprise scale landing zone.

As mentioned in the previous blog post on GxP guidelines, physical security is a vital security layer to consider. Microsoft takes numerous measures to ensure that our infrastructure is secure. We also recently published a virtual tour around our datacenters that gives insight into the Azure physical security layer.

Remote vendor assessment

Conducting a vendor assessment is a requirement for using third-party vendors. A vendor audit is optional. To produce a vendor assessment remotely, you must assess how to build quality, security, and integrity into your services. You also need to document the competencies and training records of staff and reliability of the services offered.

It’s necessary to have the appropriate controls and mitigations documented in the quality management system to help comply with regulatory expectations.

When deciding how deep the assessment needs to go, organizations must consider their vendor management process and the risk they have documented for outsourcing or using cloud services.

According to regulations, there are three levels of assessing vendors:

  • Basic assessment: A review of available information from the vendor.
  • Postal audit: Questions sent to the vendor in which detailed information about the vendor’s quality management system and business processes is requested.
  • On-site audit: A review of the vendor’s procedural controls and process documentation performed by an appointed auditor.

Special areas of interest in the vendor assessment would be:

  • The security of our facilities (e.g., human access restrictions)
  • Controls to protect hardware and devices (e.g., controls for destroying hardware)
  • Controls for human access
  • Availability of services

While an on-site audit is not allowed for security concerns and logistical reasons, Microsoft has contracted with third parties to do that inspection for you, making it easier for you to access the information to do a vendor assessment.

The above areas needed in the vendor assessment are all included in the audit cycle of our services and are also made available on the Microsoft Trust Center in SOC1/SOC2 reports, as well as our ISO/IEC 27001 certification report.

The SOC reports include the following areas:

  • Security
  • Availability
  • Integrity
  • Confidentiality
  • Privacy of personal information

To show full visibility, the audit report we make available also includes the findings for the controls that are being audited. Remember to look for the correct version (date covered by the report) and to check for the relevant bridge letter, if applicable.

The vendor assessments provide you with evidence, relevant to your own controls, of our quality standards and practices. Building solutions and using the cloud relies on trust, which we hope is established by our openness about security, process, and compliance, and by our dedication to showing that we have appropriate controls in place to secure and govern your foundational estate. That trust should give you confidence that you can build your solutions on Microsoft Clouds.

Several of our customers have done remote vendor assessments (desk-audit) using our available reports discussed in the previous blog. These are available on the Microsoft Trust Center Website.

We hope that the above information helps you in building your assessment and starting to leverage the tools and services we offer to build a compliant service inside your business or in your partnership.

As you read this, the next question you may be thinking is: how do I build the technical part to support this secure, resilient, and compliant environment?

What’s next

In a future post, we will look into building a foundation that has automation, good software development life cycle practices, standardization, and compliance at the core.

Infographic: Compliance is at the core of infrastructure architecture

A valuable resource for building a qualified foundation is the Microsoft Cloud Adoption Framework. We will dive into the how, with some operational examples of using the enterprise scale adoption of the framework, in later blog posts. A teaser can be found here.

The need for a true enterprise scale foundation is important because it offers the availability and control points, as well as the ability to deliver the services as infrastructure as code.

It’s important to familiarize yourself with infrastructure as code since it is needed to build compliance into the flow and to work with continuous validation across the cloud services that you wish to use or offer to your business.
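One way to put that continuous validation into practice is to check infrastructure-as-code templates for required control settings before anything is deployed, and to keep the result as the documented evidence the assessment expects. The following Python script is an added example, not code from the original post or from Microsoft's own tooling. It reads a constructed ARM-style template and checks every storage account for two settings chosen here as an illustration (`supportsHttpsTrafficOnly` and `minimumTlsVersion`, both real Azure storage-account properties); the control list, the sample template, and all resource names are assumptions for the example.

```python
import json

# Controls this example enforces on every storage account in a template.
# Chosen for illustration; a real quality management system would hold
# the authoritative list of controls and their justification.
REQUIRED_STORAGE_SETTINGS = {
    "supportsHttpsTrafficOnly": True,   # transport encryption in transit
    "minimumTlsVersion": "TLS1_2",      # no legacy TLS
}

# Constructed sample template (not from the post): one compliant storage
# account, one that still carries legacy settings, and an unrelated resource.
SAMPLE_TEMPLATE_JSON = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-04-01",
            "name": "labdatacompliant",
            "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-04-01",
            "name": "labdatalegacy",
            "properties": {"supportsHttpsTrafficOnly": False},
        },
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2021-04-01",
            "name": "labvault",
            "properties": {},
        },
    ],
})


def load_template(text):
    """Parse a template from its JSON text."""
    return json.loads(text)


def build_evidence(template):
    """Produce one evidence record per (storage account, control).

    Each record states the expected and observed value and a PASS/FAIL
    status, so the output can be retained as audit evidence rather than
    only used as a pipeline gate.
    """
    records = []
    for resource in template.get("resources", []):
        if resource.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = resource.get("properties", {})
        for control, expected in REQUIRED_STORAGE_SETTINGS.items():
            actual = props.get(control)  # None when the setting is absent
            records.append({
                "resource": resource.get("name", "<unnamed>"),
                "control": control,
                "expected": expected,
                "actual": actual,
                "status": "PASS" if actual == expected else "FAIL",
            })
    return records


def failing_controls(template):
    """Return only the evidence records that failed."""
    return [r for r in build_evidence(template) if r["status"] == "FAIL"]


def is_compliant(template):
    """True when every checked control passes; a pipeline can gate on this."""
    return not failing_controls(template)


def render_evidence(records):
    """Format evidence records as plain text for the assessment file."""
    lines = []
    for r in records:
        lines.append(f"{r['status']:4} {r['resource']:20} {r['control']:25} "
                     f"expected={r['expected']!r} actual={r['actual']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    template = load_template(SAMPLE_TEMPLATE_JSON)
    print(render_evidence(build_evidence(template)))
    print("compliant:", is_compliant(template))
```

A missing property is treated the same as a wrong one, because a template that simply omits `minimumTlsVersion` would otherwise pass while deploying the platform default; recording the observed value as `None` makes that gap visible in the evidence.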

Key takeaway

The need for governance and control has never been greater. At Microsoft, we try to build our services with that need in mind. Our products have high-quality coverage to give you the insight and control to build out the policies to support your secure environment.

Governance is important now that we look at infrastructure as code and low-code/no-code principles. That’s why we will also look at some examples of how you can establish good governance in your journey.

So, stick around as we continue to work our way through the next steps for GxP Cloud Compliance using Microsoft Cloud.
