
QUALIFICATION GUIDELINE

Qualification Guideline for Microsoft Azure


June 2014


Disclaimer:
This document is meant as a reference to Life Science companies in regards to the Microsoft Azure platform. Montrium does
not warrant that the use of the recommendations contained herein will result in a qualified system or that a system validated
on Azure in accordance with this document will be acceptable to regulatory authorities.
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web
site references, may change without notice.
Limitation of Liability:
In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be
liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages,
whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in
connection with the use of this information.

Montrium Inc.

Document No. MTM-MST-GDE-01 Revision 03

Authors
Michael Zwetkow, VP Operations, Montrium Inc.
Stephanie Tanguay, Quality Assurance Manager, Montrium Inc.
Paul Fenton, CEO, Montrium Inc.
Gabrielle Soucy, Sr. Business Analyst, Montrium Inc.


Foreword
Over the last few years, Microsoft has undertaken a major transformational effort to adopt a cloud-first
agile approach to delivering its software and services. There is increasing demand from our customers to
adopt our technologies and our Azure platform to take their businesses to the cloud. However, to refer
to a popular movie, with great power comes great responsibility. Cloud technologies will not be able to
fulfill their promise if they are not based on the premise of trust. In order to run a trustworthy service,
our cloud platform must meet the most stringent internationally recognized compliance standards, and
our own internal safety and security standards.
This guideline is part of a set of white papers designed to demonstrate Microsoft's strong commitment
to cloud and compliance, spanning the entire cloud continuum of Infrastructure as a Service (IaaS),
Platform as a Service (PaaS) and Software as a Service (SaaS).
At the end of the day, these are qualification guidelines and do not represent any guarantees from
Microsoft that your processes can be validated in any of the environments discussed or against any of
the regulations or standards discussed. Just like with on premise systems, the burden of validation
remains with the customer. That has not changed, as the spirit of the regulatory guidelines must be
preserved. However, when paired with the documentation referred to herein along with customer
evidence, these guidelines offer customers a starting point for their own compliance in the cloud
efforts, a starting point that may be furthered by the expertise Montrium has demonstrated in
producing these guidelines.
Gabor Fari, Director, Business Development and Strategy
Mohamed Ayad, Cloud Solution Specialist
Health & Life Sciences Industry Unit
Microsoft Corporation
June 2014


Executive Summary
The purpose of this document is to assist Microsoft's life science customers in establishing a
qualification strategy for Microsoft Azure. This guideline identifies the responsibilities shared by
Microsoft and its customers for meeting the regulatory requirements of FDA 21 CFR Part 11 "Electronic
Records; Electronic Signatures" (21 CFR Part 11) and EudraLex Volume 4 - Annex 11 "Computerised
Systems" (Annex 11).
The intended audience for this guideline is any regulated customer within the life sciences industry,
aiming to use the Azure platform to host GxP regulated computerized systems. It is assumed that these
regulated systems will support GxP activities and produce and/or manage electronic records.
Microsoft Azure is a cloud services operating system that serves as the development, service hosting
and service management environment for the Azure platform. The Azure platform is classified as a
public, off-premise, third-party managed solution which encompasses both Infrastructure as a Service
(IaaS) and Platform as a Service (PaaS) cloud service models. From the perspective of a regulated user
(customer), the Azure platform is considered to be Category 1 Infrastructure Software as defined by
GAMP5.
Traditionally GxP computerized systems have been deployed on specific servers either directly or
through the use of virtual machines. This underlying hardware was usually qualified, managed and
specifically identified as being part of a specific instance of a GxP computerized system. With cloud
computing this paradigm changes slightly. The Azure platform is composed of many hardware and
software components which all fall under the same controls that have been identified in this guideline.
Each time a new server or virtual machine is commissioned within the Azure platform it is done using
the same process and standards. When considering public cloud based systems it is important to view
the whole public cloud as one system upon which we are able to install and run GxP computerized
systems. Azure's high availability features could be leveraged as part of the customer's risk-based
qualification strategy as a means of mitigating risks surrounding management of underlying infrastructure
hardware. When the system is configured for high availability, the Azure Fabric Controller effectively
renders the hardware into a commodity and minimizes the risk associated with physical machine failure,
whether it is caused by faulty hardware, improper installation or as a result of a change to infrastructure.
This guideline will help companies develop a qualification strategy by providing references to the 21 CFR
Part 11 controls that are present within the Azure platform and that should be identified in customer
qualification documentation.
Microsoft Azure platform services have undergone SSAE 16 (SOC 1 and SOC 2) audits and are certified
according to ISO/IEC 27001:2005 standards. Although these standards do not specifically focus on
regulatory compliance, their objectives are very similar to those of 21 CFR Part 11 and Annex 11.
Montrium has therefore decided to leverage the reports produced by independent third party SSAE and
ISO auditors to identify the procedural and technical controls established at Microsoft that could be
used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was assumed that these audit
reports were generated by qualified third party auditors and that all information contained within the
reviewed audit reports was objective and accurate at the time of the audits. It is expected that
customers will perform an independent analysis and verification of relevant regulatory requirements to
determine if the computerized system supporting GxP activities installed within the Azure platform is fit
for its intended purpose. The customer must also ensure that the GxP computerized system will be
sufficiently documented and validated to further demonstrate compliance.
Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of
data stored on the Azure platform and correspond to the applicable regulatory requirements defined in
21 CFR Part 11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is
responsible for ensuring that the Azure platform meets the terms defined within the governing Service
Level Agreements (SLA). When new virtual machines (VM) are deployed within the Azure Platform, they
are created using the default configuration established by Microsoft. Microsoft is responsible for
ensuring the deployed VMs are capable of meeting the specifications and the terms of the SLA(s).
In addition to ensuring that computerized systems have the relevant technical controls outlined in the
assessment contained within the guideline, the customer is also responsible for ensuring adequate
procedural controls governing the use of the GxP computerized system are in place. These procedural
controls should cover the technical aspects of system management, including but not limited to logical
security, user management, data backup and recovery and disaster recovery. There should also be
procedural controls relating to the operation of the GxP computerized system. The customer should
determine the GxP requirements that apply to the computerized system based on its intended use and
follow internal procedures governing qualification and/or validation processes to demonstrate that the
GxP requirements are met.
In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural
and technical controls that Microsoft has implemented could serve to demonstrate that the Azure
platform is being maintained in a state of control that is in accordance with the applicable regulatory
requirements. Moreover, the customer may leverage the audited controls described in this document
and related audit reports as part of the risk analysis and qualification effort of their GxP computerized
system installed on the Azure platform.


Table of Contents
Authors
Foreword
Executive Summary
Table of Contents
1 Introduction
    1.1 Purpose
    1.2 Key Definitions
    1.3 Audience and Scope
    1.4 Methodology
    1.5 Assumptions
    1.6 Glossary
2 System Description
    2.1 Microsoft Azure Overview
    2.2 Microsoft Azure High Availability Features
    2.3 Global Foundation Services
    2.4 GAMP5 Category
    2.5 FDA Classification Open System vs Closed System
    2.6 Microsoft Audits and Certifications
    2.7 Microsoft Controls
3 Qualification Approach
    3.1 GAMP Qualification Phases
    3.2 Qualification Activities and Responsibilities
    3.3 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
    3.4 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment
Conclusion
References
Appendices
    Appendix A - Recommended Procedures / Policies
    Appendix B - Supplementary Information


1 Introduction

1.1 Purpose
The purpose of this document is to assist Microsoft's life science customers in establishing a
qualification strategy for Microsoft Azure. The guidance provided within this document is based
on the assumption that Microsoft's customers will utilize these services to host GxP computerized
systems.
This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the
regulations specified within Section 1.2. A summary is provided of the procedural and technical
controls which govern the Azure platform services and that can be leveraged by the regulated
user (customer) to demonstrate compliance with applicable regulatory requirements. Also
summarized within this guideline are recommended activities and controls that should be
established by customers in order to qualify and maintain control over the GxP computerized
systems installed on the Azure platform.
The qualification approach outlined within this guideline is based on industry best practices with
an emphasis on the concepts presented and described within ISPE's GAMP series of Good
Practice Guides (Ref. [8] & Ref. [9]) and PIC/S PI 011-3 Good Practices for Computerised Systems
in Regulated GxP Environments (Ref. [14]).

1.2 Key Definitions

1.2.1 GxP computerized system
A GxP computerized system is defined as a software application that will support activities and
records governed by regulations pertaining to GLP, GCP and GMP environments.

1.2.2 Customer
Within the context of this guideline, the customer is defined as any person or persons using a
GxP computerized system hosted on the Azure platform, who are responsible for the content of
the electronic records produced and/or managed within the GxP computerized system.

1.2.3 Customer Data on Storage

As per the Microsoft Azure Privacy Statement (Ref. [15]), "Customer Data is all the data,
including all text, sound, software or image files that you provide, or are provided on your
behalf, to us through your use of the Services." For example, Customer Data on Storage includes
data that customers upload for storage or processing in the Azure platform services, and
applications that the customer or the customer's end users upload for hosting in the Services. Customer
Data on Storage does not include configuration or technical settings and information. Microsoft
does not monitor or approve the applications that customers deploy to the Azure platform.
Microsoft does not claim ownership of the Data on Storage. The Microsoft Azure Agreement (Ref.
[16]) states: "Except for Software we license to you, as between the parties, you retain all right,
title and interest in and to Customer Data. We acquire no rights in Customer Data, other than
the right to host Customer Data on Microsoft systems, including the right to use and reproduce
Customer Data within Microsoft systems solely for such hosting purposes." Data security
beyond the access control mechanisms, including but not limited to fine-grained access controls
or encryption, is the responsibility of the customer.
1.2.4 Windows Azure and Microsoft Azure

On March 25, 2014, Microsoft announced that Windows Azure was renamed Microsoft Azure
starting on April 3, 2014 (Ref. [17]). Several references used to create this document were
created before the name change occurred and refer to Windows Azure. Throughout this
document, the terms "Windows Azure", "Microsoft Azure", "Azure platform", and "Azure" are
used interchangeably.

1.3 Audience and Scope

The intended audience for this guideline is any regulated customer within the life sciences
industry, aiming to use the Azure platform to host GxP regulated computerized systems. It is
assumed that these regulated systems will support GxP activities and produce and/or manage
electronic records. The specific GxP activities performed within the customer's GxP computerized
systems are not addressed in this guidance document, as the customer is responsible for defining
the requirements and evaluating the risk associated with each GxP computerized system installed
within the Azure platform.
The regulations within the scope of this qualification guidance document are limited to the
following:

- FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subpart A and B (Sec 11.10
  and Sec 11.30) (Ref. [7])¹
- EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [10])²

The Azure platform components which are within scope of this guideline are:

- Cloud Services (comprised of stateless Web, Worker and VM roles)
- Storage (includes Blobs, Queues, and Tables)
- Networking (includes Traffic Manager, Microsoft Azure Virtual Network)
- Virtual Network
- Virtual Machines

This guideline also covers the underlying infrastructure components provided by the Global
Foundation Services group upon which the Azure platform is delivered to Microsoft customers.

¹ 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not
provide electronic signature functionality as part of the above services.
² Although EudraLex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry
that the same principles are for the most part applicable to GCP and GLP systems.

1.4 Methodology
Microsoft Azure services have undergone SSAE 16 Service Organization Control (SOC) audits and
are also certified according to ISO/IEC 27001:2005 standards (see Section 2.6). Montrium has
leveraged the reports produced by independent third party auditors, to identify procedural and
technical controls established at Microsoft, which could be used to satisfy regulatory
requirements within US FDA 21 CFR Part 11 (Ref. [7]) and EudraLex Volume 4 - Annex 11 (Ref.
[10]). These controls are described in detail in Section 2.7. Montrium based the analysis on the
ISO and SSAE 16 standards, as they have similar objectives to 21 CFR Part 11 and EudraLex Volume
4 Annex 11 in relation to controls for computerized systems.
The qualification approach described in Section 3 summarizes the activities and responsibilities
shared between the regulated user (customer) and the cloud service provider (Microsoft) to
qualify the system against the relevant regulatory requirements. A detailed assessment (see
Sections 3.2.2 and 3.4) was performed on each regulatory requirement to interpret how
compliance could be achieved within the context of a hosted GxP computerized system installed
on the Azure platform. The assessment described the responsibilities of the customer and
Microsoft, as well as the activities, documentation and controls (technical/procedural) that are
required to meet the regulatory requirement.

1.5 Assumptions
The contents of this document are based on these assumptions:

- Audit reports listed in Section 2.6 were generated by qualified third party auditors.
- All information contained within the reviewed audit reports was objective and accurate at
  the time of the audits.
- Customers will perform an independent analysis and verification of related regulatory
  requirements to determine if the computerized system(s) supporting GxP activities installed
  within the Azure platform is fit for its intended purpose.
- The GxP computerized system will be sufficiently documented and validated by the
  customer to demonstrate compliance with all applicable regulations.


1.6 Glossary

| Term | Definition |
| --- | --- |
| AICPA | American Institute of Certified Public Accountants |
| CFR | Code of Federal Regulations |
| Closed System | An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. (Ref. [6]) |
| Cloud Infrastructure as a Service (IaaS) | The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). (Ref. [11]) |
| Cloud Platform as a Service (PaaS) | The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. (Ref. [11]) |
| Computerized System | Includes hardware, software, peripheral devices, personnel, and documentation; e.g., manuals and Standard Operating Procedures. (Ref. [21]) |
| Customer | Microsoft Azure user using the platform for GxP regulated activities. |
| CV | Curriculum Vitae |
| Electronic Record | Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. (Ref. [11]) |
| FDA | United States Food and Drug Administration |
| GAMP | Good Automated Manufacturing Practice |
| GCP | Good Clinical Practice |
| GFS | Global Foundation Services |
| GLP | Good Laboratory Practice |
| GMP | Good Manufacturing Practice |
| GxP | Compliance requirements for all good practice disciplines in the regulated pharmaceutical sector supply chain from discovery to post marketing. (Ref. [14]) |
| IaaS | Infrastructure as a Service |
| ICFR | Internal Control over Financial Reporting |
| IEC | International Electrotechnical Commission |
| IQ | Installation Qualification |
| ISO | International Organization for Standardization |
| ISPE | International Society of Pharmaceutical Engineers |
| IT | Information Technology |
| NDA | Non-Disclosure Agreement |
| NIST | National Institute of Standards and Technology |
| O/S | Operating System |
| Open System | An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. (Ref. [6]) |
| OQ | Operational Qualification |
| PaaS | Platform as a Service |
| PIC/S | Pharmaceutical Inspection Convention and Pharmaceutical Inspection Cooperation Scheme |
| Procedure | The term "procedure" within the context of this document refers to any approved and effective controlled document governing specific processes (i.e. Policy, SOP, Standard, Guide, Work Instruction). |
| SAS | Statement on Auditing Standards |
| SDLC | Software Development Lifecycle |
| SLA | Service Level Agreement |
| SMAPI | System Management Application Program Interface |
| SOC | Service Organization Controls |
| SOP | Standard Operating Procedure |
| SSAE | Statement on Standards for Attestation Engagements |
| SSL | Secure Sockets Layer |
| STB | Microsoft Server and Tools Business |
| TSP | Trust Services Principles |
| VM | Virtual Machine |
| VPN | Virtual Private Network |


2 System Description

2.1 Microsoft Azure Overview
Microsoft Azure is a cloud services operating system that serves as the development, service
hosting and service management environment for the Azure platform. Microsoft Azure provides
developers with on-demand compute and storage to host, scale, and manage web applications on
the Internet through Microsoft data centers.
The Azure platform is classified as a public, off-premise, third-party managed solution which
encompasses both IaaS and PaaS cloud service models (see NIST definition in Section 1.6). The
IaaS service model includes the infrastructure resources from the facilities to the hardware
platforms and virtual machines that reside in them. The PaaS service model adds an additional
layer of integration with application development frameworks, middleware capabilities and
functions such as database, messaging and queuing. The PaaS services allow developers to build
and deploy applications on the platform with programming languages and tools that are
supported by the resource stack.
Figure 1 depicts which party (Microsoft or Customer) is responsible for managing the various
components of the platforms based on both cloud service models.

Figure 1: Cloud Service Models (based on Ref. [18])


The Azure team is part of the Microsoft Server and Tools Business (STB) group, which maintains
the Azure platform. The Microsoft Global Foundation Services group administers the physical
infrastructure on which the Azure platform runs and data is stored. Customers provide and
manage the GxP computerized systems and data that are deployed on the Azure platform.


2.2 Microsoft Azure High Availability Features


High availability is an important feature of the Azure platform, which contributes to its overall
benefit and may have an impact on the qualification strategy for the GxP computerized systems
hosted on the Azure platform.
Microsoft defines a highly available application as one which absorbs fluctuations in availability,
load, and temporary failures in the dependent services and hardware. The application continues
to operate at an acceptable user and systemic response level as defined by business requirements
or application service level agreements. Depending on the service model being used, IaaS vs PaaS,
Azure offers several features via the Azure Fabric Controller to provide high availability of its
services. The concepts around the Azure Fabric Controller and the High Availability features are
summarized within Disaster Recovery and High Availability for Azure Applications (Ref. [19]) and
Azure Business Continuity Technical Guidance (Ref. [20]).
When using one of the Azure PaaS cloud services, the Fabric Controller verifies the status of the
hardware and software of the host and guest machine instances. When it detects a failure, it
enforces SLAs by automatically relocating the compute instances. When multiple role instances
are deployed, Azure deploys these instances to different fault domains, which are essentially
different hardware racks in the same data center. Fault domains reduce the probability that a
localized hardware failure will interrupt the service of an application.
In order to achieve high availability with virtual machines (VMs) which are provisioned as part of
the Azure IaaS service model, the VMs must be configured to use Availability Sets. Within an
Availability Set, Azure positions the virtual machines in a way that prevents localized hardware
faults and maintenance activities from bringing down all of the machines in that group. Putting
two or more VMs in Availability Sets guarantees that the VMs are spread across multiple racks in
the Azure Data Centers, which means they will have redundant power supplies, switches and
servers. Grouping VMs in Availability Sets also provides the Azure Fabric Controller with the
information it needs to intelligently update the host operating system that the guest VMs are
running on, so that they are not updated at the same time.
The above features are mentioned in this guideline as they could be leveraged as part of the
customer's risk-based qualification strategy as a means of mitigating risks surrounding management
of underlying infrastructure hardware. When the system is configured for high availability, the
Azure Fabric Controller effectively renders the hardware into a commodity and minimizes the risk
associated with physical machine failure, whether it is caused by faulty hardware, improper
installation or as a result of a change to infrastructure. By continuously monitoring key
infrastructure component parameters, the Fabric Controller is able to detect faults that occur
and automatically redistribute the load to other resources. The customer is responsible for
ensuring the Availability Sets are configured properly in order to mitigate the risk surrounding
hardware installation, upgrade and fault management.
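
The Availability Set configuration that the customer is responsible for can be checked mechanically and the result kept as qualification evidence. The Python below is an added example, not part of the Montrium guideline or of any Microsoft tooling; the inventory format, field names and VM names are constructed assumptions, and it flags VMs outside any Availability Set, sets with fewer than two VMs, and sets whose VMs all report the same fault domain.

```python
from collections import defaultdict

# Constructed sample inventory (not real Azure output). The field names are
# assumptions for this example: "availability_set" is None when the VM is not
# in a set, and "fault_domain" is the rack group reported for the VM.
SAMPLE_INVENTORY = [
    {"name": "gxp-web-01", "availability_set": "gxp-web", "fault_domain": 0},
    {"name": "gxp-web-02", "availability_set": "gxp-web", "fault_domain": 1},
    {"name": "gxp-db-01", "availability_set": "gxp-db", "fault_domain": 0},
    {"name": "gxp-app-01", "availability_set": "gxp-app", "fault_domain": 0},
    {"name": "gxp-app-02", "availability_set": "gxp-app", "fault_domain": 0},
    {"name": "gxp-batch-01", "availability_set": None, "fault_domain": 0},
]


def check_availability_sets(inventory, min_members=2):
    """Return a sorted list of (subject, finding) tuples.

    The subject is a VM name for per-VM findings and an Availability Set
    name for per-set findings. An empty list means every VM is in a set
    that has at least `min_members` VMs spread over more than one fault
    domain.
    """
    findings = []
    members = defaultdict(list)

    # Group VMs by set; a VM without a set cannot benefit from rack spreading.
    for vm in inventory:
        aset = vm.get("availability_set")
        if not aset:
            findings.append((vm["name"], "VM is not in an Availability Set"))
        else:
            members[aset].append(vm)

    for aset, vms in members.items():
        # A set with a single VM gives no redundancy during a rack fault
        # or a host operating system update.
        if len(vms) < min_members:
            findings.append(
                (aset, f"set has {len(vms)} VM(s); at least {min_members} are needed")
            )
            continue
        # The members should be reported in more than one fault domain.
        domains = {vm.get("fault_domain") for vm in vms}
        if len(domains) < 2:
            findings.append((aset, "all VMs report the same fault domain"))

    return sorted(findings)


def qualification_record(inventory):
    """Summarise the check as a record suitable for a qualification report."""
    findings = check_availability_sets(inventory)
    return {
        "result": "PASS" if not findings else "FAIL",
        "vm_count": len(inventory),
        "findings": findings,
    }


if __name__ == "__main__":
    record = qualification_record(SAMPLE_INVENTORY)
    print(f"{record['result']} ({record['vm_count']} VMs checked)")
    for subject, finding in record["findings"]:
        print(f"  {subject}: {finding}")
```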


2.3 Global Foundation Services

Global Foundation Services delivers the core infrastructure and foundation technologies for
Microsoft's Online Services environment. As described within the SOC 2 report (Ref. [2]), the GFS
operational infrastructure services include the following:

- Engineering and operations for core infrastructure (networking, directory services, access
  services, data retention and backup, hardware and software procurement, physical and
  environmental controls);
- Deployment, hosting and data center services;
- Service support, monitoring and escalation;
- Information security management and compliance monitoring.

2.4 GAMP5 Category
From the perspective of a regulated user (customer), the Azure platform may be considered
Software Category 1 (Infrastructure Software), as defined in GAMP5 (Ref. [8]). Infrastructure
Software refers to components linked together within a unified environment allowing the
installation and management of applications and services. This category contains two types of
software: established or commercially available layered software (e.g. operating systems,
database managers, programming languages, etc.) and infrastructure software tools (e.g.
network monitoring software, batch job scheduling tools, security software, anti-virus and
configuration management tools).
The virtual servers on which customers would install the GxP computerized system, in the
context of the IaaS service model, could be considered Hardware Category 1 (Standard
Hardware Components), as defined in GAMP5 (Ref. [8]).

2.5 FDA Classification - Open System vs Closed System


While Microsoft is not directly responsible for the electronic records contained within the Azure
platform, it is responsible for maintaining the Azure platform. In addition, Microsoft configures
the Azure platform infrastructure and establishes access control requirements for logical and
physical security. The Azure platform is therefore considered to be open (refer to definition in
Section 1.6). The FDA requires open systems to meet additional requirements, such as
encryption, as defined in 21 CFR Part 11.30 (Ref. [7]). The customer should evaluate any GxP
computerized system deployed on the Azure platform to determine whether it should be
considered an open or closed system per 21 CFR Part 11 and whether additional controls /
procedures need to be implemented as a result of the evaluation.


2.6 Microsoft Audits and Certifications


The following table lists the formal audit reports prepared by third parties which were reviewed
by Montrium in order to identify relevant controls which have a potential impact on compliance
with the 21 CFR Part 11 (Ref. [7]) and Annex 11 (Ref. [10]) regulations. Existing Microsoft
customers may request access to these reports subject to NDA terms and conditions, through
their respective Microsoft account representatives.

Audit Type              Date                 Reference No.
SOC 1 Type II           July 1, 2013         Ref. [1]
SOC 2 Type II           July 1, 2013         Ref. [2]
ISO/IEC 27001:2005 *    November 14, 2011    Ref. [3]
ISO/IEC 27001:2005 *    November 2013        Ref. [4] and Ref. [5]

* Both ISO/IEC 27001:2005 reports from 2011 and 2013 were included in this guideline because
their scopes cover different ISO controls that are relevant to this effort.

2.6.1 ISO/IEC 27001:2005 Certification


ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving a documented Information Security
Management System within the context of the organization's overall business risks. It specifies
requirements for the implementation of security controls customized to the needs of individual
organizations or parts thereof.
Microsoft Azure core services (Compute, Storage, Virtual Network and Virtual Machines) are
ISO/IEC 27001:2005 certified.
Included in the above are Microsoft Azure service management features and the Microsoft
Azure Management Portal, as well as the information management systems used to monitor,
operate, and update these services.
ISO/IEC 27001:2005 certifications for Microsoft Azure and Global Foundation Services can be
found by clicking on the following links:

• Azure ISO/IEC 27001:2005 certificate
• GFS ISO/IEC 27001:2005 certificate

2.6.2 SOC Service Audit Reports


Service Organization Controls (SOC) reports are designed by the American Institute of Certified
Public Accountants (AICPA) to help service organizations that operate information systems and
provide information system services to other entities build trust and confidence in their service
delivery processes and controls through a report by an independent Certified Public Accountant.


SOC 1 Service Auditor's Reports are conducted in accordance with the professional standard
known as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are
geared towards reporting on controls at service organizations that are relevant to internal
control over financial reporting (ICFR), and replace the SAS 70 auditing standard.
The Azure platform has been audited by independent third party auditors to generate a SOC 1
Service Auditor's Report which examined the following Azure features:

• Cloud Services (formerly Compute; comprised of stateless Web, Worker and VM roles)
• Storage (includes Blobs, Queues, and Tables)
• Networking (includes Traffic Manager, Connect and Virtual Network)

SOC 2 Service Auditor's Reports are also conducted in accordance with the professional
standard of SSAE 16. SOC 2 reports are intended to meet the needs of a broad range of users
that need to understand internal control at a service organization as it relates to security,
availability, processing integrity, confidentiality and privacy and are intended for use by
stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service
organization that have a thorough understanding of the service organization and its internal
controls.
The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles
(TSP) which are composed of the following five (5) sections:

• The security of a service organization's system;
• The availability of a service organization's system;
• The processing integrity of a service organization's system;
• The confidentiality of the information that the service organization's system processes
  or maintains for user entities;
• The privacy of personal information that the service organization collects, uses, retains,
  discloses, and disposes of for user entities.

The GFS services group has also undergone a SOC 2 audit to examine the suitability of the design
and operating effectiveness of controls to meet the criteria for the security principle set forth in
TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing
Integrity, Confidentiality, and Privacy (Ref. [12]).


2.7 Microsoft Controls

This section describes the audited controls implemented by Microsoft which serve to ensure
confidentiality, integrity and availability of data stored on the Azure platform. These controls are
also referenced within the compliance assessment sections (see Sections 3.2.2 and 3.4), where
they respond to applicable regulatory requirements.

2.7.1 Security Policies and Procedures


The SOC 1 audit reported that Microsoft implemented an Information Security Policy which
addresses security, availability and confidentiality for Azure. Procedural controls are in place to
support the policy. The Information Security Policy is implemented and communicated to the
applicable employees.
The SOC 1 and SOC 2 audits reported that the security policies are established, periodically
reviewed and approved by a designated individual or group.

2.7.2 Physical and Environmental Security


Microsoft has been audited to verify that proper physical security controls are established to
protect the physical assets forming the foundation of the Azure platform. The SOC 1 audit
reported that policies and procedures provide reasonable assurance that systems and data are
protected against unauthorized physical access and environmental threats.
The following activities/controls were audited in relation to physical security:

• Data Center Services;
• Physical Security (Access);
• Access Controls (Technological/Biometric);
• Data Center Security Personnel;
• Security Surveillance;
• Emergency Power, Facility and Environmental Protection.

The SOC 2 audit reported that the GFS services group has implemented procedures to restrict
physical access to the infrastructure elements including, but not limited to:

• Facilities;
• Backup media;
• Firewalls;
• Routers;
• Servers.

The 2011 ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking
and monitoring physical infrastructures and services, as well as a documented methodology for
determining the asset security level.


2.7.3 Logical Security

The SOC 1 audit reported that Microsoft has implemented several logical security controls to
provide reasonable assurance that logical access to the Azure production infrastructure and
systems is restricted to authorized personnel.
The following activities/controls were audited in relation to logical security:

• User Account Management;
• Server / Device Remote Access.

The SOC 2 audit reported that the GFS services group has implemented procedures to restrict
logical access to the system including, but not limited to, the following measures:

• Logical access security measures to restrict access to information resources not deemed
  to be public;
• Identification and authentication of users;
• Registration and authorization of new users;
• The process to make changes and updates to user profiles;
• Distribution of output restricted to authorized users;
• Restriction of access to offline storage, backup data, systems and media;
• Restriction of access to system configurations, super-user functionality, master
  passwords, power utilities and security devices (for example, firewalls).

The 2011 ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking
and monitoring logical assets, as well as determining the associated asset security level
following a documented methodology.

2.7.4 System Monitoring and Maintenance


The SOC 1 audit reported that proper controls are established to provide reasonable assurance
that the Azure platform is monitored for known security vulnerabilities and potential
unauthorized activity. An automated logging and alerting system is used for detecting
unauthorized activity and security events.
The following activities/controls were audited in relation to system monitoring and
maintenance:

• Logging and Monitoring;
• Patching.

The SOC 2 audit reported that proper controls are established to monitor the GFS infrastructure
components and proper actions are taken to maintain compliance within its defined system
security policies. Security controls are monitored on a regular basis. The GFS group monitors,
logs, reports and takes appropriate action to resolve events involving critical/suspicious
activities.


The 2011 ISO/IEC 27001:2005 audit reported that procedural controls are in place for logging
and monitoring of individual components of Azure, patch management, and related change
management. Procedural controls are in place for security incident management. These controls
define roles and responsibilities, resolution methodology, and communication requirements
based on criticality. Performance related to the resolution of security incidents is tracked,
monitored and reported.

2.7.5 Data Backup, Recovery and Retention


The SOC 1 audit reported that Microsoft has implemented processes which manage the backup
of critical Azure components and data, including customer subscriptions, hosted services,
certificates and deployments.
The SOC 2 audit reported that the GFS Data Protection Services group which manages the
secure backup system infrastructure provides secure backup retention and restoration of data in
the Microsoft Online Services environment.
The 2013 ISO/IEC 27001:2005 audit reported that backups of key platform components are
performed on a regular basis and stored in fault tolerant (isolated) facilities. The report also
verified that controls are in place to test backup and recovery and ensure backup related
incidents are documented following procedural documents. The audit also reported that the
recovery and backup process is tested on an annual basis and that procedural controls are in
place. A business continuity program is in place.
Data retention policies and procedures are defined and maintained in accordance with regulatory,
statutory, contractual or business requirements. The Azure backup and redundancy program
undergoes an annual review and validation. Azure backs up infrastructure data regularly and
validates restoration of data periodically for disaster recovery purposes (Ref. [13]).

2.7.6 Confidentiality

The SOC 1 audit reported that Microsoft provides reasonable assurance that customer secrets
(such as storage account keys) are protected while in transit and at rest within the Azure
platform using cryptographic controls. The audit also verified that customer secrets are
managed in accordance with customer agreements.
The SOC 1 and SOC 2 audits reported that encryption or other equivalent security techniques are
used to protect user authentication information and the corresponding session transmitted over
the internet or other public networks.
The 2011 ISO/IEC 27001:2005 audit reported that procedures and mechanisms are established
for effective key management to support encryption of data in storage and in transmission for
the key components of the Azure service.


2.7.7 Software Development / Change Management


The SOC 1 audit reported that a formal SDLC process exists, which governs the development of
new features or major changes to the Azure platform. The SOC 1 audit also reported that the
changes performed to the Azure platform are documented, authorized and tested. The Azure
services group uses four physically and logically isolated environments for software
development, integration testing, pre-production and production.
The SOC 2 audit of the GFS services verified adequate IT change management controls are
established surrounding the following topics:

• Separation of Environments
• Segregation of Duties
• Software Configuration and Changes
• Hardware Changes
• Network Changes

The 2013 ISO/IEC 27001:2005 audit reported that procedural documents covering change
management are in place, in which the methodology for change and release management is
defined. Changes are appropriately tested and approved.

2.7.8 Incident Management

The SOC 1 audit reported that adequate procedures are established governing how incidents
within the production environment are documented and resolved in a timely manner. The
procedures are part of an incident management framework that includes defined process roles,
responsibilities, and communications for managing the detection, escalation and response to
incidents.
The SOC 2 audit reported that procedures exist to identify, classify, escalate, and act upon
system security breaches and other incidents per assigned criticality and severity. The Azure
Live Site Support team with assistance from the Azure team documents, tracks, and coordinates
responses to incidents.
The 2013 ISO/IEC 27001:2005 audit reported that procedural controls are in place for Azure
security incident management that cover both the core components and active directory. The
procedures define roles and responsibility, resolution methodology, and communication
requirements based on severity. Performance related to security incidents is tracked, monitored
and reported.

2.7.9 Service Level Agreements


Microsoft provides Service Level Agreements (SLA) related to Azure platform services, which may
be downloaded from the Azure website. The following table is an excerpt of the SLA for Cloud
Services, Virtual Machines (VM) and Virtual Network.


Cloud Services, Virtual Machines and Virtual Network SLA

For Cloud Services, we guarantee that when you deploy two or more role instances in
different fault and upgrade domains, your Internet facing roles will have external
connectivity at least 99.95% of the time.

For all Internet facing Virtual Machines that have two or more instances deployed in the
same Availability Set, we guarantee you will have external connectivity at least 99.95% of
the time.

For Virtual Network, we guarantee a 99.9% Virtual Network Gateway availability.

2.7.10 Risk Assessment


The SOC 1 audit reported that Microsoft is accountable for the management of short and long
term corporate risks. Microsoft's internal audit specialization area leaders are responsible for
determining high-priority risks across the company. Through quarter and year-end reviews,
designated Microsoft executive and upper management individuals review the issues that may
have arisen.
The SOC 2 audit reported that Microsoft's Azure security and compliance team develops,
maintains and monitors the Information Security program which includes the ongoing Risk
Assessment process.
The 2013 ISO/IEC 27001:2005 audit reported that Microsoft effectively follows a documented
risk management procedure dedicated to the Azure platform.
2.7.11 Documentation / Asset Management
The procedure governing software development was audited against a control objective which
stipulates that the development of new features or major changes must be documented. In
addition, Microsoft has confirmed to Montrium that a Document and Records Management
procedure governing protection and retention of documentation is in force. Microsoft has also
indicated to Montrium that the baseline configuration of Azure components is documented,
managed, maintained and controlled for access via access control mechanisms. Additionally, this
configuration is performed according to the Asset management guidelines.
The 2011 ISO/IEC 27001:2005 audit reported that an Asset Management procedure is in place,
which provides guidelines for ensuring assets are properly managed. Microsoft defines an asset
as something that supports the delivery of the Azure Service, including source code, design
documents, contracts and agreements, system documentation, standard operating procedures,
business continuity plans, configuration files, etc.


2.7.12 Training Management


The SOC 1 audit reported that employee, contractor and third party roles and responsibilities
with regards to information security are defined in a related policy and that training and
awareness is provided on an ongoing basis. The definitions of roles and responsibilities for the
different functions with regards to information security have been established and are
documented. Information security training is provided through different channels on a periodic
basis. Training material was found to cover security policy requirements and training records
were maintained and up-to-date.
The SOC 2 audit reported that security policies concerning information security and business conduct
were implemented. Training is mandatory for all employees on these policies. Procedures and
standards cover policy training and training requirements. Training is documented and
compliance with training requirements is monitored.
The 2011 ISO/IEC 27001:2005 audit reported that training pertaining to security, compliance,
and Microsoft Security Development Lifecycle was mandatory. This audit reported evidence of
the involvement and commitment of management towards achieving full compliance with this
requirement.
2.7.13 Disaster Recovery
The SOC 2 audit reported that GFS business units at least annually exercise, test and maintain
business continuity and disaster recovery plans. Microsoft management teams perform and
document a resiliency assessment specific to the data center operations on an annual basis or
before significant changes.
The 2013 ISO/IEC 27001:2005 audit reported that business continuity is documented,
implemented, maintained, tested annually and any issues are tracked to closure. Testing
includes the simulation of a loss of one cluster and of a data center. The report also states that
to minimize isolated faults, customer data is automatically replicated within Azure to separate
nodes.
2.7.14 Vendor Management
The SOC 2 audit reported that third party vendors are assessed by the procurement team and if
appropriate they are added to the approved vendor list that has been established. This process
is initiated by the creation of a purchase order to employ a third party and requires that a
Microsoft Master Vendor Agreement be established.
The 2011 ISO/IEC 27001:2005 audit provides evidence that Microsoft operates in a way that
supports adequate vendor management. Statement of Work, Service Level Agreement, regular
Key Performance Indicators reporting, Non-Disclosure Agreement, and Privacy and Data center
security controls were found to be in place and effective in an applicable instance of a vendor.


Qualification Approach

The proposed qualification methodology for the Azure platform is aligned with standard methodology as
described within the GAMP good practice guidelines. According to industry best practices as proposed
within the GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [9]), in order for
an IT infrastructure platform to be considered qualified and compliant, the following critical aspects
need to be considered:

• Installation and operational qualification of infrastructure components;
• Configuration management and change control of infrastructure components;
• Management of risks to IT Infrastructure;
• Involvement of service providers in critical infrastructure processes;
• Security management in relation to access controls, availability of services and data integrity;
• Data Backup, Restore, Disaster Recovery, Archiving.

Due to the nature of the cloud environment, there is a shift in certain responsibilities surrounding the
qualification and management of the underlying cloud infrastructure, which are summarized in Section
3.2. Qualification is defined as a process of demonstrating the ability of an entity to fulfill specified
requirements. In the context of an IT Infrastructure, this means demonstrating the ability of components
such as servers, clients, and peripherals to fulfill the specified requirements for the various platforms
regardless of whether they are specific or of a generic nature (Ref. [9]). In order to ensure the
infrastructure components are capable of meeting the requirements, the cloud provider must put in
place controlled processes, illustrated in Figure 2, to ensure the Service Level Agreements are met. Since
the Azure platform is not built for the specific requirements of the customer's GxP computerized systems, it
is the responsibility of the regulated user (customer) to verify that the system, as it is configured, is
capable of meeting the requirements.

Figure 2 Qualification of Infrastructure vs. Validation of Applications


Validation consists of demonstrating, with objective evidence, that a system meets the requirements of
the users and their processes. As such, validation is performed by the regulated users (customer) of the
GxP computerized systems that reside on the Azure platform.
In the context of a public IaaS and PaaS cloud service model, the cloud service provider is responsible for
managing and maintaining the infrastructure components and ensuring that they meet the terms
defined within the governing Service Level Agreement(s). Microsoft has implemented controls (see
Section 2.7) which encompass the critical aspects of compliance.


3.1 GAMP Qualification Phases

The following are the primary qualification phases as defined within the ISPE, GAMP Good Practice
Guide: IT Infrastructure Control and Compliance (Ref. [9]), and the recommended activities performed
within each phase as they relate to the Azure platform.

Planning
• Prepare Qualification Plan
• Identify SOPs which need to be created / updated as a result of using Azure

Specification and Design
• Identify system requirements needed to support the GxP application
• Determine appropriate server architecture and configuration for high availability
• Determine system backup and restoration requirements

Risk Assessment and Qualification Test Planning
• Perform regulatory impact assessment to identify which GxP regulations apply based
  on the intended use
• Perform hazard analysis to determine risks associated with hosting the GxP
  application in an off-premise cloud
• Define scope of qualification, test specifications and acceptance criteria

Procurement, Installation and IQ
• Installation and configuration verification tests
• Verification that appropriate SLAs are in place

OQ and Acceptance
• Verify backup and restore process
• Verify data archiving process
• Perform operational and user acceptance tests and verification that GxP applications are
  fit for intended purpose

Reporting and Handover
• Summary Reports
• Implement Governance Plan for Azure


Additional information for GxP computerized system validation can be found within the following
guidance documents:

• PIC/S - Good Practices for Computerised Systems in Regulated GxP Environments (Ref. [14]);
• ISPE, GAMP 5 - A Risk-Based Approach to Compliant GxP computerized systems (Ref. [8]).

3.2 Qualification Activities and Responsibilities

By utilizing the Azure platform, the customer is effectively outsourcing the management and
operations of their IT infrastructure to Microsoft. However, it is important to note that, the
regulated company remains responsible for the regulatory compliance of their IT operations
regardless of whether they choose to outsource/offshore some or all of their IT Infrastructure
processes to external service provider(s). Compliance oversight and approvals cannot be
delegated to the outsource partner. (Ref. [9])
A summary of the customer's and Microsoft's responsibilities, as they relate to the qualification
and validation activities, is provided below. A detailed description of each party's responsibilities,
as they relate to the applicable regulatory requirements, is provided in Section 3.2.2 (21 CFR Part
11) and Section 3.4 (Annex 11).

3.2.1 Summary of Customer Responsibilities


The customer is responsible for performing the following activities for each GxP computerized
system requiring qualification and validation within the Azure platform:

• Perform high level risk assessment to identify specific risk associated with hosting the
  GxP computerized system in a cloud environment and mitigation strategies;
• Develop or identify procedural controls governing the use of the GxP computerized
  system. These procedural controls should cover the topics as described in Appendix A,
  as well as any other controlled processes which are impacted by the GxP computerized
  system including the following:
  o Use of Microsoft IDs and passwords;
  o Account access to Virtual Machines applications;
  o Compliance management with applicable laws and regulations;
  o Planning and implementation of customer data encryption requirements;
  o Securing Azure SMAPI access certificates;
  o Data access method (public or signed access) for data contained within the Azure
    Platform;
  o Configuration of Virtual Machines deployed within Azure;
  o Data backup and retrieval upon Azure subscription termination;
  o Protection of secrets associated with accounts;
  o Application software development using a Security Development Lifecycle on
    Azure;
  o Quality assurance of applications before moving to Azure;
  o Security monitoring for applications developed on Azure;
  o Assessing public Azure security and patch updates;
  o Patch application when not subscribed to auto-upgrade;
  o Incident and alert reporting to Microsoft when those are specific to customer
    systems and Azure and support Azure team when responding to incidents by
    providing appropriate and timely information;
• Determine the requirements that apply to the GxP computerized system based on its
  intended use. Configure the Azure environment to meet the requirements, including
  high availability (if required);

• Follow internal procedures governing Qualification and/or Validation processes;
  expected deliverables would include, but are not limited to:
  o Qualification / Validation plan describing the activities, responsibilities and
    deliverables to be produced for each GxP computerized system installed within
    the Azure platform;
  o Specification documentation describing the GxP computerized system's
    requirements, functionality and intended use;
  o Risk Assessments covering the high level intended use of the GxP
    computerized system and a functional risk assessment of the GxP computerized
    system features, if required. The assessments should include mitigation actions
    required to address identified risks;
  o Adaptation and verification of VM configuration to meet the specific resource
    requirements of the GxP computerized system which will be installed on the
    VM;
  o Verification documentation providing evidence that the GxP computerized
    system meets its intended use as defined within relevant specification
    documents;
• Maintain and operate the GxP computerized system in a secure and controlled manner
  according to internally developed procedures as defined above.
• Periodic reviews should be performed to demonstrate continuous control of the
  environment and effectiveness of the configuration management process. Periodic
  verification of the Backup and Restore process should be performed to ensure data can
  be retrieved in the event of data corruption or disaster at the data center.


3.2.2 Summary of Microsoft Responsibilities


Microsoft's primary responsibilities as an outsourced cloud service provider are to ensure the
Azure platform is managed in a controlled and secured manner, so as to provide the following
key elements:

• Confidentiality - ensuring that information is secure and accessible only to those
  authorized to have access;
• Integrity - safeguarding the accuracy and completeness of information and processing
  methods;
• Availability - ensuring that authorized users have access to information and associated
  assets when required.

Microsoft's specific contractual obligations towards their Azure customers are defined within
the governing Service Level Agreements (see Section 2.7.9). The controls identified in Section
2.7 are audited periodically and certified to demonstrate that the above key requirements can
be met.
When new services are deployed within the Azure Platform, they are created using the default
configuration established by Microsoft. Microsoft is responsible for ensuring the deployed
services are capable of meeting the specifications and the terms of the SLA(s).

3.3 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment


The following table outlines the assessment that was performed on each regulatory requirement
of US FDA 21 CFR Part 11 that was identified as in scope in Section 1.2 of this document. The
primary objective of the assessment is to identify the procedural and technical controls that are
required to satisfy the different regulatory requirements.
In conjunction with the responsibilities identified in Section 3.2, we further identify which controls
fall within the responsibility of Microsoft versus the controls that are considered the responsibility
of the customer when using the Azure platform for regulated GxP computerized systems.


Sec. 11.10 Controls for closed syste ms.

11.10 (a)

SEC. 11.10 CONTROLS FOR CLOSED SYSTEMS.


Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ
procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the
confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed
record as not genuine. Such procedures and controls shall include the following:
11.10 (a)
Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records.
Customer Regulated User
The customer is responsible for ensuring any GxP computerized system used to produce and/or manage
electronic records is validated according to an approved and effective procedure. This procedure should
ensure that the validation verifies accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records. Additional details regarding the qualification / validation activities are
provided in Section 3.2.1.
Description of activities, documentation and controls:

Perform computer system validation activities for GxP computerized systems as defined within the
governing computer system validation procedure to ensure accuracy, reliability, consistent
intended performance, and the ability to discern invalid or altered records;

Verify the software and virtual hardware requirements of the GxP computerized system have been
correctly provisioned by the Azure platform;

Document the qualification/validation activities performed prior to and during the deployment of
the GxP computerized systems on the Azure Platform;

Establish appropriate system performance monitoring to ensure consistent availability and
performance of GxP computerized system.

Microsoft Cloud service provider


Microsoft is not responsible for validation of the GxP computerized systems installed within the Azure
platform, as this is the responsibility of the customer. Microsoft is responsible for ensuring the Azure
platform performs consistently and reliably by implementing adequate controls over the development,
deployment and testing of the software applications which make up the Azure platform.
Microsoft meets these requirements through the following controls:

System Monitoring and Maintenance (see Section 2.7.4)

Software Development / Change Management (see Section 2.7.7)

11.10 (b)
The ability to generate accurate and complete copies of records in both human readable and electronic
form suitable for inspection, review, and copying by the agency. Persons should contact the agency if
there are any questions regarding the ability of the agency to perform such review and copying of the
electronic records.
Customer Regulated User
The customer is responsible for implementing adequate controls to secure the GxP computerized systems
which contain electronic records and provide appropriate system monitoring. These controls should
ensure that the electronic records which are stored within the GxP computerized systems on the Azure
platform are protected to prevent corruption or loss of information. The customer is also responsible for
ensuring that GxP computerized systems installed on the Azure platform are capable of generating
accurate and complete copies of records in both human readable and electronic form suitable for
inspection, review, and copying by the agency.
Description of activities, documentation and controls:

Establish Procedure(s) to govern the protection of records to ensure accurate and complete copies
are readily available including:
o Documentation Management to define who is responsible for managing documentation
within the organization;
o Records Retention and Archiving to ensure adequate record retention policies and
archive management processes are in place;
o Backup and Restoration to ensure proper protection of records through backup
mechanisms with regular restoration tests;
o Disaster recovery to ensure that electronic records can be retrieved properly in the
event of a disaster and that this retrieval is tested periodically;
o System Monitoring to ensure consistent availability and performance of GxP
computerized system;

Verify accurate and complete copies of electronic records can be retrieved from the GxP
computerized systems;

Verify that data transfer from GxP computerized systems which store electronic records on the
Azure Platform does not impact data integrity;

Ensure that record retention procedures establish long term archiving controls so that electronic
records can be retrieved throughout the required retention period from the Azure platform (or
until they are moved to another long term archiving environment outside of the Azure platform).

Microsoft Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By protecting and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are
continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

11.10 (c)
Protection of records to enable their accurate and ready retrieval throughout the records retention
period.
Customer Regulated User
The customer is responsible for ensuring that appropriate controls are established to protect records
pertaining to GxP activities performed within GxP computerized systems which are deployed on the Azure
platform and to ensure the records are readily available throughout their retention period.
Description of activities, documentation and controls:

Establish procedure(s) that govern the following topics:
o Logical security - describing the security controls which are required in order to prevent
unauthorized access to the application;
o Records Retention and Archiving to ensure adequate record retention policies and
archive management processes are in place;
o Backup and Restoration to ensure proper protection of records through backup
mechanisms with regular restoration tests;
o System Monitoring to ensure consistent availability and performance of GxP
computerized system;

Data repatriation plans are established and tested in the case of contract termination with
Microsoft for Azure services.

Microsoft Cloud service provider


Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system backup and data retention policies. Data backup and retention policies/procedures are
defined and maintained in accordance with regulatory, statutory, contractual or business requirements.
These controls help to satisfy the above regulatory requirement, such that Microsoft backs up Azure
infrastructure data regularly and validates restoration of data periodically for disaster recovery purposes.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Data Backup, Recovery and Retention (see Section 2.7.5)

11.10 (d)
Limiting system access to authorized individuals.
Customer Regulated User
The customer is responsible for ensuring that an individual must have a valid user account in order to
access both the Azure platform and any relevant GxP computerized system. Within the Azure platform and
GxP computerized system, user permissions must be managed by the System Administrator to specify
what areas of the computerized system are accessible to authorized users.
Description of activities, documentation and controls:

Azure customers register for the service by creating a subscription through the Azure Portal web
site. Customers manage applications and storage through their subscription using the Azure
management portal;

Ensure proper procedures are established to govern logical and physical security over the terminal
devices (e.g. workstations, laptops, etc.) used to access the Azure platform. The procedure should
clearly describe how access to the system is managed, as well as how user system access is
documented;

Appropriate System Administration practices are followed for GxP computerized systems installed
on the Azure platform based on predefined system administration procedures.

Microsoft Cloud service provider


Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure
platform is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

11.10 (e)
Use of secure, computer-generated time-stamped audit trails to independently record the date and time
of operator entries and actions that create, modify, or delete electronic records. Record changes shall
not obscure previously recorded information. Such audit trail documentation shall be retained for a
period at least as long as that required for the subject electronic records and shall be available for
agency review and copying.
Customer Regulated User
The GxP computerized system installed on the Azure platform should have an auditing feature which
captures an audit trail of actions performed on electronic records.
Description of activities, documentation and controls:

The audit trail feature of the GxP Computerized System deployed on the Azure platform should:
o Record the information required for audit trails as defined in 21 CFR Part 11.10(e);
o Store read-only audit trail entries in a secure database and ensure the audit trail remains
linked to its respective record throughout its retention period;
o Ensure that Audit trail information can be accessed and exported from the GxP
Computerized System as human readable records;

Procedure(s) are established governing the following activities:
o Record retention and archiving - should define how audit trails will be protected
throughout their corresponding records' lifetime;
o Logical security to ensure adequate protection and integrity of audit trails as electronic
records in their own right;
o System Administration procedures for the GxP computerized systems deployed on the
Azure platform to ensure the proper management of audit trails;
o System Monitoring to ensure consistent availability and performance of GxP
computerized system.

Microsoft Cloud service provider


Microsoft does not provide GxP computerized systems as part of the Azure platform and therefore does not
need to implement audit trails. Microsoft is however responsible for implementing adequate controls to
secure the Azure platform and provide appropriate system monitoring. By securing and monitoring the
Azure platform, these controls help to satisfy the above regulatory requirement, such that the GxP
computerized systems are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Data Backup, Recovery and Retention (see Section 2.7.5)

11.10 (f)
Use of operational system checks to enforce permitted sequencing of steps and events as appropriate.
Customer Regulated User
Operational checks are typically present in the process control mechanisms of GxP computerized systems
to ensure that operations are not executed outside of the predefined order established by the operating
group.
The customer should ensure that GxP computerized systems installed on the Azure platform have been
assessed and are capable of fulfilling this requirement.
Microsoft Cloud service provider
Within the context of the Azure platform, Microsoft does not have control over operational checks, as
these would be implemented within the GxP computerized system installed and managed by the
customer.

11.10 (g)
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign
a record, access the operation or computer system input or output device, alter a record, or perform the
operation at hand.
Customer Regulated User
The customer is responsible for ensuring that adequate authority checks are implemented where
necessary through the application of security policies and the centralized management of user permissions
within the GxP computerized system. The customer is responsible for managing the access mechanism to
the GxP computerized system on the Azure platform (see Section 3.2.1).
Description of activities, documentation and controls:

Establish a procedure describing the process for managing user accounts and user permissions for
the GxP Computerized System;

The verification that only authorized users are able to access and alter records contained within
the GxP computerized system and Azure platform should be performed as part of the validation
effort.

Microsoft Cloud service provider


The customer is primarily responsible for implementing and verifying the proper application of authority
checks in order to fulfill this regulatory requirement. Microsoft may maintain the system which
authenticates users of the GxP computerized system, and must also manage authentication and security
for the Azure platform. Microsoft is therefore responsible for ensuring proper controls are established to
securely manage the user access control system.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

11.10 (h)
Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input
or operational instruction.
Customer Regulated User
The customer must determine whether the implementation of device checks is required based on the
intended use of the GxP computerized system and the associated risks. Device checks are warranted in an
environment where only certain devices have been selected as legitimate sources of data input or
commands. In such cases, the device checks would be used to determine if the data or command source
was authorized. If required, the customer is responsible for defining which devices are authorized to
provide data or operational instructions and implement the necessary controls within the GxP
computerized system installed on the Azure platform.
Microsoft Cloud service provider
Within the context of the Azure cloud services, Microsoft does not have control over device checks, as
these would be implemented within the GxP computerized system installed and managed by the
customer.

11.10 (i)
Determination that persons who develop, maintain, or use electronic record/electronic signature
systems have the education, training, and experience to perform their assigned tasks.
Customer Regulated User
The customer is responsible for establishing procedural controls which define the employee training
process and requirements, ensuring that adequate training is provided to an end user prior to using
the GxP computerized system. The customer is also responsible for ensuring that the adequate education
and experience requirement is met for persons who develop, maintain or use the GxP computerized
system(s).
Description of activities, documentation and controls:

Ensure that appropriate training policies are established and that training and personnel
qualification are documented (i.e. training records, CV).

Microsoft Cloud service provider


Microsoft is responsible for maintaining the Azure infrastructure and services which store electronic
records, and therefore must ensure appropriate training policies are established and that training and
personnel qualification are documented (i.e. training records, CV) for personnel managing and monitoring
the Azure services.
Microsoft meets these requirements through the following controls:

Training Management (see Section 2.5.12)

11.10 (j)
The establishment of, and adherence to, written policies that hold individuals accountable and
responsible for actions initiated under their electronic signatures, in order to deter record and signature
falsification.
Customer Regulated User
This requirement would be applicable if the customer has implemented a GxP computerized system which
provides users with the ability to apply electronic signatures to sign electronic records (see definition in
Section 1.6). The customer would in this case be responsible for implementing controls governing the use
of electronic signatures ensuring that individuals are aware that they are accountable and responsible for
actions initiated under their electronic signatures.
Description of activities, documentation and controls:

A written policy should be established that holds individuals accountable and responsible for
actions initiated under or authorized by their electronic signatures;

Ensure that appropriate Training policies are established and that training and personnel
qualification are documented (i.e. training records, CV).

Microsoft Cloud service provider


Microsoft does not participate in the generation of electronic records or application of electronic
signatures, and therefore does not have any responsibilities with regard to this regulatory requirement.

11.10 (k) Use of appropriate controls over systems documentation including:


11.10 (k)(1)
Adequate controls over the distribution of, access to, and use of documentation for system operation
and maintenance.
Customer Regulated User
This regulation applies to system documentation which describes how a system operates and is
maintained, including standard operating procedures. Some highly sensitive documentation, such as
instructions on how to modify system security features, should not be widely distributed. Hence, the
customer is responsible for controlling the distribution of, access to, and use of such documentation which
is typically managed via the Document Management and Training Management processes.
Description of activities, documentation and controls:

Procedures governing controlled documentation management should be established in order to
ensure that employees have access to the correct and updated versions of standard operating and
maintenance procedures for the GxP Computerized System installed on the Azure platform;

Ensure that procedural controls are established to appropriately manage the distribution, access
and use of system documentation for GxP computerized systems installed on the Azure platform.

Microsoft Cloud service provider


Microsoft is responsible for ensuring access to system operation and maintenance documentation related
to the Azure platform is properly controlled and that adequate controls are established to control the
distribution and use of these documents. Employee training is performed in order to ensure proper use of
the system documentation.
Microsoft meets these requirements through the following controls:

Documentation / Asset Management (see Section 2.7.11)

Training Management (see Section 2.7.12)

11.10 (k) Use of appropriate controls over systems documentation including:


11.10 (k)(2)
Revision and change control procedures to maintain an audit trail that documents time-sequenced
development and modification of systems documentation.
Customer Regulated User
The customer is responsible for establishing controls which govern changes to system and corresponding
documentation. Documents within the scope of this requirement include GxP computerized system
specification, design, installation and validation documents and all other system operating procedures and
manuals.
Description of activities, documentation and controls:

Establish procedures for proper documentation management including document change control;

Ensure proper versioning and audit trail controls on GxP computerized systems documentation;

Establish system change control procedures which trigger appropriate documentation revisions for
GxP computerized systems.

Microsoft Cloud service provider


This regulation stipulates that any change to Microsoft systems hardware or software components should
be documented. The Microsoft change control procedure governs the process of applying changes to the
system and associated documentation. Microsoft has implemented a Document and Records Management
procedure governing protection and retention of documentation in conjunction with its Asset
Management procedure.
Microsoft meets these requirements through the following controls:

Software Development / Change Management (see Section 2.7.7)

Documentation / Asset Management (see Section 2.7.11)

SEC. 11.30 CONTROLS FOR OPEN SYSTEMS


11.30
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ
procedures and controls designed to ensure the authenticity, integrity, and as appropriate, the
confidentiality of electronic records from the point of their creation to the point of their receipt. Such
procedures and controls shall include those identified in 11.10, as appropriate and additional measures
such as document encryption and use of appropriate digital signature standards to ensure, as necessary
under the circumstances, record authenticity, integrity, and confidentiality.
Customer Regulated User
The customer is responsible for ensuring that appropriate controls are implemented to ensure record
authenticity, integrity, and confidentiality. These controls include those identified in Section 3.2.1.
As the GxP computerized system is hosted and the internet is used to transmit and/or view electronic
records within the Azure platform, in addition to controls for the proper authentication of users (as with a
closed system), there should also be encryption controls (i.e. SSL or VPN) established to ensure that
records that transit across public networks (such as the Internet) cannot be intercepted or interpreted by
unauthorized individuals. Customers are also responsible for determining and implementing encryption
requirements for data stored within the GxP computerized system(s).
Description of activities, documentation and controls:

Applications installed within the Azure platform must be assessed for this requirement;

Customer may implement encryption of customer data within the customer's application;

Ensure that encryption and access controls are established to ensure that the integrity of data is
maintained.

Microsoft Cloud service provider


Microsoft is responsible for ensuring controls are established to ensure the availability, integrity and
confidentiality of data within the Azure platform and during transit. Microsoft provides customers the
option of encrypting data transmitted to and from Microsoft data centers over public networks.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Confidentiality (see Section 2.7.6)

3.4 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment

The following table outlines the assessment that was performed on each regulatory requirement of
EudraLex Volume 4 Annex 11 that was identified as in scope in Section 1.2 of this document. The
primary objective of the assessment is to identify the procedural and technical controls that are
required to satisfy the different regulatory requirements.
We further identify which controls fall within the responsibility of Microsoft versus the controls that are
considered the responsibility of the customer when using the Azure platform for regulated GxP
computerized systems.

PRINCIPLE
This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A
computerised system is a set of software and hardware components which together fulfill certain
functionalities.
The application should be validated; IT infrastructure should be qualified.
Where a computerised system replaces a manual operation, there should be no resultant decrease in
product quality, process control or quality assurance. There should be no increase in the overall risk of
the process.
Customer Regulated User
The customer must interpret this regulation as applying to all GxP Computerized Systems supporting GxP
related activities that will be installed on the Azure platform (IaaS & PaaS).
The customer is responsible for validating the GxP computerized systems installed within the Azure
platform along with ensuring that the Azure VM that has been deployed for their use has been
appropriately qualified.
Microsoft Cloud service provider
Microsoft's responsibility towards their customers is to ensure that the components supporting the Azure
platform have been developed, verified and deployed in a controlled fashion and managed according to
approved procedures.

GENERAL
1 - Risk Management
Risk management should be applied throughout the lifecycle of the computerised system taking into
account patient safety, data integrity and product quality. As part of a risk management system,
decisions on the extent of validation and data integrity controls should be based on a justified and
documented risk assessment of the computerised system.
Customer Regulated User
The customer is responsible for ensuring that risk management is part of the process of assessing,
selecting or developing and implementing GxP computerized systems within the Azure platform.
Description of activities, documentation and controls:

Ensure risk management policies are effective and implemented and/or risk management is
integrated into the relevant procedures used for the development, deployment and management
of GxP Computerized Systems;

Integrate risk management into your software development lifecycle procedure;

Use a risk based approach when performing and documenting the qualification/validation
activities surrounding the deployment of the GxP Computerized Systems on the Azure platform.

Microsoft Cloud service provider


Microsoft is responsible for ensuring that risk management has been applied in the selection and
implementation of the components of its Azure platform.
Microsoft meets this requirement through the following control:

Risk Assessment (see Section 2.7.10)

2 - Personnel
There should be close cooperation between all relevant personnel such as Process Owner, System Owner,
Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and
defined responsibilities to carry out their assigned duties.
Customer Regulated User
The customer is responsible for ensuring that controls are established to govern the training and the
activities assigned to their personnel. They should also document the method used to confirm or verify an
individual's qualifications and experience against formal job descriptions to ensure they are qualified to
perform assigned tasks.
The customer is also responsible for ensuring that an individual has a valid user account in order to access the
Azure platform and any relevant GxP computerized system. Within both the Azure platform and the GxP
computerized system, user permissions must be managed by the customer's assigned System
Administrator to specify what areas of the system are accessible to authorized users.
Description of activities, documentation and controls:

Ensure that appropriate training policies are established and that training and personnel
qualifications are documented (i.e. training records, CV);

Ensure that personnel are aware of their roles and responsibilities through approved and signed
documentation such as Job Descriptions;

User Account Management procedures should be established to govern the assessment, enabling
and disabling of IT system user accounts;

Different levels of system access should be formally defined for each GxP Computerized System
deployed on Azure and users should be assigned to the different levels through the User Account
Management procedure.

Microsoft Cloud service provider


Microsoft is responsible for maintaining the Azure platform infrastructure and services which store
customer electronic records, and therefore must ensure appropriate training policies are established and
that training and personnel qualifications are documented (i.e. training records, CV).
Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure
platform is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

Training Management (see Section 2.7.12)

3 - Suppliers
3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure,
integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related
service or for data processing, formal agreements must exist between the manufacturer and any third
parties, and these agreements should include clear statements of the responsibilities of the third party.
IT-departments should be considered analogous.
Customer Regulated User
The customer is responsible for assessing third party suppliers that have an impact on relevant GxP
computerized systems. They are responsible for ensuring that controls addressing the identification,
assessment, selection and management of third party suppliers are established.
Description of activities, documentation and controls:

Ensure that a vendor selection process has been defined and is covered within an effective
procedure;

Ensure that when needed appropriate contracts are established (i.e. NDA, SLAs);

Ensure that contracts establish clear statements of responsibility;

Ensure that vendor selection evidence and documentation is maintained following governing
Record Retention policies.

Microsoft Cloud service provider


Microsoft would be considered a third party service provider to the client within the context of this
requirement and formal agreements will be in place between the customer and Microsoft which include a
service level agreement which clearly defines responsibility of each party. In addition, Microsoft is
responsible for ensuring that they appropriately document and control the services provided by third party
suppliers within the context of their Azure platform offering.
Microsoft meets these requirements through the following controls:

Documentation / Asset Management (see Section 2.7.11)

Vendor Management (see Section 2.7.14)


3.2

3 - Suppliers
3.2 The competence and reliability of a supplier are key factors when selecting a product or service
provider. The need for an audit should be based on a risk assessment.
Customer Regulated User
The customer is responsible for assessing third party suppliers that have an impact on relevant GxP
computerized systems. The level of impact that a supplier may have on a GxP computerized system
should be part of the supplier assessment process. This should be taken into account in order to determine
the need for a formal audit of the supplier.
Description of activities, documentation and controls:

Establish a vendor selection procedure and an external audit procedure to define when a vendor
audit is required;

Ensure that risk assessment is part of the vendor selection process.

Microsoft Cloud service provider


Microsoft is responsible for ensuring that they appropriately document and control the selection of third
party suppliers of components/services which form part of the Azure platform offering used by customers
to deploy GxP computerized systems.
Microsoft meets these requirements through the following controls:

Documentation / Asset Management (see Section 2.7.11)

Vendor Management (see Section 2.7.14)


3.3

3 - Suppliers
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated
users to check that user requirements are fulfilled.
Customer Regulated User
The customer is responsible for implementing controls ensuring the review of documentation related to
commercial off-the-shelf applications supporting GxP activities to verify that the system meets user
requirements.
Description of activities, documentation and controls:

Establish procedures for selecting and deploying off the shelf software solutions and services
which includes the verification of supplied documentation to ensure the solutions or services meet
user requirements.

Microsoft Cloud service provider


This regulatory requirement does not apply to Microsoft as they are not regulated users of third party
commercial off-the-shelf products.
As Microsoft is the provider of commercial off-the-shelf products to regulated users, they are required to
provide these customers with sufficient documentation to allow the customer to meet this requirement.
3.4

3 - Suppliers
3.4 Quality system and audit information relating to suppliers or developers of software and
implemented systems should be made available to inspectors on request.
Customer Regulated User
The customer is responsible for implementing appropriate controls which ensure that quality system and
audit information relating to suppliers is available to inspectors.
Description of activities, documentation and controls:

Ensure that quality system and vendor selection evidence and documentation is maintained
following governing record management policies.

Microsoft Cloud service provider


As Microsoft is a third party vendor of cloud services to their customers, they are not required to meet
this requirement.


4 Validation

4.1

4 - Validation
4.1 The validation documentation and reports should cover the relevant steps of the life cycle.
Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and
records based on their risk assessment.
Customer Regulated User
The customer is responsible for ensuring that GxP computerized systems are defined, developed, verified,
deployed, and validated according to approved and effective software development lifecycle procedures.
Description of activities, documentation and controls:

Establish formal risk based software development lifecycle and computer systems validation
procedures;

Ensure GxP computerized systems installed on the Azure platform that manage electronic records
are validated to confirm they are fit for their intended purpose based on a formal risk assessment;

Document the qualification/validation activities surrounding the deployment of the GxP
computerized systems on the Azure platform per the formal procedures.

Microsoft Cloud service provider


Microsoft is not responsible for validation of the GxP computerized systems installed within the Azure
platform, as this is the responsibility of the customer. Microsoft is responsible for ensuring that the
components used within the Azure platform have been defined, developed, verified, deployed, and
validated according to approved and effective software development lifecycle procedures.
Microsoft meets these requirements through the following control:

Software Development / Change Management (see Section 2.7.7)


4.2

4 - Validation
4.2 Validation documentation should include change control records (if applicable) and reports on any
deviations observed during the validation process.
Customer Regulated User
The customer is responsible for ensuring that controls are established to govern the management of issues
encountered within the validation process, along with the administration of changes to GxP computerized
systems and corresponding documentation.
The customer's validation process should also describe methods used to track and manage deviations
and issues encountered within the validation process. Additional details regarding the qualification / validation
activities are provided in Section 3.2.1.
Description of activities, documentation and controls:

Ensure computer system validation and change control procedures are established, including
specific security controls;

Ensure that documentation management controls are established to manage documents produced
within the validation and change management processes;

Documents within the scope of this requirement include validation, change control and deviation
documents.

Microsoft Cloud service provider


Microsoft is responsible for ensuring that controls are established to manage the deployment and
verification of customer Azure VMs; documentation generated as evidence of this effort must be
efficiently controlled.
Microsoft is also responsible for the implementation of upgrades or patches to the Azure platform. Any
changes to hardware or software components supporting the Azure platform should be documented and
tested prior to being placed into production.
Microsoft meets these requirements through the following controls:

Software Development / Change Management (see Section 2.7.7)


4.3

4 - Validation
4.3 An up to date listing of all relevant systems and their GMP functionality (inventory) should be
available.
For critical systems an up to date system description detailing the physical and logical arrangements,
data flows and interfaces with other systems or processes, any hardware and software pre-requisites,
and security measures should be available.
Customer Regulated User
The customer is responsible for ensuring that controls are established to determine the need and content
of system documentation required to manage applicable GxP computerized systems.
Description of activities, documentation and controls:

Produce system description document for all GxP computerized systems, including Azure and
relevant systems which describes the GxP computerized systems and components installed within
the Azure platform;

Reference the Azure virtual machines or services that will be used to deploy the GxP computerized
system in the system description document.

Microsoft Cloud service provider


As customers may implement critical GxP computerized systems within the Azure platform, Microsoft is
responsible for ensuring the management of assets within the GFS environment supporting the Azure
platform.
Microsoft meets this requirement through the following control:

Documentation / Asset Management (see Section 2.7.11)


4.4

4 - Validation
4.4 User Requirements Specifications should describe the required functions of the computerised
system and be based on documented risk assessment and GMP impact. User requirements should be
traceable throughout the life-cycle.
Customer Regulated User
The customer is responsible for ensuring that controls are in place which define the method for gathering
and documenting the needs of their users. The approach must include the assessment and mitigation of
risk and regulatory impact. The customer's documented User Requirements must be traced throughout
the GxP computerized system's lifecycle.
Description of activities, documentation and controls:

Establish procedures for the development and management of user requirements;

Establish traceability mechanisms for user requirements.

Microsoft Cloud service provider


This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized
systems.


4.5

4 - Validation
4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed
in accordance with an appropriate quality management system. The supplier should be assessed
appropriately.
Customer Regulated User
The customer is responsible for ensuring that controls addressing the management of third party suppliers
are established. The customer must also ensure that regulated systems have been developed according to
or meet the requirements of an approved SDLC process.
Description of activities, documentation and controls:

Ensure that a vendor selection process has been defined and is covered within an effective
procedure;

Ensure that when needed appropriate contracts are established (i.e. NDA, SLAs);

Ensure that vendor selection evidence and documentation is maintained following governing
Record Retention policies;

Ensure that the vendor's quality system has the appropriate controls in place to govern the SDLC
process;

Ensure that system development activities are performed as defined within the governing
SDLC or computer system validation procedure.

Microsoft Cloud service provider


This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized
systems.
As Microsoft is the provider of commercial off-the-shelf products to regulated users, they are required to
provide these customers with sufficient documentation to allow the customer to meet this requirement.


4.6

4 - Validation
4.6 For the validation of bespoke or customised computerised systems there should be a process
established that ensures the formal assessment and reporting of quality and performance measures for
all the life-cycle stages of the system.
Customer Regulated User
The customer is responsible for establishing controls that will ensure the continuous assessment and
measurement of quality and performance throughout the GxP computerized system's lifecycle.
Description of activities, documentation and controls:

Ensure computer system validation and change control policies are established.

Microsoft Cloud service provider


As customers may implement GxP computerized systems within the Azure platform, Microsoft is
responsible for establishing appropriate controls to ensure the monitoring and change management of
assets supporting the Azure platform.
Microsoft meets these requirements through the following controls:

System Monitoring and Maintenance (see Section 2.7.4)

Software Development / Change management (see Section 2.5.7)


4.7

4 - Validation
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly,
system (process) parameter limits, data limits and error handling should be considered. Automated
testing tools and test environments should have documented assessments for their adequacy.
Customer Regulated User
The customer is responsible for establishing appropriate controls to govern the testing of their GxP
computerized systems and that relevant tests are performed and adequately documented.
Description of activities, documentation and controls:

Ensure adequate computer system validation and change control policies are established;

Ensure that all testing activities are properly documented.

Microsoft Cloud service provider


As customers may implement GxP computerized systems within the Azure platform, Microsoft is
responsible for establishing appropriate controls to ensure the controlled and verified deployment of
customer VMs within the Azure platform.
Microsoft meets these requirements through the following controls:

System Monitoring and Maintenance (see Section 2.7.4)

Software Development / Change Management (see Section 2.7.7)


4.8

4 - Validation
4.8 If data are transferred to another data format or system, validation should include checks that
data are not altered in value and/or meaning during this migration process.
Customer Regulated User
The customer is responsible for establishing appropriate controls to ensure that the process of data
migration is tested and documented accordingly when migrating data to/from GxP computerized systems
deployed on the Azure platform.
Description of activities, documentation and controls:

Establish change management procedures which govern data migration;

Establish data migration plans which include controls for the verification that data has not been altered
in value and/or meaning following migration.

Microsoft Cloud service provider


Microsoft is not responsible for the migration of data between GxP computerized systems hosted on the
Azure platform.


5 Data

OPERATIONAL PHASE
5 - Data
Computerised systems exchanging data electronically with other systems should include appropriate
built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.
Customer Regulated User
The customer is responsible for establishing the controls required to ensure the authenticity, integrity and
confidentiality of data related to GxP computerized systems hosted within the Azure platform. In addition
to controls for the proper authentication of users (as with a closed system), there should also be
encryption controls (i.e. SSL or VPN) established to ensure that records that transit across public networks
(such as the Internet) cannot be intercepted or interpreted by unauthorized individuals. These controls
should include related topics as identified in Section 3.2.1.
Description of activities, documentation and controls:

Applications installed within the Azure platform must be assessed to this requirement;

Ensure that encryption and access controls are established to ensure that the integrity of data is
maintained within the GxP computerized system and when data is transiting from the Azure
platform across the internet.

Microsoft Cloud service provider


Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform
are protected. Microsoft provides customers the option of encrypting data transmitted to and from
Microsoft data centers over public networks.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Confidentiality (see Section 2.7.6)


6 Accuracy Checks

6 - Accuracy Checks
For critical data entered manually, there should be an additional check on the accuracy of the data. This
check may be done by a second operator or by validated electronic means. The criticality and the
potential consequences of erroneous or incorrectly entered data to a system should be covered by risk
management.
Customer Regulated User
The customer is responsible for implementing controls to ensure that data entered into GxP computerized
systems are accurate. Verification controls should be implemented to determine the risk and impact that
inaccurate or mistakenly entered data would have on the GxP computerized system.
Description of activities, documentation and controls:

Ensure GxP computerized systems have controls for detecting inaccurate or erroneous data.

Microsoft Cloud service provider


This requirement is the customer's responsibility as Microsoft is not providing GxP computerized systems
used for data entry.


7 - Data Storage

7.1

7 - Data Storage
7.1 Data should be secured by both physical and electronic means against damage. Stored data should
be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the
retention period.
Customer Regulated User
The customer is responsible for ensuring that adequate authority checks are implemented where necessary through
the application of security policies and the centralized management of user permissions with the GxP
computerized system. The customer is also responsible for ensuring that appropriate controls are
established to protect data and records pertaining to GxP activities performed within GxP computerized
systems deployed on the Azure platform, and to ensure accurate data is readily available throughout its
retention period.
Description of activities, documentation and controls:

The verification that only authorized users are able to access, read and alter records contained
within the GxP computerized system should be performed as part of the validation effort;

Procedure(s) are established governing the following topics:


o Logical security - describes the security controls which are required in order to prevent
unauthorized access to the application;
o User Account Management - describes the process for requesting new user accounts and
how to provide end users with relevant permissions;
o Data backup and recovery - describes the process for the backup and recovery of data
housed within the Azure platform;
o Records retention and archiving - describes how records will be protected and archived
throughout their lifecycle;

Ensure that mechanisms for Disaster Recovery and Business Continuity are established and tested,
should any issue arise with the Azure VMs;

Data repatriation plans are established and tested in the case of contract termination.

Microsoft Cloud service provider
Microsoft manages the security component which authenticates users of the Azure platform, and is therefore
responsible for ensuring proper controls are established to securely manage the user access control
system.
Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are
continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Data Backup, Recovery and Retention (see Section 2.7.5)

Service Level Agreements (see Section 2.7.9)


7.2

7 - Data Storage
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and
the ability to restore the data should be checked during validation and monitored periodically.
Customer Regulated User
The customer is responsible for defining the backup scheme for data housed within GxP computerized
systems which are deployed on the Azure platform and ensuring that the implemented backup mechanism
functions appropriately and consistently.
Description of activities, documentation and controls:

Ensure that controls and procedures are established to oversee the backup and recovery of data.
These controls should be tested periodically to ensure that they are still functional;

Ensure data repatriation plans are established and tested in the case of contract termination.

Microsoft Cloud service provider


Microsoft is responsible for ensuring that appropriate controls are in place to manage the backup systems
and provide assurance to customers that their defined backup schemes are implemented and function
correctly and will provide the expected level of retention. Controls to govern the maintenance and
verification of the backup system should be implemented.
Microsoft meets these requirements through the following controls:

System Monitoring and Maintenance (see Section 2.7.4)

Data Backup, Recovery and Retention (see Section 2.7.5)


8 Printouts

8.1

8 - Printouts
8.1 It should be possible to obtain clear printed copies of electronically stored data.
Customer Regulated User
The customer is responsible for ensuring that GxP computerized systems installed on the Azure platform
are capable of generating accurate and complete copies of records.
Description of activities, documentation and controls:

Procedure(s) are established governing the protection of records to ensure accurate and complete
copies are readily available;

Verify accurate and complete copies of electronic records can be retrieved and printed from the
system during validation;

Verify data transfer from applications which store electronic records in GxP computerized systems
deployed on the Azure platform does not impact data integrity.

Microsoft Cloud service provider


Microsoft is not responsible for ensuring it is possible to print copies of customer data stored within the
GxP computerized systems hosted on the Azure platform. However, Microsoft is responsible for
implementing adequate controls to secure the Azure platform and provide appropriate system monitoring.
By securing and monitoring the Azure platform, these controls help to satisfy the above regulatory
requirement, such that the GxP computerized systems are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Service Level Agreements (see Section 2.7.9)


8.2

8 - Printouts
8.2 For records supporting batch release it should be possible to generate printouts indicating if any of
the data has been changed since the original entry.
Customer Regulated User
The customer should ensure that GxP computerized systems installed on the Azure platform have been
assessed and are capable of fulfilling this requirement. This requirement is typically met through the
generation of audit trails for batch records and ensuring that the batch records with audit trail can be
printed.
Microsoft Cloud service provider
Microsoft is not responsible for customer data stored within the GxP computerized systems hosted on the
Azure platform. However, Microsoft is responsible for implementing adequate controls to secure the
Azure platform and provide appropriate system monitoring. By securing and monitoring the Azure
platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized
systems are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Service Level Agreements (see Section 2.7.9)


9 Audit Trails

9 - Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a
record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or
deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and
convertible to a generally intelligible form and regularly reviewed.
Customer Regulated User
The customer is responsible for ensuring that GxP computerized systems installed on the Azure platform
have an auditing feature which captures an audit trail of actions performed on electronic records. The
need for maintaining an audit trail should be determined by assessing the risk related to the data managed
within the GxP computerized system. The audit trail feature of the GxP Computerized System deployed on
the Azure platform should:

Record the reference to the record being changed or deleted, the identity of the individual or
system making the change or deletion, the date and time of the change or deletion, the old and
new value for the record being changed and the reason for change or deletion;

Store read-only audit trail entries in a secure database and ensure the audit trail remains linked to
its respective record throughout its retention period;

Ensure that Audit trail information can be accessed and exported from the GxP Computerized
System as human readable records.
Description of activities, documentation and controls:

Establish Procedure(s) governing the following activities:


o Record retention and archiving - should define how audit trails will be protected
throughout their corresponding records' lifetime;
o Logical security to ensure adequate protection and integrity of audit trails as electronic
records in their own right;
o System Administration procedures for the GxP computerized systems deployed on the
Azure platform to ensure the proper management of audit trails;

Verify that audit trail entries are being generated correctly and are adequately protected during
validation.
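
The audit trail requirements listed above (record reference, identity, date and time, old and new value, reason for change; read-only entries that stay linked to their record; human-readable export), sketched as an added example that is not part of the original guideline and is not Microsoft or Montrium code. The SQLite schema and the table and function names are assumptions chosen for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one GxP data table plus an append-only audit table.
SCHEMA = """
CREATE TABLE batch_record (id INTEGER PRIMARY KEY, field TEXT NOT NULL, value TEXT);
CREATE TABLE audit_trail (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    record_id  INTEGER NOT NULL,   -- reference to the record changed or deleted
    actor      TEXT NOT NULL,      -- individual or system making the change
    changed_at TEXT NOT NULL,      -- date and time of the change (ISO 8601, UTC)
    action     TEXT NOT NULL CHECK (action IN ('CHANGE', 'DELETE')),
    old_value  TEXT,
    new_value  TEXT,
    reason     TEXT NOT NULL CHECK (length(trim(reason)) > 0)
);
-- Entries are read-only: any UPDATE or DELETE on the audit table is aborted.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail entries are read-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail entries are read-only'); END;
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _audit(conn, record_id, actor, action, old, new, reason, when):
    conn.execute(
        "INSERT INTO audit_trail (record_id, actor, changed_at, action,"
        " old_value, new_value, reason) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (record_id, actor, when or _now(), action, old, new, reason),
    )


def _current_value(conn, record_id):
    row = conn.execute(
        "SELECT value FROM batch_record WHERE id = ?", (record_id,)
    ).fetchone()
    if row is None:
        raise KeyError(f"no record {record_id}")
    return row[0]


def change_value(conn, record_id, actor, new_value, reason, when=None):
    """Change a record and write its audit entry in one transaction.

    If the audit entry is rejected (for example, no reason given), the
    data change is rolled back as well, so no change exists without a trail.
    """
    with conn:
        old = _current_value(conn, record_id)
        conn.execute(
            "UPDATE batch_record SET value = ? WHERE id = ?", (new_value, record_id)
        )
        _audit(conn, record_id, actor, "CHANGE", old, new_value, reason, when)


def delete_record(conn, record_id, actor, reason, when=None):
    """Delete a record; the audit entry keeps the record reference and old value."""
    with conn:
        old = _current_value(conn, record_id)
        conn.execute("DELETE FROM batch_record WHERE id = ?", (record_id,))
        _audit(conn, record_id, actor, "DELETE", old, None, reason, when)


def export_audit_trail(conn, record_id):
    """Return the audit trail of one record as human-readable lines."""
    rows = conn.execute(
        "SELECT seq, changed_at, actor, action, old_value, new_value, reason"
        " FROM audit_trail WHERE record_id = ? ORDER BY seq",
        (record_id,),
    )
    return [
        f"#{seq} {ts} {actor} {action} record {record_id}: "
        f"{old!r} -> {new!r} (reason: {reason})"
        for seq, ts, actor, action, old, new, reason in rows
    ]


if __name__ == "__main__":
    db = open_db()
    # Constructed sample data.
    db.execute("INSERT INTO batch_record VALUES (1, 'assay_result', '98.2')")
    db.commit()
    change_value(db, 1, "jdoe", "98.7", "Transcription error corrected")
    delete_record(db, 1, "qa_admin", "Duplicate entry removed")
    print("\n".join(export_audit_trail(db, 1)))
```

The triggers only stop changes made through SQL; protecting the database file and its administrator accounts remains a matter for the logical security procedures listed above.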

Microsoft Cloud service provider
Microsoft does not provide GxP computerized systems as part of the Azure platform and therefore does not
need to implement audit trails. However, Microsoft is responsible for implementing adequate controls to
secure the Azure platform and provide appropriate system monitoring. By securing and monitoring the
Azure platform, these controls help to satisfy the above regulatory requirement, such that the GxP
computerized systems on the Azure platform are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Service Level Agreements (see Section 2.7.9)


10 Change and Configuration Management

10 - Change and Configuration Management


Any changes to a computerised system including system configurations should only be made in a
controlled manner in accordance with a defined procedure.
Customer Regulated User
The customer is responsible for establishing controls to govern the change and configuration management
processes related to GxP computerized systems deployed on the Azure platform.
Description of activities, documentation and controls:

Ensure that appropriate System Change Control, Configuration Management, Application Quality
and Security procedures along with documentation management controls are established.

Microsoft Cloud service provider


Microsoft is responsible for ensuring that controls are in place to govern the management of GFS and
Azure components used for GxP computerized systems deployed on the Azure platform.
Microsoft meets these requirements through the following controls:

Software Development / Change Management (see Section 2.7.7)


11 Periodic evaluation

11 - Periodic evaluation
Computerised systems should be periodically evaluated to confirm that they remain in a valid state and
are compliant with GMP. Such evaluations should include, where appropriate, the current range of
functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security
and validation status reports.
Customer Regulated User
The customer is responsible for ensuring that controls are established to govern the maintenance of the
GxP computerized systems validated state throughout its lifecycle. These controls should include related
topics as identified in Section 3.2.1.
Description of activities, documentation and controls:

Ensure computer system validation and change control policies are established for GxP
computerized systems deployed on the Azure platform;

Ensure that systems maintenance procedures are in place to manage GxP computerized systems
deployed on the Azure platform;

Ensure that deviation and incident management procedures are in place to manage deviations,
incidents and problems that arise with GxP computerized systems deployed on the Azure platform.

Microsoft Cloud service provider


Microsoft is not responsible for validation of systems to verify compliance with GMP regulations. However,
Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform
are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Service Level Agreements (see Section 2.7.9)

12 - Security
12.1 Physical and/or logical controls should be established to restrict access to computerised system to
authorised persons. Suitable methods of preventing unauthorised entry to the system may include the
use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer
equipment and data storage areas.
Customer Regulated User
The customer is responsible for ensuring that an individual has a valid user account in order to access the
Azure platform and GxP computerized system. Within the Azure platform and GxP computerized system,
user permissions must be managed by the System Administrator to specify which areas of the system are
accessible to each user.
Description of activities, documentation and controls:

Ensure proper procedures are established to govern logical and physical security. The procedure
should clearly describe how access to the system is managed, as well as how user system access is
documented;

A procedure describing the process for requesting new user accounts and how to provide the
correct permissions should be developed;

The verification that only authorized users are able to access and alter records contained within
the system should be performed as part of the validation effort;

Appropriate System Administration practices are followed for applications installed on the Azure
platform;

Ensure that encryption and access controls are established to ensure that the integrity of data is
maintained.

Microsoft Cloud service provider


Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure
infrastructure components is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

12 - Security
12.2 The extent of security controls depends on the criticality of the computerised system.

Customer Regulated User


The customer is responsible for establishing controls to ensure that appropriate security controls are
implemented. The level and complexity of security controls should be based on the GxP impact of the GxP
computerized system.
Description of activities, documentation and controls:

Ensure proper procedures are established to govern logical and physical security;

Ensure risk management policies are established.

Microsoft Cloud service provider


Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform
are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

Risk Assessment (see Section 2.7.10)

12 - Security
12.3 Creation, change, and cancellation of access authorisations should be recorded.

Customer Regulated User


The customer is responsible for ensuring that the management of user accounts is controlled and
documented. It should be noted that user accounts should not be deleted but deactivated, allowing
traceability within electronic records to be maintained. This control of access also applies to physical
components related to the GxP computerized systems (i.e. computer rooms, office space, server rooms)
which must equally be controlled and documented.
Description of activities, documentation and controls:

Ensure proper procedures are established to govern logical and physical security. The procedure
should clearly describe how access to GxP computerized systems is managed;

Establish a user access control list to record all granting of, changes to or cancellation of user
access to GxP computerized systems;

Ensure appropriate System Administration practices are followed for GxP computerized systems
installed on the Azure platform.

Microsoft Cloud service provider


Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform
are protected.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

12 - Security
12.4 Management systems for data and for documents should be designed to record the identity of
operators entering, changing, confirming or deleting data including date and time.
Customer Regulated User
The GxP computerized systems installed on the Azure platform should capture the identity of users
creating or performing actions on data. The information captured should include the following:

Date and time when electronic records are created, initiated, changed, confirmed, and deleted;

The identity of the user who performed the action.


Description of activities, documentation and controls:

Procedure(s) are established governing the following activities:


o The defined Computer System Validation process should ensure that this requirement is
present and functions in the GxP computerized system.

Microsoft Cloud service provider


This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized
systems for the collection and management of regulated electronic records.

13 - Incident Management
All incidents, not only system failures and data errors, should be reported and assessed. The root cause
of a critical incident should be identified and should form the basis of corrective and preventive actions.
Customer Regulated User
The customer is responsible for ensuring that appropriate tools or controls are established to govern the
documentation, assessment and tracking of reported issues related to GxP computerized systems. These
controls should include related topics as identified in Section 3.2.1.
Description of activities, documentation and controls:

Ensure that procedural controls such as incident management and CAPA are implemented to
manage all incidents related to GxP computerized systems.

Microsoft Cloud service provider


Microsoft is responsible for ensuring that appropriate tools or controls are established to govern the
documentation, assessment and tracking of reported issues related to the Azure platform on which GxP
computerized systems are deployed.
Microsoft meets these requirements through the following controls:

Incident Management (see Section 2.7.8)

Service Level Agreements (see Section 2.7.9)

14 - Electronic Signature
Electronic records may be signed electronically. Electronic signatures are expected to:
a. have the same impact as hand-written signatures within the boundaries of the company,
b. be permanently linked to their respective record,
c. include the time and date that they were applied.
Customer Regulated User
The customer is responsible for ensuring through verification that GxP computerized systems installed
within the Azure VMs applying electronic signatures meet this requirement.
Description of activities, documentation and controls:

Ensure that the use and elucidation of Electronic Signatures are defined within a procedural
control;

Ensure procedural controls are established to govern the assignment of Electronic Signatures.

Microsoft Cloud service provider


This regulatory requirement does not apply to Microsoft as this functionality is not provided as a part of
the Azure platform.

15 - Batch release
When a computerised system is used for recording certification and batch release, the system should
allow only Qualified Persons to certify the release of the batches and it should clearly identify and record
the person releasing or certifying the batches. This should be performed using an electronic signature.
Customer Regulated User
The customer is responsible for ensuring that GxP computerized systems to be implemented within the
Azure platform have been assessed to this requirement.
Description of activities, documentation and controls:

The defined Computer System Validation process should ensure that this requirement is assessed
and appropriate supporting documentation must be produced;

Ensure that controls have been defined and implemented to govern the use of electronic
signatures.

Microsoft Cloud service provider


This requirement does not apply to Microsoft. Microsoft does not have direct control over GxP activities,
as these would be implemented within GxP computerized systems that are installed and managed by the
customer on the Azure platform.
Microsoft does not provide electronic signature functionality as part of the Azure platform.

16 - Business Continuity
For the availability of computerised systems supporting critical processes, provisions should be made to
ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or
alternative system). The time required to bring the alternative arrangements into use should be based
on risk and appropriate for a particular system and the business process it supports. These arrangements
should be adequately documented and tested.
Customer Regulated User
The customer is responsible for ensuring that mechanisms for Disaster Recovery and Business Continuity
are established and tested, should any issue arise with either the GxP computerized system or with the
Azure platform.
Description of activities, documentation and controls:

Establish a comprehensive disaster recovery and business continuity plan and test it regularly. This
plan should include provisions in the case that the Azure platform becomes unavailable. The plan
should also integrate risk and impact assessment mechanisms;

Ensure that backup infrastructure and policies are established and have been tested for GxP
computerized systems installed on the Azure platform;

Ensure the data repatriation plans are established and tested.

Microsoft Cloud service provider


Microsoft is responsible for implementing adequate controls to ensure the Azure platform remains
available in the event of disaster. Backup and retention policies/procedures are defined and maintained in
accordance to regulatory, statutory, contractual or business requirements. These controls help to satisfy
the above regulatory requirement, such that Microsoft backs up Azure infrastructure data regularly and
validates restoration of data periodically for disaster recovery purposes.
Microsoft meets these requirements through the following controls:

System Monitoring and Maintenance (see Section 2.7.4)

Data Backup, Recovery and Retention (see Section 2.7.5)

Service Level Agreements (see Section 2.7.9)

Disaster Recovery (see Section 2.7.13)

17 - Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant
changes are to be made to the system (e.g. computer equipment or programs), then the ability to
retrieve the data should be ensured and tested.
Customer Regulated User
The customer is responsible for establishing controls to implement appropriate archiving mechanisms.
Archived data should be regularly verified to ensure its accessibility, readability and integrity.
Description of activities, documentation and controls:

Ensure that appropriate security controls are established;

Ensure that backup infrastructure and policies are established and have been tested for GxP
computerized systems installed on the Azure platform;

Ensure that record retention policies have been defined;

Ensure that mechanisms for Disaster Recovery and Business Continuity are established and tested,
should any issue arise with the Azure platform;

Ensure that data repatriation plans are established and tested;

Ensure that audit trails have been properly defined and verified.

Microsoft Cloud service provider


Microsoft is not responsible for archiving data contained within the GxP computerized systems hosted on
the Azure platform. However, Microsoft is responsible for implementing adequate controls to secure the
Azure platform and provide appropriate system monitoring. By protecting and monitoring the Azure
platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized
systems are protected and are continually available.
Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.7.1)

Physical Security (see Section 2.7.2)

Logical Security (see Section 2.7.3)

System Monitoring and Maintenance (see Section 2.7.4)

Data Backup, Recovery and Retention (see Section 2.7.5)

Service Level Agreements (see Section 2.7.9)

Conclusion

In summary, when considering the use of a public, off-premise, third-party managed cloud service to
host GxP computerized systems, it is important to assess the adequacy of the cloud service provider's
controls which ensure confidentiality, integrity and availability of data stored on the hosted platform.
Defining roles and responsibilities shared between the regulated user and the cloud service provider is
essential.
As outlined within this guidance document, Microsoft has implemented procedural and technical
controls which are relevant to regulatory requirements stipulated within US FDA 21 CFR Part 11 and
EudraLex Volume 4 Annex 11. These controls have been independently audited and could serve to
demonstrate that the Azure platform is maintained in a state of control that is in accordance with the
applicable regulatory requirements. The assessment has shown that the audited controls are similar to
those required to satisfy the applicable regulatory requirements, therefore the customer may leverage
these audits as part of the risk analysis and qualification effort of their GxP computerized system
installed on the Azure platform.
The following diagram summarizes the primary steps which may be performed by Microsoft's regulated
customers as part of their overall qualification strategy.

1. Perform high level risk assessment to identify specific risks associated with hosting the GxP
application in a cloud environment and mitigation strategies

2. Identify which regulations apply based on the intended use and the controls needed to achieve
compliance

3. Map individual controls to regulatory requirements in order to demonstrate compliance and identify
responsibilities shared between Microsoft and the internal system owners (IT)

4. Configure the Azure environment so that it meets the requirements

5. Develop a qualification plan, perform verification activities and develop or adapt procedures to
maintain control and compliance of the qualified environment

Of equal importance are the activities and controls which must be implemented by the customer to
ensure that GxP computerized systems are maintained in a secured and qualified state. A summary of
these activities was provided in Section 3.2.1. The customer should identify the specific activities within
a qualification plan for each GxP computerized system installed on the Azure platform. In order to
qualify the system and maintain it in a qualified state, Montrium recommends implementing
procedures/policies which cover the topics as outlined in Appendix A.

Appendices
Appendix A. Recommended Procedures / Policies
Appendix B. Supplementary Information

Appendix A - Recommended Procedures / Policies


The following topics should be covered within the customer's internal procedures or policies to manage
the qualified state of the GxP system.

Procedure / Policy Topic: Purpose

Computer Systems Validation: Define the management of the validation of computer systems and so
must describe the activities, deliverables and individuals required to achieve and maintain computer
systems in a validated state and in compliance with applicable GxP regulations.

Physical Security: Describe the company's application of security measures to facilities (buildings,
server rooms, laboratory and other controlled physical environments), in order to protect data and users.

Logical Security: Describe the company's application of security measures to all information
technology systems in order to protect data and users.

System Monitoring: Describe the tools used to monitor the systems to ensure consistent availability
and performance.

Records Retention and Archiving: Ensure that all the company's records are managed in conformance
with applicable regulations and requirements. This should include the identification, classification and
retrieval, storage and protection, receipt and transmission, retention, and disposal or archival
preservation of records.

System Administration and Maintenance: Provide the company's personnel direction on the technical
management and engineering practices to be used in planning, acquisition, operation, maintenance, and
termination of information technology systems.

User Access Management: Describe the management of computing accounts that facilitate access or
changes to the company's data. An account, at a minimum, consists of a username and password;
supplying account information will usually grant access to the company's resources. User access
management also establishes clear standards for issuing accounts, creating password values, and
managing accounts.

Backup and Restoration: Provide for the continuity, restoration and recovery of critical documents, all
electronic records and systems in the event of an equipment failure, intentional destruction of data or
disaster.

Training Management: Define an internal training program and ensure that personnel have the
competencies required to access and work within the application contained within the controlled cloud
platform. Additional training needs may need to be defined for each controlled application within the
cloud platform.

Documentation Management: Establish the framework under which official records and documents are
created and managed. The intent is to ensure that the company's business areas have the appropriate
governance and supporting structure and resources established to enable them to manage their records
and documents in a manner that is planned, controlled, monitored, recorded and audited, using
authorized systems.

Incident and Problem Management (Helpdesk): Define a formal Helpdesk Process to ensure that issues
are raised, recorded and resolved in a formal and controlled manner.

Change / Configuration Management: Define a formal process for change management that will ensure
that system changes are implemented in a controlled fashion. This procedure must also establish the
framework for proposing, reviewing, and approving changes to a system. The purpose for addressing
Configuration Management is to ensure that all updates to baseline items are controlled and traceable.

Vendor Management: Define a formal process to ensure that vendors are identified, assessed, selected
and managed in a formal and controlled manner.

Disaster Recovery and Business Continuity: Assist in the recovery of the company's information
technology infrastructure and ensure the continued operation of identified business critical systems in
the event of a serious disruption.

Appendix B - Supplementary Information


Document Title
Introducing Geo-replication for Windows Azure Storage
Windows Azure Security Overview
Validation Guidance for FDA Regulated Companies
Microsoft Server Tools Business Information Security Policy
Summary Scope of Attestation SAS No. 70 Type II
Windows Azure ISO 27001 Controls
Cloud Security Alliance, Security Guidance for Critical Areas of Focus on Cloud Computing, V3.0
Cloud Security Alliance Cloud Controls Matrix (CCM)
Introducing Azure
