Determine Risk Level Of Regulated IT Systems
  • Topics
  • Industries
  • Partners





How To Determine The Risk Level Of A Regulated IT System

In the previous post in this series, I discussed the process you can use to determine whether a particular IT system is regulated. That post described the first part of a four-part approach to assessing and mitigating risk with regulated IT systems. Today’s post will cover the second part – what to do once you know you’re dealing with a regulated system.

Part Two: System Risk Level

Once you’ve determined that a system is regulated, the next step is to determine that system’s risk level (SRL). You will need to divide systems into types, write a standard definition for each type, and assign each type a risk level (e.g., low, medium, high). The definitions should include a rationale for why you believe that system type involves more or less risk.

A system’s SRL is only assessed once, and it determines the degree of rigor needed to ensure that the system is implemented in a validated (i.e., proven to be trustworthy) state. The SRL is assigned to the system forever and is considered in the calculation each time a change is proposed to that system.

Up next? Part three: how to assess the risk of a proposed change to a regulated system. While you’re waiting for that post, check out The Ultimate Guide to 21 CFR Part 11.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up