As we’ve learned in the previous posts in this series, having a thoughtful, thorough cloud vendor qualification process and intelligent SLAs in your cloud vendor contracts will help you maximize the value of the cloud while maintaining regulatory compliance. In addition, here are some tips and best practices to help you knock it out of the park.
Cloud Vendor Qualification Tools
When qualifying cloud vendors, there are several tools you can use including audits, questionnaires, investigating publicly available information, and checking references. Because audits are time-consuming and expensive, you might want to reserve them for systems you deem “critical.” For less-critical systems, reviewing a completed questionnaire might be sufficient.
To conserve resources, you will want to use a risk-based approach when selecting qualification tools. Consider defining system criticality tiers somewhere in your SOPs, and then creating a kind of matrix that aligns the types of qualification tools with each tier of criticality.
As a point of clarification, the topics you cover in your qualification process will be the same across all cloud vendors/systems. What will differ is the set of tools you use to learn about those topics.
Additional SOPs
Your cloud vendor qualification SOP will help you select an appropriate system for regulated purposes, but is not the only SOP you need for a service in the cloud. As with any regulated software or hardware, you still need documented procedures that address business use and quality assurance (QA), especially computer system validation (CSV) and change control.
As a general guide, the cloud vendor will own the technical procedures (which you will qualify during cloud vendor selection and enforce in your SLAs), and you will own the application procedures, with quality assurance procedures overlapping.
Okay, almost there! Just one last post in this series. If you haven’t already, feel free to download the guide on this topic by filling out the form below. See you soon!