ISPE GAMP® Good Practice Guide: IT infrastructure control and compliance guide:
The first edition was published in 2005, the IT infrastructure used on these days is far from the current one. IT infrastructure has increased its power and it has appeared new systems that are vastly used by IT departments.
In this second version the scope of the qualification is extended to new systems and services like virtualization technologies, Cloud Services (SaaX) and third parties contractors like datacenters.
The infrastructure qualification is mainly based in the compliance of below topics:
|Requirements||What to demonstrate|
|IT systems like virtualization, servers, storage, network||According specifications.|
|People||Assigned roles and responsibilities.
|Processes and procedures||Effectiveness.|
Infrastructure qualification must be performed in phases, considering bellows:
- Residual risks
Once the system is qualified, next change controls may lose qualification status. To maintain the qualification status, it is important to have processes and procedures like change control and configuration management, incident and problem management, etc. These processes and procedures help people to understand and to keep the qualification status, otherwise any effort performed to qualify the IT infrastructure is a photo of the infrastructure. These process and procedures should have under an IT quality management system (QMS).
IT internal company departments must operate under their QMS, in a simple way they are IT providers as well as the Cloud providers. In this way the infrastructure qualification must be performed in both cases without exceptions.
The guide also specify that it is intended to be used with ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems and other ISPE GAMP® guidance documents.