LSOPS03-BP01 Perform supplier and vendor assessment of each vendor
Establish criteria for the selection and evaluation of suppliers, and create a plan for the monitoring and re-evaluation of those suppliers. Assess vendor controls while considering the intended use of the services and possible risks involved to the system.
Desired outcome: Vendors are established as approved IT suppliers of purchased services.
Common anti-patterns:
- Treating AWS as a SaaS provider whose solutions usually directly support GxP processes, and therefore incorrectly assessing the risk of using AWS services to support GxP workloads.
- Asking questions in the supplier questionnaire that are irrelevant considering the services to be used.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Use as much supplier documentation as possible to expedite a supplier assessment of AWS.
Implementation steps
- Perform a general market assessment to establish AWS's position in the market and its financial stability.
- Collect documentary evidence of the suitability of the AWS control framework for supporting GxP workloads. Establish an AWS account and download the required third-party assessment reports and certifications from AWS Artifact.
- If there are perceived gaps in the information obtained, contact your account team to complete a supplier assessment questionnaire.
- With the downloaded documentary evidence and questionnaire, perform an analysis and generate an assessment summary with your conclusions. Retain this in case of inspection.
Resources
Related tools: