CSV and ISO 27001
CSV (Computer System Validation) is often thought of as software validation. Large enterprises now run validation projects to prove that their software or system performs the way it is supposed to, and does not behave in ways it is not intended to. A computer system includes all the complementary equipment that supports the system, as well as its users as a whole.
An ISO 27001 Information Security Management System (ISMS) describes the organisation's approach to information security and privacy for the system. It helps identify and address the threats and opportunities around our valuable information and any related assets. ISO 27001 guidelines protect our organisation from security breaches and limit the disruption if and when they do happen.
Information security is one of the concerns of the modern organisation. The volume and value of data used in everyday business increasingly informs how organisations operate and how successful they are. In order to protect this information – and to be seen to be protecting it – more and more companies are becoming ISO 27001 certified.
To ensure pharmaceutical IT compliance, we have to implement an ISO 27001 Information Security Management System alongside CSV aligned with 21 CFR Part 11.
The last few years have seen corporate governance requirements become increasingly defined and specific. Information technology has become more pervasive – underpinning and supporting almost every aspect of the organisation.
The ISO 27000 family of standards offers a set of specifications, codes of conduct and best practice guidelines for organisations to ensure strong IT service management.
To implement this system, we have to complete a gap assessment against the ISO 27001:2013, CSV, GAMP 5.0 and 21 CFR Part 11 requirements, and create a Statement of Applicability (SOA) based on the gap assessment report.
After the gap assessment we have to create the ISO 27001 manual, mandatory procedures, work instructions, formats, etc. required for implementation of the ISMS. We have to align CSV (Computer System Validation), GAMP 5.0 and the 21 CFR Part 11 guideline with the ISO 27001 standard.
Risk analysis of the ISO 27001 ISMS with department heads, including Production, HR, QC, IT, QA, Engineering, Stores, etc., is required for the system to mature.
Achieving ISO 27001 certification is valuable and visible proof of our plant's and our organisation's willingness to meet internationally accepted data security standards. Achieving this international standard is not simply branding and marketing: the ability to prove that our organisation complies with ISO 27001 is likely to open business opportunities across the globe.
How ISO 27001 is useful for Access Control
Access Control Policy
In any organisation an access control policy must be established, documented and regularly reviewed, so that information security is in place for the assets in scope.
A company's access control rules, rights and restrictions, along with the depth of the controls, should reflect the information security risks around the information and the enterprise's appetite for managing them.
Access to Networks and Network Services
The least-access principle is the general approach to protection, rather than unlimited access and superuser rights granted without careful consideration.
The company should decide who gets access to the network. Only those employees whose job requires it should be given access to the network and network services. The policy therefore needs to address the networks and network services in scope for access, and the authorisation procedures that show who is allowed to access what, and when.
User Registration and Deregistration
A company keen to implement ISO 27001 needs a formal user registration and deregistration process.
A good onboarding and exit process, aligned with human resource security, shows quick and clear registration and deregistration, and avoids reissuing old IDs.
A regular review of IDs will illustrate good control.
User Access Provisioning
Any company that aspires to ISO 27001, or simply to a good information security system, must implement a process to assign or revoke access rights for all user types to all systems and services. It should be aligned with HR security work.
There should be a verification process that confirms the access granted is relevant to the role being performed, and that protects against provisioning being done before authorisation is complete.
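As an added illustration (not code from the original article), the following Python models the registration, deregistration and provisioning controls described in the two sections above as a joiner/mover/leaver workflow: IDs are unique and never reissued, nothing is provisioned until authorisation is complete, rights are derived from the role actually being performed and replaced (not accumulated) on a role change, leavers lose every right at once, and a periodic review flags IDs with no current HR record or no recent review. The role names, entitlements and dates are constructed for the example.

```python
"""Joiner/mover/leaver model for user registration, deregistration and
access provisioning. Added illustration; roles and entitlements are assumed."""
from dataclasses import dataclass
from datetime import date

# Constructed role-to-entitlement mapping (assumption; in a real ISMS this
# lives in the access control policy and the role catalogue).
ROLE_ENTITLEMENTS = {
    "qc-analyst": {"lims:read", "lims:write"},
    "qa-reviewer": {"lims:read", "lims:approve", "docs:read"},
    "it-admin": {"ad:admin", "lims:admin"},
}


@dataclass
class User:
    user_id: str
    name: str
    role: str
    entitlements: set
    last_reviewed: date
    active: bool = True


class IdentityRegistry:
    def __init__(self):
        self._users = {}
        self._next_id = 1  # monotonically increasing, so retired IDs are never reissued

    def _new_id(self):
        uid = f"u{self._next_id:05d}"
        self._next_id += 1
        return uid

    def register(self, name, role, hr_authorised, approver, today):
        """Joiner: provisioning is refused until HR has authorised the hire
        and a named approver has signed off on the role."""
        if not hr_authorised or not approver:
            raise PermissionError("registration not authorised")
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        user = User(self._new_id(), name, role, set(ROLE_ENTITLEMENTS[role]), today)
        self._users[user.user_id] = user
        return user

    def change_role(self, user_id, new_role, approver, today):
        """Mover: rights are replaced, not accumulated, so old-role rights do not linger."""
        if not approver:
            raise PermissionError("role change not authorised")
        user = self._users[user_id]
        user.role = new_role
        user.entitlements = set(ROLE_ENTITLEMENTS[new_role])
        user.last_reviewed = today

    def deregister(self, user_id):
        """Leaver: every entitlement is revoked; the ID is disabled but retained."""
        user = self._users[user_id]
        user.entitlements.clear()
        user.active = False

    def get(self, user_id):
        return self._users[user_id]

    def entitlements_for(self, user_id):
        user = self._users.get(user_id)
        return set(user.entitlements) if user and user.active else set()

    def role_drift(self):
        """Verification step: active IDs whose granted rights differ from their role."""
        return sorted(uid for uid, u in self._users.items()
                      if u.active and u.entitlements != ROLE_ENTITLEMENTS[u.role])

    def review(self, hr_active_ids, today, max_age_days=90):
        """Periodic ID review: active accounts with no current HR record
        (orphans) and accounts not reviewed within max_age_days (overdue)."""
        orphans, overdue = [], []
        for uid, u in self._users.items():
            if not u.active:
                continue
            if uid not in hr_active_ids:
                orphans.append(uid)
            if (today - u.last_reviewed).days > max_age_days:
                overdue.append(uid)
        return {"orphans": sorted(orphans), "overdue": sorted(overdue)}
```

The `review` method is the part auditors usually ask about: it takes the set of IDs HR still considers employed (an assumed input here) and returns the orphan and overdue accounts, which is the evidence a regular ID review is meant to produce.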
Management of Privileged Access Rights
Privileged access rights are more powerful, higher 'privileged' levels of access, e.g. system administration permissions versus normal user rights.
The system for allocating and using privileged access rights should be tightly controlled, given the extra rights usually conveyed over information assets and the systems controlling them.
Information Access Restriction
When implementing an information security system in any company, the focus area should be access to information and application system functions, which must be tied into the access control policy.
The considerations when putting information access restrictions in place are:
- Levels of access;
- Role-based access control (RBAC);
- Read, write, delete and execute permissions;
- Limiting output of information;
- Design of “menu” systems within applications;
- Physical and/or logical access controls to sensitive applications, data and systems.
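The Python below is an added example (not the article's or any standard's code) that puts the considerations in the list above into one enforcement point, and also covers the earlier point about privileged access rights being tightly controlled: access levels (data classification), role-based access control, read/write/delete/execute permissions, output limiting through field redaction, and an audit record of every allow and deny decision, with delete rights confined to a privileged role. The roles, levels, field rules and the sample record are all constructed for the illustration.

```python
"""Role-based access control with classification levels, RWXD permissions,
output limiting and an audit trail. Added example; roles and data are assumed."""
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed role definitions: allowed actions per resource plus the highest
# classification level the role may touch. Only "sysadmin" (the privileged
# role) holds delete rights, mirroring the tightly controlled privileged access.
ROLES = {
    "operator": {"clearance": Level.INTERNAL,
                 "perms": {"batch": {"read", "execute"}}},
    "qa": {"clearance": Level.CONFIDENTIAL,
           "perms": {"batch": {"read", "write"}, "deviation": {"read", "write"}}},
    "sysadmin": {"clearance": Level.RESTRICTED,
                 "perms": {"batch": {"read", "write", "delete"},
                           "deviation": {"read", "write", "delete"},
                           "audit": {"read"}}},
}

# Output limiting: a field is returned only to roles cleared to at least this level.
FIELD_MIN_LEVEL = {
    "operator_name": Level.INTERNAL,
    "formulation": Level.CONFIDENTIAL,
    "cost": Level.RESTRICTED,
}

# Constructed sample record; "level" is the classification of the record itself.
SAMPLE_BATCH = {
    "id": "B-1001",
    "level": Level.CONFIDENTIAL,
    "product": "Tablet X",
    "operator_name": "J. Doe",
    "formulation": "API 10 mg, lactose, magnesium stearate",
    "cost": 1234,
}

AUDIT_LOG = []  # (user, role, resource, action, record id, decision)


def check_access(role, resource, action, record_level):
    """Deny by default: unknown role, unknown resource, missing permission or
    insufficient clearance all return False."""
    spec = ROLES.get(role)
    if spec is None:
        return False
    if action not in spec["perms"].get(resource, set()):
        return False
    return spec["clearance"] >= record_level


def redact(record, role):
    """Limit the output of information to the fields the role's clearance allows."""
    clearance = ROLES[role]["clearance"]
    return {k: v for k, v in record.items()
            if FIELD_MIN_LEVEL.get(k, Level.PUBLIC) <= clearance}


def access(user, role, resource, action, record):
    """Single enforcement point: evaluates the rule, writes the audit record,
    and returns the (redacted) record on allow or None on deny."""
    allowed = check_access(role, resource, action, record["level"])
    AUDIT_LOG.append((user, role, resource, action, record["id"],
                      "ALLOW" if allowed else "DENY"))
    if not allowed:
        return None
    return redact(record, role) if action == "read" else record
```

Keeping the decision, the redaction and the audit write in one function is the point: application menus and screens call `access` rather than embedding their own checks, so the policy is applied the same way everywhere and the log shows both granted and refused privileged actions.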
Secure Log-on Procedures
The log-on procedure must be foolproof. In any organisation, access to systems and applications must be controlled by a secure log-on procedure that proves the identity of the user.
We typically use a password approach, but this can go beyond passwords into multi-factor authentication, biometrics, smart cards and other cryptographic means. We have to carry out risk management, and whenever we do so we should consider the log-on procedure in depth. See the ISO 27002 guideline for this procedure.
Password Management System
A password management system is a good way to reduce the risk. The purpose of a password management system is to ensure that passwords meet the required quality level and that the rules are consistently applied.
Password generation and management systems provide a better path for centralising the provisioning of access, and they serve to reduce the risk of people using the same login for everything.
As with any other control approach, password generation and management systems need to be carefully implemented with adequate levels of protection.
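The core of such a system, as an added example that is not from the original article: a central store that applies the same quality rules to every account (minimum length, character classes, a denylist of common passwords, no user ID inside the password), keeps only salted scrypt hashes, and refuses reuse of the last few passwords by checking the new candidate against the stored history. The rule values, the denylist and the scrypt parameters are constructed assumptions for the illustration.

```python
"""Password management system core: quality rules, salted hashing and a
reuse-history check. Added example; rule values and denylist are assumed."""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed policy value
HISTORY_DEPTH = 5        # assumed: last N passwords cannot be reused
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed cost parameters
# Constructed denylist; a real system loads a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "welcome1", "qwerty123456"}


def check_quality(user_id, password):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password denylist")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def hash_password(password, salt=None):
    """Salted scrypt hash; the per-password salt is stored next to the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class PasswordStore:
    """Central store: one current credential per user plus recent history."""

    def __init__(self):
        self._current = {}
        self._history = {}

    def set_password(self, user_id, password):
        """Apply the quality rules and the reuse check; returns the list of
        problems (empty on success), so callers can show all of them at once."""
        problems = check_quality(user_id, password)
        for salt, digest in self._history.get(user_id, []):
            if verify_password(password, salt, digest):
                problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        salt, digest = hash_password(password)
        self._current[user_id] = (salt, digest)
        history = self._history.setdefault(user_id, [])
        history.append((salt, digest))
        del history[:-HISTORY_DEPTH]  # keep only the most recent entries
        return []

    def authenticate(self, user_id, password):
        cred = self._current.get(user_id)
        if cred is None:
            return False
        return verify_password(password, *cred)
```

Because the history holds hashes rather than plaintext, the reuse check has to rehash the candidate against each stored salt; with HISTORY_DEPTH kept small that cost is acceptable and the store never learns an old password.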