
9 Must-Have IT SOPs When Implementing a Regulated Electronic System

1. System Maintenance SOP
The system maintenance SOP should describe the controls you have in place to
ensure that appropriate maintenance on your system is carried out in a controlled
way and on a regular basis. Typically you should include a maintenance
schedule, with links to your Change Control SOP. Your System Maintenance SOP
should describe the system monitoring procedures you have in place, as well
as a clear definition of your process for decommissioning systems. Make sure you
outline your approach to ensuring the integrity of any data contained within the
systems.

2. Physical Security SOP


Physical security focuses on the controls you have in place to secure access to your
premises. These controls could include the management of key cards and access
codes, the management of your building alarm system, intrusion control, etc.
Physical security should also reference the environmental controls in place to
protect your data installations, such as fire detection and suppression, temperature
and humidity controls, and so on.

3. Logical Security SOP


Logical security is a key area of focus for 21 CFR Part 11 environments. This SOP
should detail how access to the systems is managed, and include links to any
policies that relate to passwords, such as password format or ageing, and to technical
controls that improve security, such as password-protected screen savers. Other
logical security mechanisms that allow you to ensure data traceability and custody
should also be described in the Logical Security SOP. Finally, systems such as VPNs,
firewalls and virus protection applications should also be managed through this
procedure.

4. Incident and Problem Management SOP


This SOP should provide you with a process for managing any incidents or
problems that are experienced with regulated computerized systems. Typically you
will need to describe how incidents or problems are recorded, analyzed and
resolved. If you are using a bug management system, it would be governed by this
SOP. You should also look at covering the communication mechanisms that need to
be in place.

5. System Change Control SOP


This is one of the most important activities when managing regulated systems and
also one of the areas that can present the most problems. The system change
control procedure should be used when changing any component of a
computerized system. The change control procedure will typically use a form to
document the change. This form is also an important
communication tool. The process should first require that the change rationale and
steps be documented. An impact assessment must then be done to determine
what else in the system could be affected. Any revalidation should also be
documented, including any test scripts to be executed and evidence to be produced. It's
important to define a rollback path. Finally, the review and approval process, both
pre- and post-execution, should be clearly defined.

6. Configuration Management SOP


Configuration management should govern how the configuration of regulated systems
is managed and documented. This SOP is often used in conjunction with
change control. Configuration changes typically require verification rather than
revalidation. The configuration management procedure should discuss how
configuration should be documented and how that documentation should be versioned
and maintained. It is also important to define a standard process for review and
approval of configuration changes.

7. Disaster Recovery SOP


Ensuring that data is properly protected and that we are able to recover from a
disaster in a timely and controlled manner is imperative when dealing with
regulated content and systems. The Disaster Recovery SOP should clearly define
what is considered a disaster and provide an overview of what should be contained
within the disaster recovery plan. The plan will typically be a separate document
and describe the different systems that fall under the plan, how to bring systems
up, communication procedures, escalation and prioritization of recovery, supplier
and customer contact information and the disaster recovery team composition.
This SOP should also have provisions for periodic testing of the disaster recovery
plan and how this should be documented.

8. Electronic Signature Policy SOP


21 CFR Part 11 electronic signatures require that individuals sign a non-repudiation
form attesting to the fact that their electronic signature is the legally binding
equivalent of their handwritten signature. This means that they will need to be
trained on what an electronic signature is and when it can be applied. This is
typically defined in the electronic signature policy. The policy will also govern the
non-repudiation form and the process of provisioning electronic signatures.

9. Backup and Restoration SOP


The final SOP, and possibly the most important one, is Backup and Restoration. The
procedure should outline the scheme and methods that you use to properly
protect your data and systems. You should look to define how backup jobs are
created, maintained and verified. A restoration request process should also be defined
and tested periodically to ensure that you can still restore your data.
Finally, long-term archiving of data should also be addressed in this SOP.
