Level 3 Checklist

Level three organizations are where the compliance volume is cranked up to 11. The best way to summarize a level three organization is that every action needed to achieve something takes no fewer than three people. Here are some examples:

  • To create or update any controlled document, you need an Author, a Reviewer and an Approver (GDP).
  • To make any change to a software system, you need a Product owner, an Engineer, and QC (SDLC/CSV).
  • To update any "medium/high" risk change on any "high" risk IT system, you need a unique person to Initiate/Author, Review, Approve, Implement, and Verify the CR.

In addition to the separation of responsibilities, you must also follow the principle of least privilege throughout all of your EASs and provide evidence that your procedures were executed as indicated in the SOPs. We won't create a checklist here, as level three organizations will typically have their own industry-specific checklist to go through, which will be covered in future [blog](/blog/) posts.