SQF 2.3.3 - is there a requirement for information technology professionals as contract service providers?

Hello all,

We are getting ready for our first SQF audit, and there was some question about whether we really needed to include information technology professionals among our contract service providers for SQF 2.3.3.  I had originally included them, and there are now questions about whether this is necessary--the reason being it was difficult to see how these companies could influence food safety.

My stance is that I included them because their actions ensure integrity of electronic data, including electronic records, formulas, specifications, etc. and whether those are trustworthy and reliable.  Computer systems, including hardware and software controls & associated documentation maintained for electronic records, etc. are subject to FDA inspection.  However, mostly this requirement is for SQF, where they don’t necessarily make such a sharp distinction between those controls that are for product quality and those that are for food safety.  Though not explicitly listed in SQF Module 2 general guidance, contracted service in the form of information technology could indirectly affect product quality or food safety, and even though they might not geographically come onsite, they should be included.

Please let me know your thoughts.  We manufacture dietary supplements in the United States and are under regulations in the form of 21 CFR Parts 111, 117, 121, and 1 Subpart L.

Thank you,

Matthew

Yes. Put them in.

Hi, 

is there any minimum requirement for the approval of IT company. what, from food safety perspective would you include in the contract? 

the obvious ones would be the regular back - ups (BRC requirement - i think daily), any other points worth including? 

Hello !

I would put them in. Don't forget to put your CB as well. Our auditor told us one year that since they had a contract with us they should be put into our Register. 

From what I understand, anyone that has a contract with your company that has an impact or could have an impact (Security company, Outside maintenance, etc.) should be in your list.

Have a good one ! :)

Hello !

 

I would put them in. Don't forget to put your CB as well. Our auditor told us one year that since they had a contract with us they should be put into our Register. 

 

From what I understand, anyone that has a contract with your company that has an impact or could have an impact (Security company, Outside maintenance, etc.) should be in your list.

 

Have a good one ! :)

how would you risk assess the IT company? 

Hello !

I would do the same than other companies. Depending what you have on your network. In our case, we have pretty much everything (we are about 90% paperless). So our risk is pretty high. However, with all the back-ups and security, the probability would be low.

Hope it helps !

From someone who has lost a crap ton of info over the years.   (i was assured of backup, retrieval, etc).   its probably more important than most think.