ISPE：数据完整性风险评估指南（数据完整性成熟度分级）

Level 1
一级

Level 2
二级

Level 3
三级

Level 4
四级

Level 5
五级

Cluture
文化

•  DI Understanding and awareness
•  对数据完整性的理解和认识

Awareness of the importance of data integrity, and understanding of dataintegrity principles 
对数据完整性的重要性的认识，以及对数据完整性原则的理解

Low awareness, limited to SMEs and specialists 
认识不足，仅来自于SMEs和专家

General awareness of the topic, but not fully reflected in workingpractices 
对主题有一定的认识，但没有充分反映在工作中

Principles reflected in working practices, but not consistently applied
数据完整性原则反映在工作中，但是不能持续的应用

Data integrity principles fully incorporated and applied in establishedprocesses and practices 
数据完整性原则充分纳入和应用于既定的过程和实践中

Formal ongoing awareness programme, proactively keeping abreast ofindustry developments
制定正式的持续改进计划，积极跟进行业发展

•  Corporate culture and workingenvironment 
•  企业文化与工作环境

A culture of willing and open reporting for errors, omissions andabnormal results, and willing collaboration to achieve data integrityobjectives
一种愿意和公开报告错误、遗漏和异常结果的文化，并愿意协作以实现数据完整性目标

Unwillingness or no motivation to report errors and abnormal results. 
不愿意或没有动机报告错误和异常结果

DI problems may be reported but mitigation is either inadequate orignored 
可能会报告数据完整性问题，但采取措施要么不够充分，要么被忽略

Policies and procedures encourage openness, but not implemented in allcases. Mitigation generally limited to the specific instance 
政策和程序鼓励暴露问题，但不适用于所有情形。采取措施通常局限于个别事例

Full openness and collaboration achieved through such behaviour beingmotivated by management behaviour. Mitigation considers wider implication 
通过管理行为激励实现了充分的公开和协作。采取的措施考虑了更广泛的影响

Anticipating potential future DI weaknesses and applying appropriatecontrols 
预测未来潜在的数据完整性弱点并应用合适的控制

•  Quality Culture 
•  质量文化

An environment in which employees habitually follow quality standards,take taking quality-focused actions, and consistently see others doing so. 
员工按照习惯遵循质量标准，采取以质量为中心的行动，并且看到周围人也这么做的环境

Low awareness and application of quality principles and standards. Aculture of not reporting what management 

would rather not hear 
对质量原则和标准的认识和应用不足。管理层不愿听到的就不报告的文化

Ad-hoc quality. Activities performed, but relying on individual efforts 
仅限于某种目的设置的质量。仅依赖于个别努力开展活动。

General application of some quality principles, but not fully ingrainedor consistent.
普遍应用一些质量原则，但不完全彻底和一致

Quality considerations incorporated in normal working practice 
质量因素纳入日常工作实践

Quality and continuous improvement incorporated in normal workingpractice 
质量和持续改进纳入日常工作实践

Governance and Organization 
治理与组织

•  Leadership 
•  领导力

Objectives defined and communicated by executive management. 
目标界定和行政管理沟通

Leadership silent or inconsistent on the need for data integrity. Otherbusiness priorities typically override. 
领导对数据完整性的需求保持沉默或不一致。其他业务优先级通常高于数据完整性

Leadership state need for DI, but do not lead by example. 
领导强调需要数据完整性，但不以身作则

Objectives defined in policies and high level statements, but not alwaysfully reflected in management priorities. 
政策和高层声明中定义了数据完整性的目标，但并不总是充分反映在管理优先事项中

Management actions and priorities fully reflect stated objectives 
管理行为和优先级充分反映所规定的数据完整性目标

DI aspects routinely addressed and improved as part of management review
数据完整性的常规处理和改进作为管理评审的一部分

•  Sponsorship 
•  资源支持

Executive management providing appropriate resources and support. 
行政管理提供合适的资源支持

Appropriate resources only made available in emergencies (e.g. criticalcitation). 
仅在紧急情况下提供资源（如关键引证）

Appropriate resources available in principle, but often not be availablein practice due to other pressures. 
大体上有适当的资源,但由于其他方面的压力，通常在实践中不可用

Appropriate resources available, but may be diverted or diluted due toother pressures. 
适当的可用资源,但由于其他压力，可能被转移或打折扣

Required and planned resources are available and safeguarded due toongoing commitment to data integrity 
由于持续致力于数据完整性，所需和计划的资源得到保障。

Management looking ahead to identify future resource needs, based onexperience 
管理层展望未来，根据经验确定未来的资源需求

•  Structure
•  组织架构

Appropriate roles and reporting structures. 
适当的角色和报告结构

No consideration of specific data governance in roles andresponsibilities. 
不在角色和职责制定中考虑数据管理

Data governance roles only recently established, or in flux. 
最近才建立数据管理角色，或一直在变化

Data governance roles established, but not always effective. 
建立数据管理角色，但是不是一直有效

Data Governance roles are well integrated into the management structuresand systems 
数据管理的角色很好地融入管理架构和体系

Management reviewing and adapting organizational structures based onexperience 
基于经验的管理评审与组织结构调整

•  Stakeholder Engagement 
•  相关人员参与

Engagement of business Process Owners, Quality Assurance, and keysupporting technical groups (e.g. IT)
业务流程所有者、QA部门和关键技术支持部门(例如：IT) 的参与

Data integrity and governance seen as either an IT issue or a QualityIssue. No real Process Owner involvement 
数据完整性和治理视为IT问题或质量问题。没有真正的流程所有者参与

Ad-hoc involvement of Process Owners, and Quality Assurance. High persondependence. 
流程所有者和QA
“仅仅这次”参与。高度依赖于个人

Process Owners, and Quality Assurance typically involved, but notconsistently
流程所有者和QA通常参与，但不是一贯的

Process Owners, Quality Assurance, and IT work together through the dataand system life cycles 
过程所有者、QA和IT在数据和系统生命周期中一起协作

All stakeholders consistently work together to identify furtherco-operation opportunities, based on experience. 
所有利益相关者不断合作，根据经验确定进一步的合作机会

•  Data Ownership 
•  数据所有权

Clear ownership of data and data-related responsibilities 
明确数据所有权和数据相关的责任

Process, system, and data owners not defined
没有定义流程、系统和数据的所有者

Process, system, and data owners identified in few areas. 
在小范围内定义流程、系统和数据的所有者

Process, system, and data owners typically defined in many, but not allcases, and responsibilities not always clear 
流程、系统和数据所有者在大范围内定义，但不是所有情况，而且职责不总是很清晰

Process, system, and data owners are well defined and documented. 
流程、系统和数据所有者都被很好的定义并且形成文件

Process, system, and data owner responsibilities considered andclarified during management review. 
在管理回顾中对流程、系统和数据所有者的职责进行考虑和阐述

•  Policies and Standards
•  政策和标准

Defined polices and standards on data integrity 
定义关于数据完整性的政策和标准

No established policies and standards for data integrity 
没有建立数据完整性的政策和标准

Ad-hoc policies and standards for data integrity in some cases 
数据完整性的政策和标准仅在在某些情况下可用

Polices and standards exist, but not fully integrated into the QMS andbusiness process. 
有政策和标准，但没有完全纳入质量管理体系和业务流程

Policies and standards fully integrated into the QMS and fully reflectedin business processes and practices
政策和标准完全纳入质量管理体系并且充分反映在业务流程和实践中

Policies and standards regularly reviewed and improved based onexperience 
根据实践定期回顾和改进政策和标准

•  Procedures 
•  规程

Established procedures defining key activities and processes
建立规程描述关键活动和流程

No established procedures for key data integrity related activities 
没有建立管理数据完整想相关活动的规程

Ad-hoc procedures for data integrity in some cases 
针对数据完整性的某些情况制定了有限的规程

Some procedures and standards exist, but not covering all data integrityrelated activities. 
有一些规程，但是没有覆盖所有的数据完整性相关活动

Procedures for all key areas fully integrated into the QMS andreflecting established policies and standards.
将所有关键领域的规程充分纳入质量管理体系并反映既定的政策和标准

Procedures regularly reviewed and improved based on experience 
根据实践定期回顾和改进规程

•  Awareness and Training 
•  认识和培训

Awareness and training on regulatory requirements and organizationalpolices and standards. 
对法规要求、组织政策、标准的认识和培训

No real awareness of regulatory requirements and company policy in thisarea 
在这方面没有真正意识到法规要求和公司政策

Some awareness of regulatory requirements and company policy, inpockets. 
对于法规要求和公司政策，有一些局限的认识

General awareness of well-known regulations, and the existence ofcompany policies 
普遍了解众所周知的法规，以及公司政策的存在

Comprehensive training program ensures an appropriate level of knowledgeof specific regulatory and company requirements 
综合培训计划确保对特定的规章制度和公司要求有适当的了解

Formal training needs analysis, taking into account regulatorydevelopments. Training effectiveness assessment for ongoing improvement 
正式的培训需求分析，考虑法规发展。培训效果评估以持续改善。

Quality Management System 
质量管理体系

Established and effective Quality Management System, focused on patientsafety, product quality and data integrity.
建立有效的质量管理体系,关注患者安全,产品质量和数据的完整性

Few procedures in place focused on patient safety, product quality anddata integrity. 
几乎没有规程关注患者安全,产品质量和数据的完整性

Some procedures and quality control processes, but not consistentlyachieving quality goals. 
有一些规程和质量控制流程，但不能始终如一地实现质量目标

Established Quality Management System, but compliance and data integrityactivities are not fully effective 
建立了质量管理体系，但合规性和数据完整性活动并不完全有效

Established and effective Quality Management System, consistentlyachieving data integrity goals in support of patient safety and productquality 
建立有效的质量管理体系，始终如一地实现数据完整性目标，以保证病人安全和产品质量

QMS subject to regular management review and continuous improvement 
质量体系定期管理回顾和持续改善

Business process definition
业务流程定义

Clear and accurate definitions of regulated business processes, coveringall key GxP areas 
清晰和准确定义需要监管的业务流程，涵盖所有GxP关键领域

Few business processes formally defined and documented 
几乎没有业务流程被正式定义，也没有形成文件

Some business processes formally defined and documented on an ad-hocbasis, either by project or operational groups 
只有一些业务流程被定义并仅在某些情况下被记录

Most business processes defined, but not consistently followingconventions or standards, and not always complete and up-to-date. 
定义了大多数业务流程,但不能一致遵循规定或标准,且并不总是完整实时。

Business processes defined following established conventions andstandards. 
按照既定规定和标准确定业务流程

Business processes defined and supported by appropriate tools, andconsistently maintained. 
业务流程通过适当工具定义和支持，并持续维护

Supplier and service provider management 
供应商和服务提供商管理

Assessment of suppliers and service providers against agreed standards,and setting up and monitoring of contracts and agreements to deliver thosestandards. 
根据商定的标准评估供应商和服务供应商，并建立和监测合同和协议，以交付这些标准

Many suppliers and providers with a potential impact on data integritynot assessed or managed 
许多供应商和供应商对数据完整性的潜在影响没有评估或管理

Some suppliers and providers with a potential impact on data integrityinformally assessed 
少数供应商对数据完整性的潜在影响进行非正式的评估

Established process for supplier management, but not appliedconsistently. Data integrity implications not always fully covered byassessments or agreements 
建立供应商管理流程,但不是一贯地应用。评估或协议并不总是完全覆盖数据完整性的影响

Established process for supplier management, consistently applied, andincluding a data integrity risk review. 
建立供应商管理的流程并一贯地应用，包括数据完整性风险审查

Effectiveness of supplier management subject to regular managementreview based on metrics.
通过定期管理回顾确认供应商管理的有效性

Strategic Planning and Data Integrity Program 
战略规划和数据完整性计划

•  Planning
•  计划

Executive level strategic planning and programs for improving and/ ormaintaining data governance and data integrity. 
领导层级别的战略规划，用于改进 和/或 维护数据管理和数据完整性

No planning for data integrity or data governance at executive level 
没有领导层级的针对数据管理和数据完整性的计划

Limited planning for data integrity or data governance, typically drivenby emergencies
有限的数据完整性和数据治理规划,通常由突发事件驱动的

Specific Data Integrity program or equivalent underway. 
具备特定数据完整性程序或等效系统

Successful Data Integrity programs achieving stated objectives 
成功的数据完整性程序以实现既定目标

Data integrity integral to ongoing organizational strategic planning 
数据完整性是持续组织性战略规划的重要部分

•  Communication 
•  沟通

Communication and change management processes, supported by a suitablerepository of information and resources. 
沟通和变更管理过程，由适当的信息资源库支持

No communication and change management process for DI 
没有针对数据完整性的沟通和变更管理过程

Some informal and person dependent communication and change management. 
一些非正式和依赖个人的沟通和变更管理

Formal communication and change management for DI in place, but on aper-project or per-site basis, with ad hoc repositories.
对数据完整性进行正式的沟通和变更管理，但是在某个项目或某个场所的基础上，使用临时资源库

Communication and change management for DI integral to QMS, supported bytools and central repository. 
在工具和中央资源库的支持下，针对数据完整性的沟通和变更管理纳入质量管理体系

Communication and change management for DI subject to review andimprovement, supported by defined metrics. 
对数据完整性进行沟通和变更管理，在定义的指标支持下进行评审和改进

Regulatory 
法规

•   Awareness
•   认识

Awareness of applicable regulatory requirements 
对适用法规要求的认识

No awareness of key regulatory requirements. 
对关键法规要求没有意识

Some awareness of detailed regulatory requirements, based on individualexperience and effort. 
基于个人的经验和努力，对监管要求的细节有一些认识

Formal regulatory awareness-raising underway, including training onregulations and guidance. 
正在进行正式的监管意识提高，包括法规和指南的培训

All staff aware of regulatory requirements affecting their work. 
全体员工意识到监管要求影响他们的工作

Formal training needs analysis and action, taking into accountregulatory and industry developments. 
正式培训需求分析和行动，考虑法规和行业发展

•  Traceability 
•  可追溯性

Traceability to applicable regulatory requirements from, e.g., QualityManual, polices or procedures 
可追溯到适用的法规要求，例如质量手册、政策或规程

No traceability to regulations
不可追溯到法规

Little traceability of policies and procedures to specific regulations.
政策和程序对具体法规的可追溯性很小

Traceability in place, but limited to key regulatory requirements. 
可追溯，但限于关键监管要求

Full traceability, e.g. from Quality Manual or policies, to specificregulatory requirements. 
完整的可追溯性,如从质量手册或政策到具体的监管要求

Traceability effectively maintained and updated taking into accountregulatory developments 
考虑到法规的发展，对可追溯性进行有效地维护和更新

•  Inspection readiness
•  检查准备

Preparation for inspection, including responsibilities, and inspectionreadiness documentation. 
检查准备工作,包括责任,检查准备文档

No inspection readiness preparation 
无检查准备

Limited inspection readiness preparation - ad-hoc and dependent onindividual Process and System Owners
检查准备有限，是“仅仅这次”的和依赖流程和系统所有者个人的

Inspection readiness activities in place, but inconsistent in level,content, and approach 
检查准备活动到位，但水平、内容和方法不一致

Established process for inspection readiness covering all systemsmaintaining regulated data and records.
建立了检查准备流程覆盖所有系统保存的数据和记录

Inspection readiness processes regularly reviewed and refined based onregulatory and industry developments. 
根据监管和行业发展情况，定期审核检查准备过程并改进

•  Regulatory Relationship andcommunications 
•  监管关系和沟通

Effectiveness of communication with regulatory authorities, andeffectiveness of dealing with concerns and citations. 
与监管部门沟通的有效性，以及处理关注点和引用的有效性

No communication except during inspections, when specific citations areaddressed. 
处理某个处罚时，除检查过程外，没有沟通

没有沟通除非检查期间

Ad-hoc , informal communication as-and-when required, not following adefined procedure. 
临阵磨枪式的沟通，而不是遵循规程

Communication as-and-when required, following a defined procedure. 
按照既定的规程，在需要时进行沟通

Effective, consistent, communication with regulatory bodies following adefined procedure. 
有效、一致、与监管机构按照既定程序进行沟通

Clear communication lines to key regulatory bodies, with internalspecialists following an established process. Concerns and citations areproactively managed. 
明确与关键监管机构的沟通渠道，内部专家遵循既定程序。主动管理关注和引用。

Data Life Cycle 
数据生命周期

•  Data life cycle definition 
•  数据生命周期定义

Data life cycle(s) defined in standards and/or procedures 
定义于标准和/或规程的数据生命周期

Data life cycles not defined. 
没有定义数据生命周期

Some data life cycles defined on an ad-hoc basis. 
一些数据生命周期被临时定义

Data life cycles generally defined following procedures. Notconsistently applied. 
数据生命周期普遍定义于规程中，但执行不到位

Data life cycle defined in procedures, and applied consistently to allkey regulated data and records. 
数据生命周期定义于规程中，并始终适用于所有关键数据和记录

Data life cycles defined f and maintained, supported by effectiveautomated tools 
已定义数据生命周期，并通过有效的自动化工具维护和支持。

•  Quality Risk Management
•  质量风险管理

Application of risk management (including justified and documented riskassessments) through the data life cycle. 
在数据生命周期中应用风险管理（包括经论证和文件化的风险评估）

No documented and justified assessment of risks to data integrity
对数据完整性的风险无文件化的和合理的评估

Limited data integrity risk assessments performed on an ad-hoc basis. 
权且进行了有限的数据完整性风险评估

Data integrity considered in risk assessment procedures, but notperformed to a consistent level. 
风险评估过程中考虑到的数据完整性，但没有落实

Data integrity risk management established as an integral part of thedata life cycle and system life cycle. 
进行数据完整性风险管理，作为数据生命周期和系统生命周期的组成部分

Quality Risk Management activities subject to continuous improvement 
持续改进的质量风险管理活动

•  Data Management processes andtools 
•  数据管理流程和工具

Established data management processes, supported by appropriate tools. 
建立数据管理流程，并有适当的工具支持

No data management processes 
没有数据管理流程

Some data management processes defined by individual Process Owners 
个别流程所有者定义了一些数据管理流程

Data management procedures defined, but not always effectivelyimplemented 
定义了数据管理规程，但并不总是有效地执行

Well established and effective data management processes.
建立数据管理流程 ，并有效的执行

Well established common data management processes, maintained, updated,supported by appropriate automated tools 
已建立通用的数据管理流程，通过适当的自动化工具维护、更新

•  Master and reference datamanagement 
•  主数据和参考数据管理

Established processes to ensure the accuracy, consistency, and controlof master and reference data. 
建立规程以确保主数据和参考数据的准确性、一致性和控制

No master/reference data management processes 
没有主数据参考数据的管理规程

Some master/reference data management processes defined by individualProcess Owners 
个别流程所有者定义了一些主/参考数据管理规程

Master/reference Data management procedures defined, but not alwayseffectively implemented
建立了主/参考数据管理规程，但并不总是有效地执行

Well established and effective master/reference data managementprocesses.
建立了主/参考数据管理规程，并得到有效执行

Well established common master/reference data management processes,maintained, updated, supported by appropriate automated tools 
已建立了通用的主/参考数据管理规程，通过适当的自动化工具维护、更新

•  Data Incident and ProblemManagement
•  数据事件和问题管理

Established processes to deal with data incidents and problems, linkedwith change management and deviation management as appropriate. 
建立处理数据事件和问题的规程，并与变更管理和偏差管理联系在一起

No formal data incident and data problem management process
没有正式的数据事件和数据问题管理规程.

Some data incident and data problem management processes defined byindividual Process/System Owners
由个别流程/系统所有者定义了一些数据事件和数据问题管理规程

Data incidents and problems typically effectively dealt with as a partof normal system or operational incident management, but with limitedconsideration of wider DI implications. 
数据事件和问题通常作为正常系统或操作事件管理的一部分有效地处理，但很少考虑扩大数据完整性影响。

Established data incident and problem management process linked to CAPAand deviation management where necessary. 
建立数据的事件和问题管理规程，并且，必要时，与CAPA和偏差管理联系在一起

Established data incident and problem management process, supported bytools and appropriate metrics, leading to process improvement. 
建立数据事件和问题管理流程，由工具和适当的度量支持，已实现过程改进

•  Access and Security management 
•  访问和安全管理

Establishing technical and procedural controls for access management andto ensure the security of regulated data and records. 
对访问管理建立技术和程序控制，并确保数据和记录的安全性

Lack of basic access control and security measures allowing unauthorizedchanges 
缺乏基本的访问控制和安全措施，允许未经授权的更改

Some controls, but group logins and shared accounts widespread. Passwordpolices weak or not enforced 
有一些控制，但组登录和共享账户普遍。密码策略弱或不强制执行

Established standards and procedures for security and access control,but not consistently applied 
已建立安全和访问控制的标准和规程，但落实不到位

Established system for consistent access control and securitymanagement, including regular review of security breaches and incidents 
已建立强壮的访问控制和安全管理体系，包括定期审查安全漏洞和事件

Established integrated system for consistent access control and securitymanagement, supported by appropriate tools and metrics for continuousimprovement. 
已建立强壮的访问控制和安全管理的集成系统，并有适当的工具和度量支持以持续改进

•  Archival and retention 
•  归档和保存

Establishing processes for ensuring accessibility, readability andintegrity of regulated data in compliance with regulatory requirementsincluding retention periods. 
根据法规要求，建立规程确保数据的可访问性、可读性和完整性，包括的保存期限

No consideration of long term archival and retention periods
没有考虑长期归档和保存期限

No effective process for identifying and meeting regulatory retentionrequirements. Few archival arrangements in place. 
无有效流程识别并符合法规对于保存要求。很少有存档。

Retention policy and schedule defined covering some, but not allregulated records. Some systems with no formal archival process. 
定义了保存策略和计划覆盖一部分，但不是所有的记录。有一些系统做了非正式的归档

Retention Schedule includes all regulated records, and those policiessupported by appropriate archival processes and tools. 
保存时间计划表包括了所有记录，并有适当的归档流程和工具支持。

Archival and data retention policies and processes regularly reviewedagainst regulatory and technical developments 
根据法规和技术发展对归档和数据保存政策和流程定期审核

•  Electronic Signatures 
•  电子签名

Effective application of electronic signatures to electronic records,where approval, verification, or other signing is required by applicableregulations.
在电子记录中有效应用电子签名

No control of electronic signatures. 
无电子签名控制

Lack of clear policy on signature application, and lack of consistenttechnical support for e-signatures. 
对签名应用的缺乏明确的政策，对电子签名缺乏强壮的技术支持

Policies in place. Compliant e-signatures in place for some, but not allrelevant systems.
有政策，某些但不是所有相关系统都有合规的电子签名

Compliant e-signatures in place for all relevant systems, supported byconsistent technology where possible 
电子签名在所有相关系统中均合规，并得到强壮的技术支持

Electronic signature policies and processes regularly reviewed againstcurrent best practice and technical developments 
针对现行良好规范和技术发展定期审查电子签名政策和程序

•  Audit trails 
•  审计追踪

Usable and secure audit trails recording the creation, modification, ordeletion of GxP data and records, allowing effective review either as part ofnormal business process or during investigations. 
审计跟踪可用并安全，以记录GXP数据和记录的创建，修改，或删除，在正常业务流程或调查期间进行有效的审核

Lack of effective and compliant audit trails 
缺乏有效的合规的审计追踪

Some limited use of audit trails. Often incomplete or not fit forpurpose (e.g. in content and reviewability). Not typically reviewed as partof normal business process. 
有限的使用审计追踪。往往不完整或达不到要求（例如内容和可查性）。通常不作为正常业务流程的一部分进行审核

Audit trail in place for most regulated systems, but with undefined and inconsistentuse within business processes in some cases. 
对大多数系统进行审计追踪，但在某些情况下业务流程未定义审计追踪或落实不到位

Effective audit trail in place for all regulated systems, and use andreview of audit trail included in established business processes. 
为所有的系统进行有效的审计追踪，以及在既定业务流程中进行审计追踪并审核

Audit trail policies and use regularly reviewed against regulatory andtechnical developments 
根据法规和技术发展，定期审查审计追踪政策和使用情况

Data Life Cycle Supporting Processes 
数据生命周期支持过程

•  Auditing 
•  审计

Auditing against defined data quality standards, including appropriatetechniques to identify data integrity failures 
对定义的数据质量标准进行审计，包括确定数据完整性故障的适当技术

No data quality or integrity audits performed 
没有执行数据质量或完整性审计

Some audits performed on an ad-hoc and reactive basis, but noestablished process for data quality and integrity auditing. 
有一些审计是在临时和被动基础上进行的，没有建立数据质量和完整性审计的流程。

Data quality and integrity process defined, but audits not alwayseffective and the level of follow-up inconsistent. 
定义了数据质量和完整性流程，但审计并不总是有效的，后续的水平不一致

Effective data auditing fully integrated into wider audit process andschedule. 
有效的数据审计完全集成到更广泛的审计过程和计划中

Auditing process and schedule for subject to review and improvement,based on audit results and trends.
根据审计结果和趋势进行审核，并改进审核过程和进度表

•  Metrics
•  度量

Measuring the effectiveness of data governance and data integrityactivities 
衡量数据治理和数据完整性活动的有效性

No data related metrics captured. 
没有捕获与数据相关的指标

Limited metrics captured, on an ad-hoc basis 
有限指标捕获，在一个特设的基础上

Metrics captured for most key systems and datasets. Level, purpose, anduse inconsistent. 
为大多数关键系统和数据集捕获的度量。水平、用途和使用不一致

Metrics captured consistently, according to an established process. 
根据既定的过程，一致地度量指标

Metrics captured consistently, and fed into a continuous improvementprocess for data governance and integrity 
度量一致地被捕获，并加入到数据治理和完整性的持续改进过程中。

•  Classification and assessment 
•  分级和评估

Data and system classification and compliance assessment activities 
数据和系统分类以及合规性评估活动

No data classification. 
无分级

Limited data classification, on an ad-hoc basis. No formal process 
有限的数据分级，临时的。非正式规程

Data classification performed (e.g. as a part of system complianceassessment), but limited in detail and scope.
已执行数据分级（如作为系统符合性评估的一部分），但细节和范围有限

Established process for data classification, based on business processdefinitions and regulatory requirements. 
基于业务流程定义和监管要求，建立数据分级规程

Classification process subject to review and improvement, based outcomesand trends. 
根据结果和趋势，审查和改进分级规程

•  CS Validation and compliance 
计算机化系统验证和合规性

Established framework for achieving and maintaining validated andcompliant computerized systems
建立框架以实现和维持计算机化系统验证和合规性

Systems supporting or maintaining regulated records and data are notvalidated 
受监管的记录和数据的支持或保存系统未经验证

No formal process for CS validation, The extent of validation andevidence dependent on local individuals. 
没有正式的计算机化系统验证过程，验证的程度和证据仅依赖于个别员工

Most systems supporting or maintaining regulated records and data arevalidated according to a defined process, but approach is not alwaysconsistent between systems and does not fully cover data integrity risks 
多数支持或保存记录和数据的系统已按照既定流程进行验证，但是系统之间的方法并不总是一致的，也不能完全覆盖数据完整性风险

Established process in place for ensuring that all systems supportingand maintaining regulated records and data are validated according toindustry good practice, and fully compliant with regulations, includingeffective and documented management of data integrity risks. 
建立适当的程序，以确保所有支持和保存记录和数据的系统已根据行业规范进行验证，并完全合规，包括数据完整性风险的有效的书面管理

CS Validation policies and processes regularly reviewed againstregulatory and industry developments 
针对法规和行业发展定期审查计算机化系统验证政策和流程

•  Control strategy 
•  控制策略

Proactive design and selection of controls aimed at avoiding failuresand incidents, rather than depending on procedural controls aimed atdetecting failure 
前瞻性地设计和选择控制措施，以避免故障和事件，而不是依赖过程控制来检测故障。

No consideration of potential causes of data integrity failures andrelevant controls 
不考虑数据完整性失效的潜在原因并采取相关控制

Some application of controls, typically procedural approaches aimed atdetecting failures 
应用了一些控制措施，但通常是用于检测故障的过程方法

Technical and procedural controls applied, but dependent on individualproject or system 
应用技术和过程控制，但依赖于单个项目或系统

Technical and procedural controls are applied in most cases, based on anestablished risk-based decision process 
基于既定的以风险为基础的决策过程，大多数情况下均应用了技术和程序控制

Integrity fully designed into processes before purchase of systems andtechnology, including appropriate controls 
在购买系统和技术之前，充分设计流程的完整性，包括适当的控制

IT Architecture
IT架构

Appropriate IT architecture to support regulated business processes anddata integrity 
合理的IT架构来支持业务流程的合规性和数据完整性

No consideration of IT architecture strategy 
没有考虑IT架构策略

IT architecture strategy and decisions not documented, and dependent onlocal SMEs. 
没有文件规定IT架构策略和决策，依赖于个别SMEs

IT architecture considered, and generally supports data integrity andcompliance, but is typically defined on a system by system basis.
有考虑IT架构，并通常支持数据完整性和合规性，但是通常只是就某一系统而言的考虑

Established IT architecture policy and strategy, with full considerationon how this supports data integrity. 
建立IT架构政策和策略，充分考虑了如何支持数据完整性

IT architecture strategy regularly reviewed against industry andtechnical developments.
根据行业和技术发展，定期回顾IT架构

IT Infrastructure 
IT基础设施

Qualified and controlled IT infrastructure to support regulatedcomputerized systems 
经确认的和受控的IT基础设施以支持受监管的计算机化系统

No infrastructure qualificationperformed 
无基础设施确认

No established process for infrastructure qualification. Some performed,dependent on local SMEs. 
没有建立基础设施确认规程。有一些，依赖于个别SMEs。

Infrastructure generally qualified, according to an established process,but is often a document driven approach, sometimes applied inconsistently 
基础设施一般已确认，按照一个既定的过程，但往往是文档驱动的方法，有时应用不一致

Established risk-based infrastructure qualification process, ensuringthat current good it practice is applied, supported by tools and technology 
建立了基于风险的的基础设施确认规程，确保应用现行良好IT规范，并得到工具和技术的支持

Infrastructure approach regularly reviewed against industry andtechnical developments.
根据行业和技术发展，定期回顾IT基础设施