Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Navigating FDA and ISO Compliance with Digital Signatures and Signing Intent

March 13, 2024

In FDA (U.S. Food and Drug Administration) and ISO 27002 compliant processes, digital signatures play a crucial role in ensuring the integrity, authenticity, and security of electronic records and signatures. The use of digital signatures is outlined in the FDA’s regulations, particularly in the context of electronic records and electronic signatures, as specified in Title 21 of the Code of Federal Regulations (CFR) Part 11 and ISO/IEC 27002:2013 respectively.

 

Digital signatures are not just for PDF documents though. Most FDA/ISO compliant processes require digital signature approvals for changes to software as well, also known as Pull Requests. Essentially files containing code are documents that need to undergo a strict review and approval process, just like any other controlled documents that are part of the change management.

 

 

Here are the key elements related to digital signatures, signing intent, and the role of the signee in an FDA/ISO compliant process:

  1. Digital Signatures:
    • Authentication: Digital signatures serve as a means of electronic authentication, confirming the identity of the person associated with the signature. Approving a pull request and signing the approval with a signature token ensures the approver uniquely identified.
    • Data Integrity: The unique approval signature in combination with the git commit hash of the pull request commit help ensure the integrity of the pull request approval as both signature and the commit hash cannot be changed or tampered with.
    • Non-repudiation: Digital signatures provide non-repudiation, meaning the signer cannot later deny their involvement in the signing process.
  1. Signing Intent:
    • Explicit Intent: The signing process should involve explicit intent from the individual to sign. This means the person signing understands and intends to authenticate the information. The pull request reviewer must pro-actively select a reason for the their signature approval.
  1. Role of the Signee:
    • Designated Roles: Compliance regulations emphasize the importance of defining and assigning specific roles to individuals involved in the electronic signature process. In Atlassian Bitbucket the pull request reviewers group membership(s) can serve as a role. When a reviewer signs a pull request can simply select the group they are signing for to assume their role.
    • Responsibilities: Each role or reviewer group should have defined responsibilities. Naturally Bitbucket comes with easy to use access controls ensuring that only authorized individuals can perform specific actions, including signing. Reviewers are only added to pull requests if they are a member of a nominated signature-reviewer group.

You are one step away from signed pull request approvals with Bitbucket (cloud) and Workzone

Workzone for Bitbucket allows to configure signature reviewer groups

When reviewers approve a pull request they are asked to sign their approval with a personal token and select a role/intent.

All signatures, git commit hash and role/intent are safely recorded in the pull request’s history.

 

 

Visit Workzone for Bitbucket today!

As always,

Happy coding.

Sean

Izymes

Comment
Watch
Like # people like this
301 views

1 comment

Comment

Log in or Sign up to comment
Matteo Gubellini _SoftComply_
Matteo Gubellini _SoftComply_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 14, 2024

Hi,

Good to see you can now apply e-signatures to pull requests.

So far our customers had to create an export of all of them at the end of the project and approve them in a separate document. The FDA was ok with it, but it was far from ideal and not fully compliant if you ask me.

Signatures should be concurrent to the approval action, not to mention what to do if someone approving a pull requests leaves the company before signing it (I've been there).

We will recommend this App if asked.

 

Like Sean Manwarring _Izymes_ likes this
Sean Manwarring _Izymes_

Sean Manwarring _Izymes_

Marketplace Partner
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
Explore the Marketplace

About this author

Head of Marketing at Izymes

Izymes

Australia

2 accepted answers

56 total posts

View profile
groups-icon
App Central
TAGS
AUG Leaders

Atlassian Community Events

    See all events