ISO 13485 §8.5 continual improvement, the CAPA process, and the management review cadence are already feeding quality system improvements.
An annual review of the security defect management process, trend analysis of security defects in deployed products, and improvement actions that feed back into the security development lifecycle.
Management review minutes that record security defect metrics and documented improvement actions — security being absent from management review is a recurring gap.
Maps to
IEC 81001-5-1: §4.1.6 Continuous improvement, §4.1.8 Periodic review of SECURITY defect management
ISO 13485: §4.1 General requirements, §8.5 Improvement
Requirement text
The manufacturer shall establish activities for continuously improving the security development life cycle, including analysis of security defects in deployed software items and products. The manufacturer shall also establish activities for conducting periodic reviews of the software problem resolution process, examining security-related issues since the last review to determine if the management process was complete, efficient, and led to resolution. Periodic reviews shall be conducted at least annually.
Why this clause exists
Security development processes that are implemented once and never revisited degrade systematically — threat landscapes evolve, new attack techniques emerge, and post-market incidents reveal weaknesses in development practices that were not evident at launch. Organizations that lack a formal continuous improvement mechanism for their security development lifecycle tend to discover this degradation only when a significant vulnerability is disclosed that traces back to a process failure they had no mechanism to detect. IEC 81001-5-1:2021 clauses 4.1.6 and 4.1.8 address this through two complementary activities: an ongoing improvement loop that analyzes security defects in deployed products, and an at-least-annual periodic review of the problem resolution process that evaluates whether security issues were managed completely, efficiently, and to resolution. The annual review requirement was deliberately aligned with ISO 13485's management review cadence — allowing organizations to integrate security process review into existing management structures rather than creating a separate governance mechanism. FDA expects continuous improvement evidence as part of the post-market cybersecurity programs referenced in the 2023 guidance, and regulators increasingly probe whether lessons from disclosed vulnerabilities are documented in process improvement records.
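The periodic review in clause 4.1.8 has to answer three questions about every security issue handled since the last review: was the process complete, was it efficient, and did it lead to resolution. The script below is an added example, not from the standard or from any manufacturer's QMS, of how to compute the security defect metrics that management review minutes need from a defect log. The defect records, the CAPA identifiers, the root-cause categories, and the triage and fix targets per severity are all constructed for illustration; the standard prescribes none of these numbers, and the mapping of "complete" to "triaged and linked to a CAPA" is an assumed interpretation that an organization would define in its own procedure.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class SecurityDefect:
    """One security issue handled through the software problem resolution process."""
    defect_id: str
    severity: str             # "critical", "high", "medium" or "low"
    reported: date
    triaged: Optional[date]   # None if the issue was never triaged
    fixed: Optional[date]     # None if no fix has been released
    capa_id: Optional[str]    # None if no CAPA / process action was linked
    root_cause: str           # hypothetical root-cause category for trend analysis


# Constructed sample defect log (not real data). SD-005 falls outside the
# review window and is used to show that out-of-scope records are excluded.
SAMPLE_DEFECTS = [
    SecurityDefect("SD-001", "critical", date(2024, 2, 1), date(2024, 2, 2), date(2024, 2, 20), "CAPA-24-03", "input validation"),
    SecurityDefect("SD-002", "high", date(2024, 3, 10), date(2024, 3, 20), date(2024, 5, 1), None, "input validation"),
    SecurityDefect("SD-003", "medium", date(2024, 6, 15), date(2024, 6, 20), None, "CAPA-24-07", "third-party component"),
    SecurityDefect("SD-004", "low", date(2024, 9, 1), None, None, None, "configuration"),
    SecurityDefect("SD-005", "high", date(2023, 11, 20), date(2023, 11, 22), date(2023, 12, 15), "CAPA-23-19", "configuration"),
    SecurityDefect("SD-006", "critical", date(2024, 10, 5), date(2024, 10, 5), date(2024, 11, 20), "CAPA-24-11", "third-party component"),
]

# Hypothetical service-level targets in calendar days, set by the organization
# in its own procedure; IEC 81001-5-1 does not prescribe values.
TRIAGE_TARGET_DAYS = {"critical": 2, "high": 5, "medium": 15, "low": 30}
FIX_TARGET_DAYS = {"critical": 30, "high": 60, "medium": 120, "low": 180}


def _elapsed_days(start: date, end: Optional[date], as_of: date) -> int:
    """Days from start to end; an open item is measured up to the review date."""
    return ((end or as_of) - start).days


def review_metrics(defects, review_start: date, review_end: date) -> dict:
    """Aggregate the defects reported inside the review window into review metrics."""
    in_scope = [d for d in defects if review_start <= d.reported <= review_end]
    resolved = [d for d in in_scope if d.fixed is not None]
    return {
        "total": len(in_scope),
        "resolved": len(resolved),
        "unresolved_ids": [d.defect_id for d in in_scope if d.fixed is None],
        "not_triaged_ids": [d.defect_id for d in in_scope if d.triaged is None],
        # Overdue against the organization's own targets (open items measured to review_end)
        "triage_overdue_ids": [d.defect_id for d in in_scope
                               if _elapsed_days(d.reported, d.triaged, review_end) > TRIAGE_TARGET_DAYS[d.severity]],
        "fix_overdue_ids": [d.defect_id for d in in_scope
                            if _elapsed_days(d.reported, d.fixed, review_end) > FIX_TARGET_DAYS[d.severity]],
        "median_days_to_fix": median((d.fixed - d.reported).days for d in resolved) if resolved else None,
        "without_capa_ids": [d.defect_id for d in in_scope if d.capa_id is None],
        # Root-cause counts feed the trend analysis that drives SDLC improvement actions
        "root_cause_trend": dict(Counter(d.root_cause for d in in_scope)),
    }


def assess(metrics: dict) -> dict:
    """Map the metrics onto the three questions the periodic review must answer.

    Assumed interpretation: 'complete' = every issue triaged and linked to a CAPA,
    'efficient' = nothing overdue against the targets, 'led_to_resolution' = all fixed.
    """
    return {
        "complete": not metrics["not_triaged_ids"] and not metrics["without_capa_ids"],
        "efficient": not metrics["triage_overdue_ids"] and not metrics["fix_overdue_ids"],
        "led_to_resolution": not metrics["unresolved_ids"],
    }


def sample_review() -> dict:
    """Run the review over the constructed log for calendar year 2024."""
    return review_metrics(SAMPLE_DEFECTS, date(2024, 1, 1), date(2024, 12, 31))


if __name__ == "__main__":
    m = sample_review()
    for key, value in m.items():
        print(f"{key}: {value}")
    print("assessment:", assess(m))
```

Each list of identifiers in the output is an item for the management review minutes: the unresolved and overdue items are open actions, the items without a linked CAPA are the completeness finding, and the root-cause counts are the trend that should drive an improvement action in the security development lifecycle rather than only a fix for each individual defect.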
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Common gaps (what we see in audits)
- No periodic security process review cycle — After initial implementation, organizations do not establish a recurring review cycle to evaluate security process effectiveness based on post-market incidents, vulnerability trends, and regulatory changes. Lessons learned from security incidents are not fed back into process improvements.