CROSSWALK

IEC 81001-5-1 §4.2

WHAT CARRIES OVER

ISO 14971 risk management process structure, risk management plan, and risk file — 81001-5-1 builds a parallel security risk track on that foundation.

WHAT’S NEW

Threat modeling as the mandatory identification method, CVSS-based risk estimation distinct from safety probability scales, residual risk documentation with compensating controls.

AUDIT FOCUS

Security risk management plan referencing threat modeling methodology and acceptability criteria — conflating safety probability with security exploitability is a critical FDA finding.

Maps to

IEC 81001-5-1: §4.2 SECURITY RISK MANAGEMENT

ISO 14971: §4.1 Risk management process

IEC 62304: §4.3 Software safety classification

Requirement text

The manufacturer shall establish a process for managing risks associated with security using threat modelling. The process shall use threat modelling to identify vulnerabilities, estimate and evaluate associated threats, control those threats, and monitor the effectiveness of security risk controls, taking into account intended use and use environment. The manufacturer shall establish criteria for risk acceptability. Security risk management should incorporate outcomes of threat modelling activities and follow industry best practice. Residual risk associated with a vulnerability that remains in the system shall be documented, along with respective compensating controls.

Why this clause exists

The most consequential architectural error organizations make when implementing IEC 81001-5-1 is treating security risk management as an extension of their ISO 14971 safety risk process — using probability of occurrence as a risk parameter, applying clinical severity scales to cybersecurity impact, and accepting residual security risk on the same grounds as residual safety risk. FDA has explicitly rejected this approach: cybersecurity risks are not probabilistic in the same sense as hazard-based safety risks, because a competent adversary changes the probability calculus deliberately. IEC 81001-5-1:2021 clause 4.2 requires a security risk management process built on threat modeling — a methodology that reasons about adversarial capability and intent, not actuarial probability — and mandates that the process document residual risk and compensating controls for every vulnerability that remains uncontrolled. The integration point with ISO 14971 is required but the processes are distinct: safety risk considers whether a device malfunctions; security risk considers whether an adversary could make it malfunction deliberately. CVSS scoring provides the industry-standard quantification method, replacing the probability times severity framework that ISO 14971 uses for safety.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the relationship between the manufacturer and the healthcare delivery organization (HDO).

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Common gaps (what we see in audits)

  • Security risk management siloed from safety risk management: Organizations attempt to handle cybersecurity risks within their existing ISO 14971 process without establishing a distinct security risk management process. While integration points are necessary, cybersecurity risks require different assessment methods (CVSS, exploitability) and different expertise than safety risks. Conflating safety severity with cybersecurity exploitability leads to inaccurate risk assessments.

