CROSSWALK

IEC 81001-5-1 §5.8.2

WHAT CARRIES OVER

ISO 13485 accompanying documentation requirements and IEC 62304 software release documentation covering IFU and product information.

WHAT’S NEW

Four required release documentation elements: secure operation guidelines, 81001-5-1 conformance scope, account management guidance, and explicit residual security risk disclosures per Annex E.

AUDIT FOCUS

Security guide released with the product containing all four elements — release documentation lacking residual risk disclosure is a common Notified Body major non-conformity for SaMD.

Maps to

IEC 81001-5-1: §5.8.2 Release documentation

Requirement text

As a part of the software release activity (or activities), the manufacturer shall establish requirements for accompanying documentation including: a) secure operation guidelines; b) process rigor and conformance documentation including the scoping (Clause 4), tailoring (Clause 5), and information on coverage per Annex E; c) account management guidelines (if applicable); and d) appropriate information about relevant residual risks to security remaining in the health software.

Why this clause exists

Security release documentation — the information that customers, operators, and regulators receive at the time of release — is the mechanism by which the manufacturer communicates the security posture of the released version and enables operators to make informed deployment decisions. A release issued without an SBOM denies operators the information they need to assess component vulnerability exposure; a release without security configuration guidance forces operators to guess at secure configuration; a release without a disclosure of known residual risks leaves operators unable to plan compensating controls. IEC 81001-5-1:2021 clause 5.8.2 requires that release documentation include specific security content, and the combination of SBOM, security configuration guidance, and residual risk disclosure creates the information foundation for post-market security management. FDA's Section 524B requirements specifically mandate SBOM submission as part of the premarket cybersecurity package, reflecting the same rationale: operators and regulators cannot assess what they cannot see.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Common gaps (what we see in audits)

  • Release notes lack security-relevant information: release documentation does not include security-relevant information for operators — security patches applied, known residual vulnerabilities, required security configuration, or changes to security posture from the previous version.
