ISO 14971 §10 post-production activities and ISO 13485 post-market surveillance covering field data collection and feedback to the risk management process.
Post-release monitoring of security risk control effectiveness against evolving threats, cross-product issue propagation, and third-party notification when problems are found in supplier source code.
Post-market surveillance plan including security control monitoring activities — PMS programs focused on safety complaints without security control effectiveness review are a moderate gap.
Maps to
IEC 81001-5-1: §7.5 Monitoring the effectiveness of RISK CONTROLS
Requirement text
Monitor the effectiveness of risk controls by collecting and reviewing information during the post-release phase. Inform other activities and processes of identified issues, including for other products and revisions. Inform third parties if problems are found in third-party source code. Issues identified in the threat model of released health software shall be addressed per clauses 9.4 and 9.5.
Why this clause exists
Security risk controls that were effective at the time of product release may become ineffective as the threat landscape evolves: new attack techniques emerge that bypass previously adequate authentication controls; vulnerabilities in supporting infrastructure expose controls that assumed a secure platform; adversary capabilities advance to make previously computationally infeasible attacks feasible. Risk control effectiveness monitoring is the mechanism by which the manufacturer maintains awareness of whether the controls documented in the Security Risk Register continue to provide the protection they were designed to provide. Without this ongoing monitoring, the security risk management process is a point-in-time activity that provides assurance only for the conditions that existed at release — and medical devices operate for years or decades in environments that change constantly. IEC 81001-5-1:2021 clause 7.5 requires that the effectiveness of security risk controls be monitored post-market, linking the risk management process to the post-market surveillance activities in clause 6 and closing the lifecycle loop.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Common gaps (what we see in audits)
- Post-market monitoring of security controls absent — After release, there is no process to monitor whether security controls remain effective as the threat landscape evolves. New attack techniques and vulnerability classes can render previously adequate controls insufficient.