Skip to content
CROSSWALK

Identification of Applicability

Maps to

IEC 81001-5-1: §4.1.3

Requirement text

The manufacturer shall identify which products or parts of products the secure life cycle applies to. This is about product types and their components (e.g., software items), not individual product instances.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Atomic constraints

  • The manufacturer SHALL identify the products or parts of products to which the secure life cycle applies.
  • The identification SHALL cover product types and their components, not just individual product instances.
  • Criteria for determining applicability SHALL be documented.

Common gaps

No documented applicability determination per product

moderate

Manufacturers fail to document which products and software items are subject to the secure lifecycle. The determination of applicability is assumed rather than formally assessed through threat modeling and documented with explicit inclusion/exclusion rationale.

Evidence signals

  • FILE_EXISTS

    (Software.*BOM|SBOM|Product.*Scope|Applicability.*Matrix|Security.*Scope)

  • CONTENT_MATCH

    Does this document identify which products or software components are subject to a secure software development life cycle?

Audit defense

The applicability document (Doc ID: [your document ID]) identifies [your product] and its constituent software items that are subject to the IEC 81001-5-1 secure life cycle, based on assessed IT exposure and data interfacing characteristics per clause 4.1.3.

Review your documents against this clause →

Further reading

Free compliance review. Pay only for the detailed report.

No credit card. No sales call. No consultants required.

Start My Free Review →

Read-only access. Your documents stay in your Drive.