Skip to content
CROSSWALK

Third-Party Supplier Security

Maps to

ISO 13485: §7.4

IEC 81001-5-1: §4.1.5

Requirement text

The manufacturer shall ensure that third-party suppliers perform applicable security life cycle activities for each software item that is: (a) mainly developed specifically for the manufacturer and for a specific purpose, AND (b) can have an impact on security. The manufacturer shall communicate security requirements to such third-party suppliers.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Atomic constraints

  • Third-party suppliers of custom-developed software items SHALL perform applicable security life cycle activities.
  • The obligation applies only when the software item is mainly developed specifically for the manufacturer AND can have a security impact.
  • Security requirements related to each such software item SHALL be communicated to the third-party supplier.
  • Contracts or agreements with qualifying suppliers SHALL address security life cycle obligations.

Common gaps

Supplier security evaluation missing or superficial

major

Manufacturers rely on supplier self-assessments or ISO 27001 certificates without evaluating whether suppliers' security practices are adequate for the specific software components supplied. Cloud providers (AWS, Azure) are qualified as standard OTS suppliers without assessing their security-specific Shared Responsibility Model or uptime/patching SLAs.

Evidence signals

  • FILE_EXISTS

    (Supplier.*Agreement|Quality.*Agreement|Vendor.*Security|Supply.*Chain.*Security|Third.*Party.*Security)

  • CONTENT_MATCH

    Does this document address security requirements, obligations, or assessments for third-party software suppliers or custom-developed software components?

Audit defense

Our supplier quality agreements (Doc ID: [your document ID]) include security life cycle obligations for third-party suppliers of custom software components used in [your product], with documented security requirements communicated to each qualifying supplier per clause 4.1.5.

Review your documents against this clause →

Further reading

Free compliance review. Pay only for the detailed report.

No credit card. No sales call. No consultants required.

Start My Free Review →

Read-only access. Your documents stay in your Drive.