Maps to
ISO 13485: §4.1
IEC 81001-5-1: §4.1.1, 4.1.2
Requirement text
The manufacturer shall perform security activities in the product life cycle on the basis of an established and documented quality management system (ISO 13485 or equivalent). The manufacturer shall designate and document the organizational roles and personnel responsible for each of the activities and processes required by this standard.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Atomic constraints
- Security activities SHALL be performed on the basis of an established and documented QMS.
- The QMS SHALL comply with ISO 13485 or an equivalent quality management system standard.
- Organizational roles responsible for each security activity and process SHALL be designated.
- Organizational roles responsible for each security activity and process SHALL be documented.
- Personnel assigned to roles SHALL be documented (may be identified by functional role rather than name).
Common gaps
Security activities not integrated into QMS
Severity: major
Organizations treat cybersecurity as a standalone IT concern rather than integrating security activities into their ISO 13485 quality management system. Security roles and responsibilities are undefined or assigned informally, without documented RACI matrices covering each IEC 81001-5-1 process.
Evidence signals
- FILE_EXISTS: (Quality.*Manual|QMS.*Scope|Security.*Policy|RACI|Roles.*Responsibilities)
- CONTENT_MATCH: Does this document define organizational roles and responsibilities for security activities within a quality management system context?
Audit defense
Our quality management system (Doc ID: [your document ID]) explicitly incorporates IEC 81001-5-1 security activities for [your product]. Organizational roles and personnel accountable for each security process are designated in the accompanying RACI matrix, satisfying clauses 4.1.1 and 4.1.2.