Maps to
ISO 13485: §6.2
IEC 81001-5-1: §4.1.4
Requirement text
The manufacturer shall establish activities for identifying and providing security training and assessment programs to ensure that personnel assigned to the organizational roles and duties defined in 4.1.2 have demonstrated security expertise appropriate for those processes. Results of these activities include role descriptions, training profiles, and training records.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Atomic constraints
- An activity (or activities) for identifying required security training SHALL be established.
- Security assessment programs SHALL be established to verify personnel competence.
- Personnel assigned to security roles SHALL demonstrate security expertise appropriate for their processes.
- Role descriptions SHALL be produced as outputs of the training activity.
- Training profiles SHALL be produced as outputs of the training activity.
- Training records SHALL be produced as outputs of the training activity.
Common gaps
Security training is generic awareness rather than role-specific competency
Severity: major
Organizations provide generic cybersecurity awareness training (phishing, passwords) rather than role-specific competency training aligned to IEC 81001-5-1 activities. Developers lack secure coding training, testers lack security testing methodology training, and threat modeling personnel lack formal training in frameworks like STRIDE. FDA has noted that 'staff performing threat modeling is not adequately trained.'
Evidence signals
- FILE_EXISTS: (Training.*Record|Competency.*Matrix|Security.*Training|Role.*Description)
- CONTENT_MATCH: Does this document record security training, competency assessments, or role-based training profiles for personnel responsible for security activities?
Audit defense
Our security training program (Doc ID: [your document ID]) documents role descriptions, training profiles, and training records for all personnel performing security activities on [your product], demonstrating the competency required by clause 4.1.4.