Maps to
ISO 13485: §4.1.3, 8.5
IEC 81001-5-1: §4.1.6, 4.1.8
Requirement text
The manufacturer shall establish activities for continuously improving the security development life cycle, including analysis of security defects in deployed software items and products. The manufacturer shall also establish activities for conducting periodic reviews of the software problem resolution process, examining security-related issues since the last review to determine if the management process was complete, efficient, and led to resolution. Periodic reviews shall be conducted at least annually.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Atomic constraints
- •An activity (or activities) for continuously improving the security development life cycle SHALL be established.
- •Continuous improvement activities SHALL include analysis of security defects in deployed software items and products.
- •An activity (or activities) for periodic review of the software problem resolution process SHALL be established.
- •Periodic reviews SHALL examine security-related issues managed since the last review.
- •Periodic reviews SHALL assess whether the management process was complete, efficient, and led to resolution.
- •Periodic reviews SHALL be conducted at least annually (or as part of ISO 13485 4.1.3 monitoring and measurement).
Common gaps
No periodic security process review cycle
moderateAfter initial implementation, organizations do not establish a recurring review cycle to evaluate security process effectiveness based on post-market incidents, vulnerability trends, and regulatory changes. Lessons learned from security incidents are not fed back into process improvements.
Evidence signals
- •
FILE_EXISTS
(Management.*Review|Security.*Review|Defect.*Analysis|Problem.*Resolution.*Review|Corrective.*Action)
- •
CONTENT_MATCH
Does this document record a periodic review of security defect management, continuous improvement of security processes, or analysis of deployed security defects?
Audit defense
Our annual security management review (Doc ID: [your document ID]) documents the periodic assessment of the security problem resolution process for [your product], including analysis of deployed defects and improvement actions, satisfying clauses 4.1.6 and 4.1.8.