Skip to content
CROSSWALK

Secure Design Best Practices

Maps to

IEC 81001-5-1: §5.3.2

Requirement text

The manufacturer shall establish an activity (or activities) to identify, enforce, and maintain secure design best practices. The manufacturer shall document secure design best practices including but not limited to: a) documenting all trust boundaries as part of the design; b) least privilege; c) using proven secure software items/designs where possible; d) economy of mechanism (striving for simple designs); e) using secure design patterns; f) attack surface reduction; g) removing backdoors, debug access and debug information used during development, or documenting their presence and protecting them from unauthorized access; and h) protecting any remaining debug information from unauthorized access. The manufacturer shall define a security architecture as part of defense-in-depth, including these practices as appropriate.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Atomic constraints

  • All trust boundaries must be documented as part of the design.
  • Least privilege must be applied (granting only the privileges necessary to perform intended operations).
  • Proven secure software items and designs must be used where possible.
  • Economy of mechanism (simple designs) must be applied.
  • Secure design patterns must be used.
  • Attack surface must be reduced.
  • Backdoors and debug access must be removed or documented with controls for unauthorized access protection.
  • Remaining debug information must be protected from unauthorized access.
  • A security architecture incorporating these practices must be defined as part of defense-in-depth.
  • Physical security controls must be addressed for devices with physical interfaces (USB, serial, JTAG) that could provide unauthorized access.
  • Network security controls must be addressed including segmentation, encrypted communications, and firewall policies for network-connected devices.
  • Host security controls must be addressed including OS hardening, patch management, and unnecessary service removal for devices with general-purpose operating systems.
  • Application security controls must be addressed including input validation, secure authentication, session management, and error handling.
  • Identity and Access Management (IAM) controls must be addressed including role-based access control, multi-factor authentication where appropriate, and credential management.
  • Each of the eight secure design practices (5.3.2 a through h) must be addressed in the security architecture documentation with either an implementation description or an explicit justified tailoring decision.

Common gaps

Trust boundaries not documented in architecture

major

Software architecture documentation does not identify trust boundaries between components, networks, and users. Without documented trust boundaries, threat modeling cannot systematically identify where data crosses security perimeters and where controls are needed.

Evidence signals

  • FILE_EXISTS

    Security.*Architecture|Secure.*Design|Trust.*Boundary|Architecture.*Diagram

  • CONTENT_MATCH

    Does this document describe secure design practices including trust boundary documentation, least privilege, attack surface reduction, and removal or protection of debug access and backdoors?

Audit defense

The Security Architecture and Secure Design practices document for [your product] (Doc ID: [your document ID]) documents all trust boundaries and demonstrates application of the eight required secure design best practices, with a security architecture defining how they combine for defense-in-depth.

Review your documents against this clause →

Further reading

Free compliance review. Pay only for the detailed report.

No credit card. No sales call. No consultants required.

Start My Free Review →

Read-only access. Your documents stay in your Drive.