Security Release Documentation

Maps to

IEC 81001-5-1: §5.8.2

Requirement text

As a part of the software release activity (or activities), the manufacturer shall establish requirements for accompanying documentation including: a) secure operation guidelines; b) process rigor and conformance documentation including the scoping (Clause 4), tailoring (Clause 5), and information on coverage per Annex E; c) account management guidelines (if applicable); and d) appropriate information about relevant residual risks to security remaining in the health software.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the safety and regulatory context of medical devices, adding 64 health-specific requirements that account for patient safety, clinical workflows, and the relationship between the manufacturer and the healthcare delivery organization (HDO) that operates the software.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase: planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management rather than treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as a framework manufacturers may use to establish the Secure Product Development Framework (SPDF) required by Section 524B of the Federal Food, Drug, and Cosmetic Act.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities widely treat it as "state of the art" for health software cybersecurity under MDR Annex I, GSPR 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Atomic constraints

  • Accompanying documentation must include secure operation guidelines.
  • Documentation must include process rigor and conformance documentation covering Clause 4 scoping and Clause 5 tailoring.
  • Documentation must include coverage information per Annex E.
  • Account management guidelines must be provided where applicable.
  • Information about relevant residual security risks must be included in release documentation.
  • Secure operation guidelines must address configuration requirements for secure deployment, including required network configurations, access control settings, and secure communications settings.
  • Residual security risk disclosures must identify specific unmitigated or accepted risks by category, explaining what the risk is and what compensating controls the operator should implement in their environment.
  • Residual security risk disclosures must address data retention and data protection risks, including any patient data or sensitive health information that persists in the device or its communications, and recommended handling procedures.
  • Where the device generates or stores protected health information, the accompanying documentation must include guidance on secure retention of active data and secure disposal of data at end of use.
  • Accompanying documentation must be updated with each software release to reflect changes in the security posture, new residual risks, and updated configuration guidance.

Common gaps

Release notes lack security-relevant information

moderate

Release documentation does not include security-relevant information for operators — security patches applied, known residual vulnerabilities, required security configuration, or changes to security posture from the previous version.

Evidence signals

  • FILE_EXISTS

    Security.*Guide|Security.*White.*Paper|Security.*Manual|Accompanying.*Documentation|Residual.*Risk

  • CONTENT_MATCH

    Does this document provide secure operation guidelines, account management guidance, residual security risk disclosures, and IEC 81001-5-1 conformance scope information for the health software?
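The two evidence signals above are, in effect, a detection rule: a file name pattern plus a content check for each item of §5.8.2 (a) through (d). The script below is an added example (not the page's or the standard's own tooling) of running that rule as a pre-release gate over a documentation set. The topic keyword patterns, the document names, the sample text, and the release-version check are assumptions chosen for illustration; tune the patterns to your own Security Guide template.

```python
import re

# FILE_EXISTS signal from the evidence list above, matched case-insensitively
# against the base name of each document.
FILE_PATTERN = re.compile(
    r"Security.*Guide|Security.*White.*Paper|Security.*Manual"
    r"|Accompanying.*Documentation|Residual.*Risk",
    re.IGNORECASE,
)

# CONTENT_MATCH signal split into one keyword pattern per item of 5.8.2 (a)-(d).
# These phrases are an assumption about how a typical Security Guide is worded;
# adjust them to your own document template.
REQUIRED_TOPICS = {
    "a) secure operation guidelines": r"secure\s+(operation|deployment|configuration)",
    "b) scoping (Clause 4)": r"\bscop(e|ing)\b",
    "b) tailoring (Clause 5)": r"\btailor(ed|ing)\b",
    "b) coverage per Annex E": r"\bannex\s+e\b",
    "c) account management guidelines": r"account\s+management",
    "d) residual security risks": r"residual\s+(security\s+)?risks?",
}


def matching_documents(paths):
    """Paths whose base name satisfies the FILE_EXISTS signal."""
    return [p for p in paths if FILE_PATTERN.search(p.rsplit("/", 1)[-1])]


def missing_topics(text):
    """Items of 5.8.2 that `text` never mentions (case-insensitive search)."""
    return [label for label, pattern in REQUIRED_TOPICS.items()
            if re.search(pattern, text, re.IGNORECASE) is None]


def is_stale(text, release_version):
    """True if the document never names the release it accompanies, which is
    the cheapest check for the 'updated with each software release' constraint."""
    return release_version not in text


def assess_release_docs(docs, release_version):
    """docs maps path -> text. Returns a report dict:
    matched   - documents that satisfy FILE_EXISTS
    per_doc   - topics each matched document lacks
    uncovered - topics no matched document covers (the clause-level gap)
    stale     - matched documents that do not mention release_version
    """
    matched = matching_documents(docs)
    combined = "\n".join(docs[p] for p in matched)
    return {
        "matched": matched,
        "per_doc": {p: missing_topics(docs[p]) for p in matched},
        "uncovered": missing_topics(combined) if matched else list(REQUIRED_TOPICS),
        "stale": [p for p in matched if is_stale(docs[p], release_version)],
    }


# Constructed sample document set for the demo; these are not real product documents.
SAMPLE_DOCS = {
    "docs/Security_Guide_v3.2.md": (
        "# Security Guide for ExampleMonitor 3.2\n"
        "## Secure operation guidelines\nEnable TLS 1.2+ on port 8443; ...\n"
        "## Account management\nDisable the default service account after commissioning.\n"
        "## Residual security risks\nRISK-7: legacy HL7 v2 link is unencrypted; segment it.\n"
    ),
    "docs/Release_Notes_3.2.md": "Bug fixes and performance improvements.\n",
    "docs/Residual_Risk_Register.md": (
        "Residual risks for release 3.2. Scoping per Clause 4 and tailoring per Clause 5\n"
        "are recorded in the conformance statement; coverage is listed per Annex E.\n"
    ),
}

if __name__ == "__main__":
    report = assess_release_docs(SAMPLE_DOCS, "3.2")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note the distinction between `per_doc` and `uncovered`: the clause does not require one monolithic document, so the gate should fail only on `uncovered` (a topic no accompanying document addresses) and on `stale`, while `per_doc` is informational. Release notes that do not match the file pattern are ignored entirely, which mirrors the "release notes lack security-relevant information" gap: if the only document shipped with a release is `Release_Notes_*.md`, every topic is reported as uncovered.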

Audit defense

The Security Guide released with [your product] (Doc ID: [your document ID]) provides secure operation guidelines, account management instructions, residual security risk information, and IEC 81001-5-1 conformance documentation covering scoping, tailoring, and Annex E coverage.
