Skip to content
CROSSWALK

Security Risk Estimation and Evaluation

Maps to

ISO 14971: §5.4

IEC 81001-5-1: §7.3

IEC 62443-4-1: §SR-2

Requirement text

Estimate security risk using CVSS or a similar scoring method (e.g., MITRE, ISO/IEC Guide 51, ISO 14971). Evaluate estimated risks to determine whether they are acceptable. Inform the product risk management process about updates to the threat model.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Atomic constraints

  • Security risks SHALL be estimated using CVSS or a comparable scoring method.
  • Estimated risks SHALL be evaluated for acceptability.
  • Updates to the threat model SHALL be communicated to the product risk management process.

Common gaps

Risk estimation uses safety-derived scales inappropriate for cybersecurity

major

Cybersecurity risks are estimated using probability/severity scales designed for safety risks under ISO 14971. FDA rejects 'probability of occurrence' for cybersecurity because security exploits are not random events. Risk must be assessed based on exploitability, attacker capability, and attack complexity using frameworks like CVSS or SSVC.

Evidence signals

  • FILE_EXISTS

    CVSS.*Scoring|Security.*Risk.*Assessment|Risk.*Estimation|Threat.*Risk.*Table

  • CONTENT_MATCH

    Does this document apply a quantitative or semi-quantitative risk scoring method (such as CVSS) to security threats, with documented acceptability criteria and evaluation outcomes?

Audit defense

Our Security Risk Assessment (Doc ID: [your document ID]) applies CVSS scoring to all threats identified in the [your product] threat model, with documented acceptability thresholds. Risk evaluation outcomes are linked to the ISO 14971 Risk Management File, ensuring security risks are treated with the same rigor as safety risks.

Review your documents against this clause →

Further reading

Free compliance review. Pay only for the detailed report.

No credit card. No sales call. No consultants required.

Start My Free Review →

Read-only access. Your documents stay in your Drive.