Step-by-step Guide to ISO 13485 Compliance

Quality Management Systems (QMS) help medical device developers create high-quality products that are safe, efficient, and compliant with regulatory requirements. However, the way businesses set up and use a QMS can differ greatly, which inevitably has a knock-on effect on product quality. That’s why the International Organization for Standardization (ISO) developed and published ISO 13485, one of the most important global standards for Quality Management System compliance in MedTech. ISO 13485 compliance demonstrates a commitment to high quality, impeccable safety standards, stakeholder satisfaction, and regulatory compliance. Read on to learn more about this important standard and how you can achieve certification in your organization.

What exactly is ISO 13485?

ISO 13485:2016 - Quality management systems is a regulatory standard specifically designed to govern the way medical device manufacturers set up and use Quality Management Systems. The third and latest edition of ISO 13485 was published in 2016 and is considered the most up-to-date version.

The purpose of ISO 13485 is to standardize and harmonize the use of QMS in the development of medical devices. In addition to that, the standard is also designed to ensure businesses use their medical device QMS in the most effective way possible while guaranteeing the safest design and production of their products.

By following these guidelines, organizations can reap many key benefits (more on that later) while demonstrating that their medical devices are top-notch and compliant with regulatory requirements. 

How is ISO 13485 different from ISO 9001?

If you’re already familiar with ISO 9001, you may be wondering what the point of ISO 13485 for QMS is. To cut a long story short, the main difference between these two standards is their scope and specificity. ISO 9001, originally published in 1987 and most recently updated in 2015, is the international standard for QMS implementation for all industries.

ISO 13485, on the other hand, was born out of a need to have a QMS regulatory standard that was very specific to the development of medical devices. As time went on, medical devices had become increasingly complex, including much more software and leveraging exciting new technological innovations that need quality control for safety and privacy reasons. To that end, ISO 13485 also includes additional requirements regarding documentation, working environments, contamination control, cleanliness, and more. 

In practice, it’s actually not uncommon for medical device manufacturers to certify themselves to both ISO 13485 and ISO 9001, depending on the products and services that they offer. The good news is that complying with ISO 13485 makes ISO 9001 certification much easier since there is a significant overlap between the two standards.

Benefits of complying with ISO 13485

There are plenty of benefits (apart from the fact that you’re complying with regulatory requirements) that come along with achieving your ISO 13485 certification, making the hard work of implementing a medical device Quality Management system thoroughly worth it. Here are a couple of the main ones:

  • Happier customers: Apart from helping with regulatory compliance, ISO 13485 is also designed to optimize the way you manage product quality in your organization. Getting it right means you are in a position to consistently deliver top-quality products and updates to your customers, meeting their needs and keeping them satisfied as a result.
  • Competitive edge: Under the latest version of ISO 13485, companies are responsible for making sure that any subcontractors or third parties they work with also conform to ISO 13485 requirements. As a result, many businesses simply prefer to work with organizations that are already ISO 13485-certified. This means that having the certificate can help you stay a step ahead of the competition, win new clients, and improve the reputation of your business as a whole.
  • Expansion opportunities: Depending on what kind of medical devices you produce, ISO 13485 compliance can be a prerequisite for entering key global markets with your products. It acts as an international stamp of the highest product quality possible. So apart from winning new business, being certified also allows you to expand globally and reach new markets.
  • Cost reduction: ISO 13485 helps you optimize the way you work, in order to produce the most efficient and safe medical devices possible. This also has a positive effect on day-to-day business operations, streamlining them where possible, and ultimately saving time and money on costly reworks.
  • Better knowledge-sharing and collaboration: ISO 13485 lays out really demanding requirements when it comes to documentation. One of the upsides of this is that you end up with a central repository of information that makes it possible for your team to access key information when they need it, which in turn could make collaboration a smoother process.

Practical tips for ISO 13485 compliance

Now that you’re up to speed on ISO 13485 compliance and what it can do for you and your organization, let’s explore the steps of the certification and compliance process.

  • Decide if this is the right standard for you

If you develop medical devices or provide products and services to companies that do, odds are that you will need to comply with ISO 13485, or regulation with similar requirements based on this one. Some of the countries and regions that require ISO 13485 certification are: Europe, Canada, USA, Japan, Australia, Singapore, and Malaysia.

  • If the answer is yes, get yourself a copy

Next, you need to get yourself a copy of ISO 13485 and any supporting documents you might need. Make sure that you get a copy of the most recent version of the standard (it makes a difference), familiarize yourself with the requirements, and get ready to kick off your certification journey.

  • Compare and contrast

Now it’s time to assess your organization’s existing processes and figure out where you may be falling short. This helps you identify the gap between what you’re already doing and what you need to be doing to comply with ISO 13485 requirements. Based on this gap analysis, you will know what to include in your implementation plan.

  • Time to create a plan

With the standard itself and your gap analysis in hand, you can now move on to creating an implementation plan and scoping out the project. Your implementation plan should exhaustively outline how you will address the gaps you identified in Step 3; this means including every task you plan to carry out in the process. Your task descriptions should outline responsibility and timelines, as well as what training and resources you’ll need to get it done. Finally, your plan should also include your quality manual, policies, and cost estimates so that you can build a solid business case.

  • Get the buy-in you need

At this stage, it’s important to present your business case to management in order to get the buy-in and support you need to achieve ISO 13485 compliance. Any relevant stakeholders should also be brought up to speed, and employees should be advised and provided with any necessary training. All of this ensures that everyone is prepared well in advance, meaning less disruption to daily business operations and work activities when the compliance process is underway.

  • Execute your plan

Start executing the tasks and activities outlined in your implementation plan. Make sure to monitor progress and document any changes as you go along. You will need to use your new MedTech Quality Management System or updated QMS setup for at least three months in order to qualify for an external audit by a third party.

  • Review progress

In other words, this is when you conduct an internal audit (to make sure you’re ready for the external ones). First, you need to evaluate how your MedTech QMS is doing and double-check it against an ISO 13485 checklist. Next, management needs to review the QMS data as well, verify that the project is on track and that resources are available to maintain these new processes as well as improve them over time. Finally, make any last changes based on feedback before scheduling a third-party audit.

  • Set up your third-party audit

Choose a certification body with all the necessary accreditations and relevant experience. You will need to fill out an application with all of your business details to get a proposal and once you accept it, kickstart the assessment phase. Then you will have two visits from an auditor, and several reports later you will find out if you have achieved compliance or not.

  • Get (and maintain) your certified status

If you followed the requirements accurately, you will now be ISO 13485 compliant and certified as such for the next three years. In order to stay certified throughout the three-year certification cycle, you need to complete an annual surveillance audit and keep your certification body informed of any major changes to the business.

If you are part of the medical device and pharmaceutical supply chain, either developing devices yourself or providing products and services to organizations that do, chances are you would benefit from ISO 13485 QMS compliance.