ISO® 13485 is the internationally recognized quality management system (QMS) benchmark for medical device manufacturers. 

This certification emphasizes establishing a robust quality management system that enhances product and service quality while prioritizing patient safety. Healthcare institutions can gain confidence through ISO® 13485 certification, which helps foster trust among patients, regulatory bodies, and stakeholders. 

Additionally, ISO® 13485 complements the information security needs of IT and SaaS companies that build or host medical software. As medical technologies digitize and interconnect, data security becomes part of device safety. ISO® 13485 is a quality standard, not an information security standard, but several of its requirements overlap with the discipline an information security management system (ISMS) such as ISO® 27001 demands: risk management, process control, validation of software used in the QMS, and protection of confidential health information held in records. 

To simplify your certification journey, the ISMS Connect team has put together this in-depth guide to ISO® 13485. We’ll cover costs, scope, requirements, and best practices to make the entire process easier.

What Is ISO® 13485?

ISO® 13485 is an international standard published by ISO that specifies requirements for a quality management system (QMS) for organizations that design, develop, produce, install or service medical devices. Certification is voluntary in the sense that ISO itself mandates nothing, but many regulators accept or expect conformity with it, so in practice it is often a condition of market access.

The standard’s scope covers the whole device lifecycle, including:

  • Design
  • Development
  • Documentation
  • Risk management
  • Production
  • Post-production
  • Non-conforming products
  • Changes & alterations

In each of these areas, ISO® 13485 sets out clear requirements that allow companies to reduce risk and ensure their products meet both customer expectations and regulatory requirements.

Benefits of ISO® 13485 Certification

Faster Product Development Cycles

A well-implemented ISO® 13485 QMS makes development more predictable and can shorten the time it takes for a product to go from development to delivery, because design reviews, verification and validation are planned rather than improvised. 

A healthcare equipment manufacturer that wants to introduce a new medical device can use ISO® 13485 guidelines to streamline design, testing, and validation procedures. This not only helps the company bring the device to market faster but also ensures that it meets regulatory standards and customer expectations.

Create a Culture of Continual Improvement

ISO® 13485 promotes continual improvement by requiring regular assessment of processes through internal audits, management review, and corrective and preventive action. The same discipline carries over to an IT/SaaS company that stores or shares medical data. 

Such a company can routinely evaluate its information security controls, identify vulnerabilities, and feed the findings into the same corrective-action process it uses for product defects. This helps protect sensitive patient information and adapt to evolving threats.

Evidence-Based Decision-Making

ISO® 13485 certification requires companies to make decisions based on accurate data and evidence. For a healthcare software development company launching a new application, adhering to ISO® 13485 standards means collecting user feedback, conducting thorough testing, and analyzing performance data. 

This data-driven approach allows for informed decisions and the creation of software solutions that meet industry requirements and prioritize users.

Understanding the Cost of ISO® 13485 Certification

The cost of ISO® 13485 certification depends on a range of factors, including:

  • Company size
  • Number of products
  • Complexity of products
  • Level of support required
  • Certification body used

Generally, the cost of ISO® 13485 is reported over 2–3 years since there are ongoing costs like surveillance audits and re-certification. Precise figures depend on the organization, but a 3-year range for an SMB might be $10,000 to $25,000+ (depending on how much of the work is done in-house).

There are also additional costs you might incur, including:

Assessment and Gap Analysis

Before certification, companies typically conduct an initial assessment or gap analysis. This involves evaluating existing processes against ISO® 13485 requirements to pinpoint areas for improvement. While this step incurs costs, it’s essential for laying the groundwork for certification.

Process Improvement

Aligning your practices with ISO® 13485 standards may necessitate process enhancements or restructuring. This could entail updating documentation, revising workflows, and implementing new procedures. Though costs vary, these changes are crucial for achieving compliance.

Training and Education

ISO® 13485 certification often mandates training employees to understand standard requirements and their application. This might involve workshops, seminars, or hiring experts for in-house training. While upfront costs are involved, this equips your team with vital knowledge.

Documentation and Auditing

Maintaining documentation showcasing adherence to ISO® 13485 includes policies, procedures, records, and reports. Partnering with an accredited certification body for audits incurs fees covering site visits and assessment services.

Certification Body Fees

ISO® 13485 certifications are offered by certification bodies, both accredited and non-accredited. Companies choose a certification body based on factors such as customer demand, budget, lead time, and implementation level. Accredited certification bodies are considered more reputable and reliable than non-accredited ones, and in practice a certificate from a non-accredited body is often not accepted by regulators or by customers’ supplier-qualification processes, so the cheaper option can turn out to be worthless for the purpose it was bought for.

Certification body process                                              Non-accredited   Accredited
Application scrutiny and proposal (Stage I and Stage II audit man-days)                  
Stage I document review audit                                           $500             $1,000
Stage II certification audit                                            $1,000           $3,000
Issue of certificate                                                    $500             $1,000
Total                                                                   $2,000           $5,000

The certification process involves application scrutiny, a document review audit (Stage I), the certification audit (Stage II), and issuance of the certificate. In this illustration, the costs for a small business with fewer than 10 employees range from about $2,000 with a non-accredited body to $5,000 with an accredited body. Additional fees apply for every additional 10 employees, since audit man-days scale with headcount.

How To Prepare for ISO® 13485 Certification

1. Familiarize Yourself with the Guidelines

Before diving into the certification process, it is essential to understand the requirements and guidelines outlined in ISO® 13485. This standard outlines the quality management system (QMS) requirements for the design, development, production, and distribution of medical devices. 

  • Example for Healthcare: A medical device manufacturer must ensure that their QMS includes procedures for risk management, design control, and post-market surveillance to meet ISO® 13485 requirements.
  • Example for IT/SaaS Companies: An IT/SaaS company whose software is itself a medical device, or that processes patient data on a manufacturer’s behalf, must additionally map its QMS to data protection regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). ISO® 13485 does not replace those regulations.

You can view a preview and purchase the complete ISO® 13485 text from the ISO website.


For more information and personalized guidance, ISMS Connect offers step-by-step guides and detailed documentation to help you make sense of the standards and ensure compliance. We also offer on-demand expert guidance designed to break down complex ISO® controls and standards into easy-to-follow steps.

2. Meet Corrective and Preventive Action (CAPA) Standards

Corrective and preventive action (CAPA) is a core requirement of ISO® 13485 (clauses 8.5.2 and 8.5.3). 

The standard separates three things that are easy to confuse. A correction removes a detected nonconformity: a recall or a software patch for a malfunctioning model is a correction. A corrective action eliminates the cause of that nonconformity so that it does not recur: for example, finding that the malfunction came from an untested firmware build path and adding a mandatory regression gate to the release process.

A preventive action eliminates the cause of a potential nonconformity before it occurs at all. For example, a thermal analysis shows that a circuit board would run close to its limit under sustained load, so the manufacturer redesigns the layout to dissipate heat better before any unit overheats in the field. If the board had already overheated, the redesign would be a corrective action.

Companies need documented procedures for identifying nonconformities and potential nonconformities, investigating root cause, recording the action taken, and verifying that the action was effective and did not introduce new risks. Corrective action prevents recurrence; preventive action prevents occurrence.

  • Example for Healthcare: A healthcare company identifies a potential issue in a medical device during production and promptly investigates to determine the root cause. They implement corrective actions, such as process adjustments or staff training, to prevent the issue from reoccurring.
  • Example for IT/SaaS Companies: An IT/SaaS company receives a data breach report and immediately launches an investigation to determine the extent of the breach and its root cause. Following the investigation, they implement corrective actions such as encryption of data at rest and in transit, multi-factor authentication, and employee security training, and then verify after an agreed period that the controls are in place and effective.

3. Prepare a Quality Plan

A well-defined quality plan serves as a roadmap for achieving ISO® 13485 compliance. The plan should outline the company’s goals, processes, responsibilities, and timelines for certification preparation.

A good quality plan should include the following elements:

  • Definition and Scope: Clearly describe the activities and objectives of the plan.
  • Quality Plan Inputs and Objectives: Identify the inputs and establish documented objectives.
  • Responsibilities and Resources: Clearly define responsibilities and allocate necessary resources for plan implementation.
  • Communications: Specify communication responsibilities and establish a methodology for effective communication.
  • Design and Development: Reference applicable plans, specifications, and regulatory requirements for design and development processes.
  • Manufacturing: Include processes, inputs, and outputs related to production and service provision.
  • Identification and Traceability: If necessary, outline requirements for identifying and tracing products.
  • Customer Property: Describe how customer property is identified, verified and protected, and how non-conforming product is controlled.
  • Control of Output Deviations: Document how deviations are identified and handled to prevent unintended use of non-conforming products.
  • Audits: Define the extent of audits and how audit results will be used to monitor implementation and verify conformity.

4. Implement Complaint Procedures

Determine the types of complaints that are relevant to your organization. These could include issues related to device functionality, safety, labeling, instructions for use, and more.

Then develop a complaint-handling procedure that sets out the steps to follow when a complaint is received. Include how complaints are documented, investigated, and resolved, and how each one is assessed for whether it must be reported to a regulatory authority and whether it triggers a CAPA. Make sure the procedure aligns with ISO® 13485 requirements and any applicable regulations.

  • Example for Healthcare: A healthcare company establishes a dedicated customer support team to handle complaints and inquiries related to their medical devices. They document each complaint and promptly initiate investigations to resolve the issues.
  • Example for IT/SaaS Companies: An IT/SaaS company implements a complaint-handling process through its customer service platform to address user concerns related to its healthcare software. Each complaint is logged, analyzed, and appropriate actions are taken to resolve them.

5. Include Purchasing Controls

Purchasing controls ensure that the materials and services used in the manufacturing or development process meet the necessary quality standards. These controls help prevent defects and non-conformities in the final product.

  • Example for Healthcare: A medical device manufacturer establishes strict supplier evaluation criteria and conducts regular audits to ensure their suppliers meet ISO® 13485 standards. They also maintain records of approved suppliers and their evaluation results.
  • Example for IT/SaaS Companies: An IT/SaaS company implements purchasing controls by selecting vendors that adhere to recognized information security standards and regularly evaluating their performance. Cloud hosting providers and third-party software components are suppliers in this sense and belong in the same supplier evaluation and monitoring process.

6. Develop MDR Procedures (Medical Device Reporting)

For organizations whose products are medical devices, procedures for reporting adverse events and malfunctions to regulators are mandatory. ISO® 13485 requires documented procedures for notifying regulatory authorities (clause 8.2.3). The US FDA calls this Medical Device Reporting (MDR); the EU and other jurisdictions have equivalent vigilance requirements, and the abbreviation should not be confused with the EU Medical Device Regulation, which is also called MDR. Beyond the legal duty, the reported data is an input to continuous improvement and patient safety.

  • Example for Healthcare: A medical device manufacturer establishes clear MDR procedures and educates their employees on how to recognize and report adverse events. They maintain records of all reported incidents and analyze the data to identify potential trends.
  • Example for IT/SaaS Companies: An IT/SaaS company whose software is regulated as a medical device needs the same procedures. A malfunction reported by a user, or a security vulnerability that could lead to patient harm, is a potential reportable event and must be triaged against the reporting criteria and deadlines of each market the product is sold in. Vulnerability disclosure handling and adverse-event reporting should feed the same CAPA process.

7. Conduct the First Internal Audit

An internal audit assesses the company’s QMS to identify areas of improvement and compliance gaps. Conducting internal audits at regular intervals helps companies identify and address issues before the official ISO® 13485 certification audit.

  • Example for Healthcare: A medical device manufacturer conducts an internal audit, involving auditors from different departments, to evaluate their QMS’s effectiveness and compliance with ISO® 13485 standards.
  • Example for IT/SaaS Companies: An IT/SaaS company performs an internal audit that includes evaluating information security controls, data access permissions, and incident response procedures.

8. Implement Corrective Actions

Following the internal audit, any identified nonconformities or issues must be addressed promptly through corrective actions. This demonstrates the company’s commitment to continuous improvement.

  • Example for Healthcare: A medical device manufacturer implements corrective actions by revising certain manufacturing processes based on the findings of the internal audit to ensure compliance with ISO® 13485 requirements.
  • Example for IT/SaaS Companies: An IT/SaaS company takes corrective actions by updating its information security protocols and conducting additional training for its employees on data protection measures.

9. Organize the First Management Review

A management review is a crucial step to assess the QMS’s effectiveness and the progress made toward ISO® 13485 certification. 

The standard defines mandatory inputs and outputs for the management review (clauses 5.6.2 and 5.6.3):

  • Inputs: Feedback, complaint handling, reporting to regulatory authorities, audits, monitoring and measurement of processes and of product, corrective action, preventive action, follow-up actions from previous reviews, changes that could affect the QMS, recommendations for improvement, and applicable new or revised regulatory requirements.
  • Outputs: Recorded decisions and actions on improvements needed to maintain the suitability, adequacy and effectiveness of the QMS and its processes, improvement of product related to customer requirements, changes needed to respond to regulatory requirements, and resource needs. Records of the review must be retained.

Top management must actively participate in these reviews and take corrective actions as necessary.

  • Example for Healthcare: The management of a medical device manufacturer holds a review meeting to evaluate the company’s progress towards ISO® 13485 certification, discussing any challenges and necessary adjustments to achieve compliance.
  • Example for IT/SaaS Companies: The executive team of an IT/SaaS company holds a management review to assess the implementation of information security measures and address any gaps in their QMS.

Best Practices in ISO® 13485 Certification

The path to ISO® 13485 certification can be both challenging and rewarding, paving the way for enhanced quality management and regulatory compliance in the healthcare and IT/SaaS sectors. To navigate this journey successfully, it’s essential to adopt a strategic approach. Let’s delve into best practices that Healthcare and IT/SaaS companies can follow when preparing for ISO® 13485 certification.

Find the Right Partner

When embarking on the ISO® 13485 certification journey, it can be helpful to collaborate with experts who have a deep understanding of the standard and how it applies to your specific industry. 

Engaging a consultant or partnering with a certification body that specializes in healthcare or IT/SaaS can provide valuable guidance. For example, a healthcare software company looking to obtain certification can benefit from a partner who understands the complexities of medical data security and can offer tailored guidance.

We understand that information security management can be a complex topic, especially for SMBs. At ISMS-Connect, we offer business clear, jargon-free guidance through step-by-step guides, documents, templates, on-demand support from expert consultants, and access to a community of similar businesses.

500+ customers certified across the Globe

We help small and mid-sized organisations from all sectors succeed in their security strategy.


We’ve helped 500+ customers implement compliant ISMSs across a range of industries, from healthcare and finance to IT and SaaS. Our fee structure is designed to be transparent and affordable, giving businesses access to as much support as they need at no additional cost.

But don’t just take our word for it. Markus Haas (CEO of Pionsys Informationstechnologie) had this to say about the company’s experience with ISMS Connect:

“We particularly liked the fact that ISMS Connect accelerated the implementation of the ISMS and the creation of the documents. We were able to take a lot of structure and information directly from the templates and integrate it into our ISMS documentation. At the same time, the templates also helped us to develop a better understanding of the ISMS.”

Get started today and fast-track certification.

Educate Stakeholders

Successful certification requires a collective effort. 

You need to involve a range of stakeholders within your organization through education and awareness campaigns. Educate your team members about the importance of ISO® 13485 and how it aligns with your company’s goals. Highlight the benefits of certification, such as improved process efficiency and enhanced reputation.

Perform an Initial Feasibility Assessment

Before diving into the certification process, conduct a feasibility assessment to evaluate your organization’s readiness. Identify existing gaps in processes, documentation, and practices. 

This assessment helps in setting realistic expectations and allows you to allocate resources effectively. For example, an IT/SaaS company focusing on medical data storage can assess its current information security protocols and identify areas that need strengthening to comply with ISO® 13485.

Address Questions Succinctly

As you move forward, anticipate questions from stakeholders and team members about the certification process. Address these inquiries succinctly, clarifying the purpose and benefits of ISO® 13485. 

Provide examples specific to your industry. For instance, if your healthcare organization is asked about the relevance of ISO® 13485, explain how it ensures consistent quality in medical device manufacturing, contributing to patient safety and regulatory compliance.

Create a Plan for Your On-Site Audit

One of the critical phases of ISO® 13485 certification is the on-site audit conducted by an accredited certification body. Develop a comprehensive plan detailing the audit process, the areas to be assessed, and the timeline. 

Ensure that your team is well-prepared for the audit and understands what to expect. If you’re an IT/SaaS company, outline how your information security measures align with ISO® 13485’s requirements and prepare evidence to showcase your compliance during the audit.

Foster a Culture of Continuous Improvement

ISO® 13485 certification is not a one-time accomplishment; it’s a commitment to ongoing excellence. Instill a culture of continuous improvement within your organization. Encourage teams to identify opportunities for enhancing processes, whether in healthcare workflows or IT security protocols. Regularly review your quality management system to ensure it remains aligned with ISO® 13485 standards.

Leverage Technology

Utilize technology to streamline and document your ISO® 13485 efforts. Implement software that tracks progress, controls documents and records, and manages CAPA and complaints. For instance, an IT/SaaS company can use encryption and access control to protect confidential health information held in records, which ISO® 13485 explicitly requires (clause 4.2.5). One caveat: software used to support the QMS must itself be validated before use and after changes (clause 4.1.6), so a tool adopted to help with compliance brings a validation obligation with it.

Regular Training and Awareness

Maintain a well-informed workforce by conducting regular training sessions and awareness programs. Ensure that employees at all levels understand their roles in upholding ISO® 13485 requirements. 

An informed workforce is more likely to adhere to best practices and contribute to the success of the certification process. 

Regular error-reduction training is widely reported to cut process deviations substantially, with reductions of up to 60% over 12 months sometimes cited. That means fewer mistakes that put patients, healthcare providers, and the company’s reputation at risk.


ISO® 13485 certification presents an invaluable opportunity for Healthcare and IT/SaaS companies to strengthen their quality management systems and information security practices. 

The benefits, as discussed in this article, are far-reaching—from accelerated processes and evidence-based decision-making to an enhanced market reputation. By adhering to best practices, including partnering with experts, educating stakeholders, and leveraging technology, businesses can streamline their path to certification.

As you embark on your ISO® 13485 certification journey, ISMS Connect stands ready to empower your progress. Join our community, access resources, and tap into expert guidance to simplify the process, ensuring your business’s success in the realms of quality management and information security.

Ready to elevate your certification journey? Discover ISMS Connect today!