ISO 13485 vs. ISO 9001: Why Medical Devices Need the Specialized Standard

Jared Clark

March 07, 2026

It's one of the most common questions I hear from startup medical device companies and manufacturers transitioning from other industries: "We're already ISO 9001 certified — can't we just use that?"

The short answer is no. And the longer answer explains why that distinction could mean the difference between market access and regulatory shutdown.

This guide breaks down the critical differences between ISO 13485 and ISO 9001, clarifies why medical device companies need the specialized standard, and gives you a practical roadmap for understanding which — or both — applies to your situation.


What Are ISO 13485 and ISO 9001?

ISO 9001: The General Quality Management Standard

ISO 9001 is the world's most widely adopted quality management system (QMS) standard, with over 1.1 million certifications across 188 countries according to the ISO Survey of Certifications. It applies to virtually any industry — manufacturing, services, software, construction — and is built around the concept of continual improvement and customer satisfaction.

ISO 9001:2015 is organized around seven quality management principles: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. It's a powerful, flexible framework — but flexibility is precisely what makes it insufficient for medical devices.

ISO 13485: The Medical Device QMS Standard

ISO 13485:2016 is the internationally recognized standard specifically developed for organizations involved in the design, production, installation, and servicing of medical devices and related services. Unlike ISO 9001, ISO 13485 is not a general-purpose standard — it is purpose-built for the regulatory requirements of the medical device industry.

As of 2024, ISO 13485 certification is a regulatory requirement or strong expectation in over 100 countries, including the European Union (through the Medical Device Regulation, MDR 2017/745), Canada (Health Canada), Australia (TGA), Japan (PMDA), and Brazil (ANVISA). In the United States, the FDA's Quality System Regulation (21 CFR Part 820) has been harmonized with ISO 13485 through the Quality Management System Regulation (QMSR), which became effective in February 2026.


The Core Philosophical Difference

Here's the fundamental distinction most people miss:

ISO 9001 is built around customer satisfaction and continual improvement. ISO 13485 is built around regulatory compliance and patient safety.

This isn't a subtle difference. It's a different organizing philosophy that touches every clause of the standard.

Under ISO 9001, if your customers are happy and your quality metrics are improving, you're succeeding. Under ISO 13485, customer satisfaction is largely irrelevant if your processes don't meet regulatory requirements — because the "customer" in a medical device context includes patients who may never interact with your organization directly but whose safety depends entirely on the integrity of your QMS.

ISO 13485 clause 0.1 explicitly states that the standard includes requirements for organizations to demonstrate their ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Regulatory compliance is a co-equal requirement, not an afterthought.


Key Differences: ISO 13485 vs. ISO 9001 Side by Side

Feature | ISO 9001:2015 | ISO 13485:2016
--- | --- | ---
Primary focus | Customer satisfaction & continual improvement | Regulatory compliance & patient safety
Continual improvement requirement | Mandatory, explicit | Required but subordinate to regulatory compliance
Risk management | General risk-based thinking | Formal risk management throughout (aligned with ISO 14971)
Design controls | Addressed broadly | Detailed, clause 7.3 — design and development planning, inputs, outputs, review, verification, validation, transfer
Regulatory requirements | Mentioned generally | Woven throughout every clause
Document and record control | Required | More stringent, with specific retention requirements
Sterile device requirements | Not addressed | Specific requirements for sterile products
Complaint handling | Customer feedback processes | Mandatory regulatory reporting, vigilance system integration
CAPA | Required | More prescriptive, with specific investigation depth requirements
Traceability | General | Mandatory, often to specific components and lots
Supplier controls | Required | More rigorous, with qualification and monitoring requirements
Validation | Process validation addressed | Mandatory validation of manufacturing processes, software, sterilization
Advisory notices / recalls | Not specifically addressed | Required documented procedures
Applicable industries | Any industry | Medical devices and related services only
Regulatory recognition | Limited direct recognition | Required or recognized in 100+ countries

Seven Reasons ISO 9001 Alone Is Insufficient for Medical Devices

1. Regulatory Bodies Don't Accept ISO 9001 as Equivalent

Health Canada, the EU's Notified Bodies, Australia's TGA, and many other regulators explicitly require ISO 13485 certification or an equivalent QMS demonstrating conformity with ISO 13485 requirements. ISO 9001 certification does not substitute. A CE Mark under EU MDR, for example, requires a Notified Body audit against Annex IX or Annex XI of the MDR — and those audits assess your QMS against ISO 13485:2016.

If you're ISO 9001 certified but not ISO 13485 certified, you cannot legally place medical devices on the EU market through the standard conformity assessment routes.

2. Design Controls Are Far More Rigorous

ISO 9001 addresses design and development in clause 8.3 with reasonable but general requirements. ISO 13485 clause 7.3 is significantly more prescriptive, requiring:

  • Documented design and development plans
  • Formal design inputs (functional, performance, safety, regulatory requirements)
  • Formal design outputs tied directly to inputs
  • Design reviews at planned stages
  • Design verification (confirming outputs meet inputs)
  • Design validation (confirming the device meets user needs and intended use)
  • Design transfer procedures
  • Design change controls
  • A Design History File (DHF)

This level of rigor exists because underdeveloped design controls are one of the FDA's most frequently cited deficiencies. According to FDA's 2023 Warning Letter data, inadequate design controls remain a top-five citation for 21 CFR Part 820 violations. A general QMS simply doesn't impose the discipline needed to catch design failures before they reach patients.

3. Risk Management Is Deeply Integrated

ISO 9001:2015 introduced "risk-based thinking" as a concept, but it doesn't prescribe how risk management should be implemented. ISO 13485 requires risk management throughout the product lifecycle — and this is tightly coupled with ISO 14971:2019, the international standard for risk management for medical devices.

Under ISO 13485, risk management isn't a separate activity you perform once during development. It's integrated into design controls, purchasing controls, production and service controls, post-market surveillance, and CAPA processes. This systematic, documented approach to risk is what regulators evaluate when determining whether your organization can demonstrate that risks to patients are identified, assessed, controlled, and monitored.

4. Post-Market Requirements Are Fundamentally Different

In ISO 9001, customer satisfaction and feedback are monitored to drive improvement. In ISO 13485, post-market activities carry legal and regulatory significance. Clause 8.2 of ISO 13485 requires:

  • A documented feedback system that feeds back into design, production, and risk management processes
  • Complaint handling with specific investigation requirements
  • Reporting to regulatory authorities (vigilance reporting)
  • Advisory notice and recall procedures

The EU MDR goes further, requiring a Post-Market Surveillance (PMS) plan, Periodic Safety Update Reports (PSURs) for Class IIa, IIb, and III devices, and Post-Market Clinical Follow-up (PMCF). ISO 9001's customer satisfaction framework cannot support this regulatory infrastructure.

5. Traceability Requirements Are Non-Negotiable

For medical devices, traceability isn't just good practice — it's a patient safety imperative. ISO 13485 clause 7.5.9 requires that organizations maintain the ability to trace a device through its entire production history, including:

  • Raw materials and components
  • Production personnel and equipment
  • Inspection results
  • Sterilization records (where applicable)

This traceability is what enables an effective recall. Without it, a company cannot identify which patients received potentially affected devices — a failure that has contributed to serious public health events. ISO 9001's traceability requirements are far less specific.

6. Process Validation Is Mandatory and Prescriptive

ISO 13485 clause 7.5.6 requires validation of any manufacturing process where the output cannot be fully verified by subsequent inspection. For medical devices, this commonly includes sterilization, aseptic filling, injection molding of critical components, welding, and software used in manufacturing.

The standard requires documented protocols, approved methods, established acceptance criteria, and revalidation when changes occur. ISO 9001 addresses validation more generally. The medical device industry's product liability exposure and patient safety stakes demand the more rigorous approach ISO 13485 mandates.

7. The Entire Supply Chain Must Meet Higher Standards

ISO 13485 clause 7.4 imposes more stringent supplier qualification and monitoring requirements than ISO 9001. Medical device manufacturers must:

  • Evaluate and select suppliers based on their ability to meet requirements, including QMS requirements
  • Define the type and extent of control based on risk
  • Maintain approved supplier lists
  • Re-evaluate suppliers periodically

For critical suppliers, this often means requiring ISO 13485 certification of the supplier themselves — or conducting supplier audits. The supply chain failures that have contributed to medical device recalls underscore why this rigor is necessary.


Can You Hold Both ISO 9001 and ISO 13485 Certifications?

Yes — and for some organizations, it makes strategic sense. Companies that manufacture both medical devices and non-medical products (industrial equipment, consumer electronics, etc.) may maintain both certifications to serve different market segments.

However, ISO 13485:2016 was deliberately designed so that organizations can align their QMS with both standards simultaneously. The 2016 revision of ISO 13485 aligned its structure more closely with ISO 9001:2015's High-Level Structure (HLS), making integrated QMS implementation more manageable.

For a pure-play medical device company, ISO 13485 alone is typically sufficient and more appropriate. The additional overhead of maintaining ISO 9001 certification is rarely justified unless non-medical markets require it.


Does ISO 13485 Apply to Your Organization?

ISO 13485 clause 1 defines scope: the standard applies to organizations involved in one or more stages of the lifecycle of a medical device, including:

  • Design and development
  • Manufacturing
  • Storage and distribution
  • Installation
  • Servicing
  • Final decommissioning and disposal

Critically, ISO 13485 also applies to suppliers and service providers to medical device companies — even if those organizations don't consider themselves to be in the medical device industry. A contract manufacturer, sterilization facility, software developer creating device software, or labeling company may all be required by their medical device OEM customers to hold ISO 13485 certification.

ISO 13485:2016 applies to any organization involved in any stage of the medical device lifecycle, regardless of whether that organization considers itself a "medical device company" in the traditional sense.


The FDA QMSR: Harmonization with ISO 13485

For U.S.-focused companies, a landmark regulatory change reinforces the primacy of ISO 13485. The FDA's Quality Management System Regulation (QMSR), finalized in February 2024 and effective February 2026, replaces the legacy Quality System Regulation (21 CFR Part 820) with a framework that incorporates ISO 13485:2016 by reference.

This means that compliance with ISO 13485:2016 is now the foundation of FDA QMS compliance for medical device manufacturers. Organizations that built their QMS around ISO 9001 without incorporating ISO 13485 requirements will need to retrofit significant elements — design controls, risk management integration, post-market processes, and more — to meet QMSR expectations.

The FDA's QMSR, effective February 2026, incorporates ISO 13485:2016 by reference, making conformance with ISO 13485 the de facto baseline for U.S. medical device QMS compliance.


Practical Roadmap: Transitioning from ISO 9001 to ISO 13485

If your organization holds ISO 9001 and needs to implement ISO 13485, here's a practical sequence:

  1. Gap assessment — Compare your current QMS against ISO 13485:2016 clause by clause. Identify what's missing, what needs enhancement, and what can be leveraged.
  2. Regulatory requirements mapping — Identify all applicable regulatory requirements in your target markets (EU MDR, FDA QMSR, Health Canada, etc.) and map them to your QMS.
  3. Prioritize design controls and risk management — These are typically the largest gaps for ISO 9001-certified organizations and take the most time to develop properly.
  4. Update document structure — Implement ISO 13485-compliant documentation, including a Quality Manual, quality policy, quality objectives, and all required procedures and records.
  5. Training — Ensure all personnel understand the new requirements and their individual responsibilities.
  6. Internal audit — Conduct a full internal audit against ISO 13485 before engaging a Notified Body or certification body.
  7. Management review — Conduct a formal management review that addresses all ISO 13485-required inputs and outputs.
  8. Certification audit — Engage an accredited certification body for Stage 1 (document review) and Stage 2 (site audit) certification.

At Certify Consulting, I've guided organizations through this transition across a wide range of device classifications and markets. The gap between ISO 9001 and ISO 13485 is real but bridgeable — and doing it right the first time avoids the costly rework that comes from trying to retrofit a general QMS after a regulatory finding.

Organizations transitioning from ISO 9001 to ISO 13485 typically find the largest gaps in design controls (clause 7.3), risk management integration, and post-market surveillance processes — not in the general QMS infrastructure they've already built.


Working with an ISO 13485 Expert

With over 200 clients served and a 100% first-time audit pass rate, Certify Consulting has helped medical device companies at every stage — from startups building their QMS from scratch to established manufacturers upgrading from ISO 9001. Whether you need a full gap assessment, implementation support, or pre-audit preparation, having an experienced guide makes the process faster, cheaper, and far less stressful.

You can also explore related guidance on this site, including our in-depth guide to ISO 13485 design controls requirements and our overview of ISO 13485 certification costs and timelines.


Frequently Asked Questions

Can ISO 9001 certification substitute for ISO 13485 in medical device markets?

No. Regulatory bodies in the EU, Canada, Australia, Japan, Brazil, and most other major medical device markets explicitly require ISO 13485 or an equivalent QMS demonstrating conformance with ISO 13485 requirements. ISO 9001 certification does not satisfy these requirements and cannot be substituted for ISO 13485 in conformity assessment procedures.

What is the main difference between ISO 13485 and ISO 9001?

The fundamental difference is purpose and philosophy. ISO 9001 is built around customer satisfaction and continual improvement. ISO 13485 is built around regulatory compliance and patient safety. This difference is reflected in more rigorous requirements for design controls, risk management, traceability, process validation, and post-market surveillance that ISO 9001 does not impose.

Do suppliers to medical device companies need ISO 13485 certification?

Not always by law, but increasingly in practice. ISO 13485 applies to organizations involved in any lifecycle stage of a medical device — which can include suppliers. Many medical device OEMs require key suppliers to hold ISO 13485 certification or demonstrate conformance as part of their supplier qualification process. Contract manufacturers, sterilization facilities, and software developers are commonly asked to certify.

How does the FDA's new QMSR relate to ISO 13485?

The FDA's Quality Management System Regulation (QMSR), effective February 2026, replaces the legacy 21 CFR Part 820 Quality System Regulation and incorporates ISO 13485:2016 by reference. This makes ISO 13485 conformance the foundation of FDA QMS compliance. Organizations already certified to ISO 13485:2016 are well-positioned for QMSR compliance, while those relying solely on ISO 9001 will need significant QMS enhancements.

Can a company be certified to both ISO 9001 and ISO 13485?

Yes. Companies that serve both medical device and non-medical markets often maintain both certifications. ISO 13485:2016 was aligned with ISO 9001:2015's structure to facilitate integrated implementation. However, for organizations exclusively in the medical device space, ISO 13485 alone is typically sufficient and more appropriate.


Last updated: 2026-03-05

Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.