Comparison
ISO 9001 vs ISO 13485 — side-by-side
How ISO 9001:2015 and ISO 13485:2016 differ — clause structure, design controls, risk management, regulatory linkage. A side-by-side table for QMS architects.
Both standards live under the ISO/TC 176 family and both define quality management systems. ISO 9001:2015 is generic; ISO 13485:2016 is the medical-device interpretation. They diverge on structure, on tone (13485 is markedly more prescriptive), and on regulatory hooks. Here is the side-by-side.
At a glance
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Structure | High Level Structure (Annex SL), 10 clauses | Pre-Annex SL structure, 8 clauses |
| Audience | Any organisation, any sector | Medical-device organisations |
| Tone | Outcome-oriented; flexible | Prescriptive; regulatory-aligned |
| Risk-based thinking | Throughout (clause 6.1 and woven) | Throughout, but heavier on product risk per ISO 14971 |
| Documented information | Required where it adds value | More explicit minimum set |
| Design and development | One clause (8.3); generic | Detailed clause 7.3 with V&V, transfer, history file |
| Sterile and implantable products | Not addressed | Specific clauses 7.5.5 to 7.5.11 |
| Post-market surveillance | Implied via 9.1 + 9.3 | Explicit feedback (8.2.1), reporting to authorities (8.2.3) |
| Customer property and customer feedback | 8.5.3 customer property; 9.1.2 customer satisfaction | More prescriptive feedback procedure |
| Software validation | Not specifically addressed | Explicitly required (4.1.6, 7.5.6, 7.6) |
| Regulatory linkage | Not explicit | “And applicable regulatory requirements” throughout |
| Continual improvement | 10.3 | Implied via CAPA + post-market |
| Notified body relevance | None | Direct, basis for CE marking under EU MDR / IVDR |
Clause-by-clause mapping
ISO 9001:2015 follows the Annex SL High Level Structure. ISO 13485:2016 deliberately stayed on the older spine. Mapping requires translation:
| ISO 9001:2015 | ISO 13485:2016 |
|---|---|
| 4 Context of the organisation | 4.1 General requirements |
| 4.4 QMS and its processes | 4.1.2, 4.1.3 |
| 5 Leadership | 5 Management responsibility |
| 5.1 Leadership and commitment | 5.1, 5.2 |
| 5.2 Policy | 5.3 Quality policy |
| 5.3 Roles, responsibilities, authorities | 5.5 Responsibility, authority and communication |
| 6 Planning | 5.4 Planning, 7.1 Planning of product realisation |
| 6.1 Risk and opportunity | 4.1.2 (process risk), 7.1 (product risk via ISO 14971) |
| 6.2 Quality objectives | 5.4.1 Quality objectives |
| 7 Support | 6 Resource management, 4.2 Documentation |
| 7.1.5 Monitoring and measuring resources | 7.6 Control of monitoring and measuring equipment |
| 7.2 Competence | 6.2 Human resources |
| 7.4 Communication | 5.5.3 Internal communication, 7.2.3 Customer communication |
| 7.5 Documented information | 4.2 Documentation requirements |
| 8 Operation | 7 Product realisation |
| 8.1 Operational planning and control | 7.1 |
| 8.2 Requirements for products and services | 7.2 |
| 8.3 Design and development | 7.3 (substantially expanded) |
| 8.4 Externally provided processes | 7.4 Purchasing |
| 8.5 Production and service provision | 7.5 |
| 8.6 Release of products and services | 7.4.3 Verification of purchased product, 8.2.6 Monitoring of product |
| 8.7 Control of nonconforming outputs | 8.3 Control of nonconforming product |
| 9 Performance evaluation | 8 Measurement, analysis and improvement |
| 9.1 Monitoring, measurement, analysis | 8.2 Monitoring and measurement |
| 9.2 Internal audit | 8.2.4 Internal audit |
| 9.3 Management review | 5.6 Management review |
| 10.2 Nonconformity and corrective action | 8.5.2 Corrective action |
| 10.3 Continual improvement | 8.5.1 General (improvement) |
Where the standards substantively differ
Design and development
ISO 9001 clause 8.3 is one clause with sub-bullets. ISO 13485 clause 7.3 is a procedure handbook in nine sub-clauses, with explicit V&V, transfer to manufacturing, design history file, design changes, and design review records. If you ship a medical device, 13485 is the floor.
Risk management
ISO 9001 talks about risk to the QMS and to outcomes. ISO 13485 hooks to ISO 14971 for product risk, which is a far more disciplined, lifecycle-oriented practice with a required risk management plan, risk analysis, risk evaluation, risk control, residual-risk evaluation, and benefit-risk analysis. Both are needed in a 13485 environment.
Post-market surveillance
ISO 13485 makes feedback (8.2.1), complaint handling (8.2.2), and reporting to regulatory authorities (8.2.3) explicit. ISO 9001 does not address regulator reporting.
Sterile and implantable products
ISO 13485 has clauses dedicated to cleanliness, contamination control, sterilisation processes, particular requirements for implants, and servicing. ISO 9001 does not.
Software
ISO 13485:2016 explicitly requires validation of software used in the QMS, in production, and in monitoring and measurement. ISO 9001 does not.
When to certify to which
| Situation | Certification |
|---|---|
| Generic services or products without medical use | ISO 9001 |
| Medical-device manufacturer or developer | ISO 13485 (often with regulatory CE / FDA hooks) |
| Medical-device contract manufacturer | ISO 13485 + IATF or sector overlay if relevant |
| Software-only medical device (SaMD) | ISO 13485 + IEC 62304 + risk management |
| Generic software organisation also serving medical-device customers | ISO 9001 + ISO/IEC 90003 + supplier-side ISO 13485 elements as required by customer |
| Mixed product line (some medical, some not) | Often two scopes (one 9001, one 13485), or 13485 covering all if practicable |
Practical advice
- If you are pre-revenue and aiming at EU medical-device markets, plan to be 13485 and ISO 14971 ready before the first regulatory submission.
- If you already hold ISO 9001 and are entering the medical-device market, plan a 9-to-12-month bridge programme to add the 13485 deltas documented above.
- Do not pretend ISO 9001 covers your medical-device obligations. EU MDR and equivalent regulators reference 13485 directly.
Audit experience differs
The audit experience is also distinct. ISO 9001 audits sample broadly across processes; the auditor expects a working management system and is satisfied with evidence that controls operate. ISO 13485 audits dig deeper: design history files are reviewed in detail, sterile-process validation evidence is examined, and post-market surveillance is sampled against incidents in the public adverse-event registries. Auditors of 13485 are typically chosen for sector experience and notified-body qualifications. Plan for the 13485 audit to consume more time per auditee, with more documentary evidence requested up front.
A second practical difference is the relationship with regulators. ISO 9001 conformance is independent of any regulator; you decide whether to certify and which body to certify with. ISO 13485 conformance is the gateway to regulatory market access: under EU MDR, conformity assessment modules invoke ISO 13485 directly; under MDSAP, audits cover Australia, Brazil, Canada, Japan and the US in a single programme. The 13485 certificate becomes part of the technical documentation submitted to notified bodies and competent authorities.
Documentation expectations also differ in tone. ISO 9001 lets you choose how prescriptive procedures need to be; ISO 13485 expects defined procedures for many specific topics: design transfer, sterile-barrier control, traceability of components in implantable devices, advisory notices, and so on. Light-touch documentation that satisfies a 9001 auditor will not pass a 13485 surveillance audit.
Cost and timeline
Initial certification to ISO 9001 typically runs 12 to 16 weeks for a small organisation, with a stage 1 plus stage 2 audit and modest documentation effort. Initial certification to ISO 13485 typically runs 6 to 12 months for a medical-device organisation, with substantial design-control documentation, ISO 14971 risk file build-out, supplier audits, and process validation. Annual surveillance and three-year recertification follow the same cadence in both schemes.
Budget-wise, expect 13485 certification to cost 1.5 to 3 times what a 9001 certification costs for an equivalent organisation, driven by audit day count, sector-specialised auditor rates, and the documentation review effort.
Common confusion to avoid
Two patterns trip up teams new to medical devices:
- Treating the ISO 9001 certificate as adequate evidence for medical-device customers. Most medical-device OEMs require ISO 13485 from suppliers contributing to product realisation. A 9001 certificate is a starting point; it is not a substitute.
- Assuming that adopting ISO 13485 alone solves regulatory access. The certificate proves the QMS conforms; it does not prove the device is conformant. Device conformity flows through the relevant regulation (EU MDR, FDA QSR, equivalent national rules) and the conformity assessment route applicable to the device’s risk class.