BSI vs ISOQAR: Which ISO Training and Certification Body Is Right for You? (2026)

Choosing between BSI vs ISOQAR for ISO training or certification affects your audit experience, certificate recognition, and long-term compliance costs. This guide compares both providers across training depth, certification scope, accreditation, and sector expertise to help manufacturers make the right call before committing to a registrar.

How to choose between two of the industry’s most recognized ISO training providers and certification bodies

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


BSI vs ISOQAR- Choosing the Wrong One Costs You More Than Money

Picking an ISO certification body feels like a minor administrative decision. It is not. The registrar you choose affects your audit experience, your certificate’s market recognition, your auditors’ industry familiarity, and — if things go sideways — how difficult it is to address nonconformances before your customers find out.

Most manufacturers approach this backward. They pick a certification body based on price alone, then spend three audit cycles wishing they’d done more homework upfront.

BSI Group vs ISOQAR are two of the most widely used ISO certification bodies in the manufacturing sector. They both carry accreditation. They both offer training. But they are not interchangeable — and the differences matter depending on where you are in your certification journey.

I’ve worked through multiple ISO surveillance audits and seen firsthand what separates a productive audit from one that generates unnecessary findings. The certification body’s auditor competency in your specific industry makes an outsized difference. A registrar with deep manufacturing experience sends auditors who understand the shop floor context. One without that background sends auditors who flag process gaps that aren’t actually gaps.

👉 Before you select a certification body, know where your QMS actually stands. Run a clause-by-clause gap check before your Stage 1 audit → Download the Manufacturing Compliance Checklist

In This Guide:

  • What BSI Group and ISOQAR each offer
  • How their training programs compare
  • Pricing expectations for each provider
  • How to transition between registrars
  • Which certification body fits which situation
  • Accreditation and recognition considerations

👉 Start Here

If you’re evaluating ISO training providers or certification bodies, start with these:


Quick Recommendation Matrix

Comparison infographic showing BSI and ISOQAR training and certification offerings with a recommendation matrix by industry and certification scenario.
Use this quick recommendation matrix to compare BSI and ISOQAR based on industry requirements, certification goals, and budget considerations.

Not sure which provider fits your situation? Use this table to find your answer in 30 seconds.

SituationBest ChoiceWhy
Aerospace / AS9100BSISector expertise + ANAB accreditation
Medical Device / ISO 13485BSIDeep regulatory knowledge + global recognition
Welding / FabricationISOQARISO 3834 programs + manufacturing auditors
Automotive / IATF 16949BSIExclusive recommended provider
Lowest certification costISOQARCompetitive mid-market pricing
Global supply chain recognitionBSIStrong brand + ANAB accreditation
Lead Auditor credentialsBSICQI/IRCA recognized qualifications
ISO 9001 / 14001 / 45001 domesticEitherBoth are strong; ISOQAR saves money

BSI Group Overview

BSI Group (British Standards Institution) is one of the oldest and most recognized standards and certification bodies in the world. Founded in 1901, BSI helped develop many of the ISO standards manufacturers rely on today. They offer both training programs and third-party ISO certification services across a wide range of standards.

For manufacturers, BSI’s primary value is depth. Their training catalog covers awareness, requirements, implementation, internal auditor, and lead auditor levels across ISO 9001, ISO 14001, ISO 45001, ISO 13485, AS9100, ISO 50001, IATF 16949, and more. Courses are available in-person, online, and as on-demand eLearning.

BSI operates globally and holds accreditation through ANAB (ANSI National Accreditation Board) in the United States, making their certificates recognized by customers and supply chains throughout North America, Europe, and beyond.

BSI is typically the right choice when:

  • You need a globally recognized certificate with strong brand recognition in your customer base
  • Your industry requires aerospace (AS9100) or medical device (ISO 13485) certification — BSI has deep sector-specific expertise in both
  • You want training and certification through the same provider for continuity
  • Your team needs formal qualifications (Lead Auditor, Lead Implementer) with CQI and IRCA recognition

For AS9100 training and certification, BSI is the strongest option available. Their aerospace auditors understand IAQG requirements and supply chain flow-down in ways that generalist registrars don’t.


ISOQAR Overview

ISOQAR is a UKAS-accredited certification body and training provider that has built a strong reputation in the manufacturing and industrial sectors. They are recognized for practical, no-nonsense auditing and competitive pricing — two things that matter to fabrication shops, contract manufacturers, and industrial operations running lean.

ISOQAR offers certification services across ISO 9001, ISO 14001, ISO 45001, ISO 50001, ISO 3834 (welding), and more. Their training catalog covers the same standards with courses at awareness, requirements, and auditor levels.

One important distinction: ISOQAR holds UKAS accreditation (United Kingdom Accreditation Service), which is recognized internationally through IAF Multilateral Recognition Arrangements. For most US manufacturers supplying domestic customers, UKAS-accredited certificates are fully accepted. If your customer base or contract requirements specify ANAB accreditation explicitly, verify acceptance before proceeding.

ISOQAR is typically the right choice when:

  • You want competitive certification pricing without sacrificing accreditation quality
  • Your standard is ISO 9001, ISO 14001, ISO 45001, or ISO 50001
  • You are a small-to-mid-size manufacturer looking for an auditor who understands production environments
  • You need ISO 3834 welding quality certification alongside your ISO 9001

In one ISO 9001 surveillance audit I was involved in, the ISOQAR auditor had 20+ years of background in heavy fabrication. He understood weld maps, WPS/PQR documentation flow, and traceability requirements for structural components without needing to be walked through the basics. He wasn’t flagging documentation because it didn’t match a textbook template — he was evaluating it against how the work actually gets done. That is the difference a manufacturing-experienced auditor makes. It turns the audit into a productive process review instead of a documentation scavenger hunt.

Infographic outlining five factors to evaluate when selecting an ISO auditor including experience, accreditation, standard knowledge, audit approach, and communication style.
Use this five-point checklist to evaluate ISO auditors beyond credentials and select a partner that supports long-term compliance success.

If you are building or improving your QMS before committing to a certification body, make sure your documentation is audit-ready first. A gap in your documented procedures will surface at Stage 1 regardless of which registrar you use. 9001Simplified is the fastest route to getting your ISO 9001 documentation in order without hiring a consultant.


Training Comparison: BSI vs ISOQAR

Both providers cover the same core standards — but their training structures differ in depth and delivery.

FeatureBSI GroupISOQAR
ISO 9001 TrainingAwareness → Lead AuditorAwareness → Auditor
ISO 14001 TrainingAwareness → Lead AuditorAwareness → Auditor
ISO 45001 TrainingAwareness → Lead AuditorAwareness → Auditor
ISO 13485 TrainingRequirements → Lead AuditorRequirements level
AS9100 TrainingFull course suiteLimited
ISO 3834 WeldingLimited✅ Dedicated courses
ISO 50001 Training✅ Full suite✅ Full suite
CQI/IRCA Recognized✅ YesVerify by course
eLearning / On-Demand✅ Extensive library✅ Available
Lead Auditor Qualification✅ Yes✅ Yes

For internal auditor training, both providers deliver solid programs. If your team needs to conduct clause-by-clause internal audits before certification, either option will build that competency. See the ISO Training for Manufacturing Teams guide for a breakdown of which course level fits which role.

For Lead Auditor qualification, BSI’s CQI and IRCA-recognized programs carry stronger market recognition — particularly if your quality team members want a credential that travels with their career beyond your facility.

⚠️ Most common finding in audit prep: Organizations train their quality manager but leave production supervisors and department heads out of the loop. Auditors ask process owners questions directly. If your department heads can’t speak to how they implement clause requirements in their area, you will generate findings. Training awareness courses for your leadership team is not optional — it’s the difference between a clean audit and one with four or five observations.

👉 If your team hasn’t completed ISO awareness training before your Stage 1 audit, get that scheduled now → ISOQAR ISO Training Courses


Certification Body Comparison

Training and certification are two separate decisions. You do not have to use the same provider for both — but many manufacturers do for continuity.

FactorBSI GroupISOQAR
Accreditation BodyANAB (US), UKAS (UK)UKAS
Certificate RecognitionGlobal — strong US market presenceStrong in UK/EU; widely accepted in US
Standards CoveredISO 9001, 14001, 45001, 13485, AS9100, 50001, IATF 16949ISO 9001, 14001, 45001, 50001, 3834
Sector ExpertiseAerospace, Medical Device, Automotive, ManufacturingManufacturing, Industrial, Welding
Pricing TierPremiumCompetitive / Mid-market
Customer SupportGlobal account teamsRegional support focus

On IATF 16949: BSI is the recommended provider for IATF 16949 certification and training. If your facility serves automotive Tier 1 or OEM customers requiring IATF 16949, BSI is your path.

If you are still deciding which certification body to use, review the Best ISO Certification Bodies guide for a broader comparison across registrars operating in the US market.


Pricing Expectations

Neither BSI nor ISOQAR publishes fixed certification prices — costs are quoted based on your facility size, employee count, number of sites, and scope of certification. That said, here is what manufacturers typically see in practice.

Cost FactorBSI GroupISOQAR
Pricing tierPremiumCompetitive / Mid-market
Initial certification (Stage 1 + Stage 2)Higher — reflects global brand + ANAB accreditationLower — reflects leaner overhead structure
Annual surveillance auditsHigherLower
Three-year recertificationHigherLower
Training coursesMid-to-premium rangeCompetitive

What this means in practice: For a single-site manufacturing operation certifying to ISO 9001, the difference between BSI and ISOQAR over a three-year certification cycle can be meaningful — often several thousand dollars. If budget is a constraint and your customer requirements don’t specify ANAB accreditation by name, ISOQAR delivers accredited certification at a lower cost of entry.

If your customers are global, require ANAB accreditation specifically, or operate in aerospace or medical device supply chains, BSI’s premium is justified — certificate recognition and auditor expertise are worth the price difference.

For a full breakdown of what ISO certification costs across facility types and employee counts, see How Much Does ISO Certification Cost.


Which One Is Right for You?

The decision comes down to three factors: your standard, your customer base, and your budget.

If you are certifying to ISO 9001, ISO 14001, or ISO 45001 for domestic customers: Either provider works. ISOQAR typically offers more competitive pricing at the certification level. BSI brings stronger brand recognition if your customers are multinational or if you are entering new markets.

If you are certifying to AS9100 or ISO 13485: Choose BSI. Their sector expertise in aerospace and medical device is a meaningful advantage. Aerospace primes and medical OEMs recognize BSI certificates without question.

If you need ISO 3834 welding quality certification: ISOQAR has dedicated ISO 3834 programs that BSI does not match. For fabrication shops and welding operations seeking this certification alongside ISO 9001, ISOQAR is the stronger choice.

If you are under cost pressure and need to certify a small manufacturing facility: Start with ISOQAR. Their pricing is competitive and their auditors have practical manufacturing experience. You can always transition registrars at your next recertification cycle if your customer requirements change.

If you are certifying to ISO 9001 and have not yet built your QMS documentation, that has to come before selecting a registrar. See ISO Documentation Kits for Manufacturers for what a complete documentation package requires. If you are in the early stages, read How Long Does ISO Certification Take before committing to a timeline.


Ready to move forward? Choose your path:

👉 BSI Group Training & Certification →

👉 ISOQAR Training & Certification →


Transitioning Between Registrars

Infographic showing the five stages of the ISO certification three-year cycle including Stage 1 audit, Stage 2 audit, surveillance audits, and recertification.
Understand how ISO certification progresses from initial audits through surveillance and recertification over a standard three-year cycle.

Starting with one certification body doesn’t lock you in forever. Manufacturers switch registrars more often than people assume — usually at the recertification audit (year three), which is a natural changeover point that requires minimal additional cost or disruption.

Common reasons manufacturers switch:

  • Customer requirements change to specify ANAB accreditation — triggering a move from ISOQAR to BSI
  • Budget pressure at renewal — triggering a move from BSI to ISOQAR
  • Scope expansion into aerospace or medical device — where BSI’s sector expertise becomes a hard requirement
  • Auditor relationship issues — a legitimate reason that doesn’t get discussed enough

How a registrar transition works: You notify your current certification body that you will not be renewing. You engage your new registrar and provide your existing quality documentation, prior audit records, and certificate history. The new registrar typically conducts a full Stage 1 and Stage 2 certification audit rather than a transfer audit — treat it as a fresh certification. Your certificate gap between expiry and new issuance should be managed carefully to avoid lapsing supplier qualification status with key customers.

One practical note: If you start with ISOQAR for cost reasons but later need ANAB accreditation as your customer base expands, transitioning to BSI at your next recertification cycle is straightforward. Your QMS doesn’t change — only the registrar conducting the third-party audit changes.


Accreditation and Recognition

Both BSI and ISOQAR hold accreditation through recognized national accreditation bodies. Neither is operating outside the formal accreditation structure.

What accreditation means: A certification body must itself be audited and approved by a national accreditation body to issue certificates that are recognized in international trade. ANAB is the primary accreditation body in the United States. UKAS is the UK equivalent. Both are signatories to the IAF Multilateral Recognition Arrangement, which means certificates from UKAS-accredited bodies are accepted in countries that recognize IAF MLA — including the United States.

Practical impact for US manufacturers: If your customer’s supplier quality requirements specify “ANAB-accredited certification,” you need BSI (who holds ANAB accreditation in the US). If the requirement simply states “accredited third-party certification,” ISOQAR’s UKAS accreditation typically satisfies that requirement. When in doubt, verify directly with your customer’s supplier quality team before committing to a registrar.

⚠️ Never assume a certificate from any registrar will satisfy a specific customer requirement without verifying the accreditation language in your customer’s supplier quality manual. This is one of the most common and avoidable supplier audit findings.


FAQ

Is BSI Group the same as BSI Standards?

No. BSI Group encompasses both the standards development organization (which develops British Standards and co-develops ISO standards) and BSI’s commercial divisions, which include training and third-party certification services. When you purchase BSI training or certification, you are working with the commercial division. When ISO references BSI as a participating standards body, that is the standards development function.

Can I use BSI for training and ISOQAR for certification?

Yes. Training and certification are completely separate purchasing decisions. Many organizations train internally with one provider and use a different registrar for third-party certification. The certification body does not require or expect that you used their training programs.

Is ISOQAR accredited for ISO 9001 certification in the United States?

ISOQAR holds UKAS accreditation, which is recognized in the US through the IAF Multilateral Recognition Arrangement. Most US customer supplier quality requirements accept UKAS-accredited certificates. If your customer specifies ANAB accreditation by name, verify with them directly.

How much does ISO 9001 certification cost through BSI vs ISOQAR?

Certification costs depend on your facility size, employee count, scope of certification, and number of sites. BSI typically prices at a premium compared to ISOQAR. Both will provide a formal quote based on your specific situation. See the How Much Does ISO Certification Cost guide for a full cost breakdown.

Do BSI and ISOQAR both offer surveillance audits?

Yes. ISO certification requires an initial certification audit (Stage 1 and Stage 2), followed by annual surveillance audits, and a recertification audit every three years. Both BSI and ISOQAR follow this standard cycle.

Which provider is better for a first-time ISO 9001 certification?

Either can work. If your facility is small and cost-conscious, ISOQAR is a practical starting point. If your customers are international or your growth strategy involves aerospace or medical device markets, starting with BSI gives you a certificate with broader recognition from day one.

Can ISOQAR certify my facility to AS9100 Rev D?

ISOQAR’s primary certification scope covers ISO 9001, ISO 14001, ISO 45001, ISO 50001, and ISO 3834. For AS9100 Rev D certification, BSI is the recommended path — they have dedicated aerospace sector expertise and are recognized by aerospace prime customers and their supply chains.

What is the difference between a Lead Auditor and an Internal Auditor course?

An Internal Auditor course trains your team to conduct clause-by-clause internal audits within your own organization — a mandatory requirement under ISO 9001 Clause 9.2. A Lead Auditor course qualifies individuals to lead third-party certification audits at external organizations. For most manufacturers, Internal Auditor training is the operational priority. Lead Auditor qualification is relevant for quality professionals building external consulting or auditing credentials.

How do I switch from ISOQAR to BSI, or vice versa?

Notify your current certification body before your recertification audit (year three). Engage the new registrar, share your existing QMS documentation and audit history, and plan for a full Stage 1 and Stage 2 audit cycle with the new provider. Coordinate timing carefully to avoid a lapse in your certificate that could affect your supplier qualification status with customers.


📥 Free Resources

  • ISO 9001 Roadmap — Step-by-step implementation guide for manufacturers building or improving a quality management system
  • Manufacturing Compliance Checklist — Practical compliance reference covering key ISO, OSHA, and quality requirements for production environments
  • Supplier Quality Checklist — Evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts

Not Sure What to Do Next?

🔹 Still researching your options — Review the Best ISO Certification Bodies guide to see how BSI and ISOQAR compare against other major registrars operating in the US market.

🔹 Ready to start trainingBSI Group’s ISO training catalog covers awareness through Lead Auditor across all major standards. ISOQAR’s training courses are a strong alternative for manufacturing-focused teams.

🔹 Need to build your QMS documentation before you’re ready for a registrar9001Simplified gives you a complete ISO 9001 documentation kit built for manufacturers — no consultant required.

The Standards Navigator covers ISO certification, training, and compliance across all major manufacturing standards. Use the guides here to make informed decisions before you write a check to any registrar.


Stay Ahead of ISO Certification Changes

Manufacturers who struggle with ISO certification don’t usually fail on the standard itself. They fail because they chose a registrar without verifying accreditation requirements, skipped team training before their Stage 1 audit, or walked in without knowing where their QMS had gaps.

The organizations that certify cleanly — and hold their certificates without recurring findings — treat certification prep as an operational priority, not a paperwork exercise. They train their teams early, verify their documentation against the standard, and choose a certification body that understands their industry.

The Standards Navigator covers ISO training, certification body selection, and QMS implementation for manufacturers who want to get this right the first time.

👉 Get updates on ISO training and certification body selection 👉 Be first to access new compliance resources for manufacturers

Subscribe below to stay ahead.

Subscribe

* indicates required

The Standards Navigator — Industrial Compliance. Clearly Explained.

ISO 13485 Implementation Roadmap: How to Build a Compliant Medical Device QMS in 2026

ISO 13485:2016 is now US federal law under the FDA QMSR, making a compliant medical device QMS mandatory rather than optional. This roadmap walks manufacturers through a seven-phase implementation — from gap assessment and scope through risk management, documentation, CAPA, and certification — covering both the international certification path and FDA inspection readiness for US manufacturers building from the ground up.

A step-by-step guide to implementing ISO 13485:2016 — from gap assessment to certification and FDA QMSR readiness

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


Building a Medical Device QMS Is No Longer Optional in the United States

For years, ISO 13485 sat in a strange position for US manufacturers. It was the global benchmark for medical device quality management — required to sell in the EU, Canada, and most of the world — but inside the United States it was voluntary. You complied with FDA’s Quality System Regulation, and ISO 13485 was a nice-to-have for export.

That changed on February 2, 2026. FDA’s Quality Management System Regulation (QMSR) took effect, replacing the old Quality System Regulation and incorporating ISO 13485:2016 by reference directly into 21 CFR Part 820. The practical effect is blunt: ISO 13485:2016 is now part of US federal law. FDA inspections are conducted against it. The standard you could once ignore at home is now the framework your inspector arrives with.

So whether you are a US manufacturer preparing for your first QMSR-aligned FDA inspection, or an international supplier chasing your first ISO 13485 certificate to unlock the EU market, you face the same task: build a quality management system that survives outside scrutiny. This roadmap walks you through it — clause by clause, phase by phase — from the day you decide to start to the day a registrar or an FDA investigator walks through the door.

This ISO 13485 implementation roadmap is a long article because building a medical device QMS is a long project. Use the table of contents to jump to where you are.


Before you build anything, find out where you actually stand. Most teams overestimate how compliant their existing processes are — and discover the gaps during the certification audit or FDA inspection, when fixing them is expensive and the clock is running. Run a clause-by-clause check against ISO 13485:2016 first.

👉 Download the free ISO 13485 Gap Assessment Checklist and benchmark your QMS in an afternoon, before you commit budget to implementation.


In This Guide

  • Why ISO 13485 implementation looks different in 2026 (QMSR, EU reforms)
  • The realistic timeline and cost of a full implementation
  • A seven-phase roadmap from gap assessment to certificate
  • How risk management (ISO 14971) and design controls fit into the QMS
  • The documentation you actually need — and where teams over-build
  • Internal audit, management review, and Stage 1 / Stage 2 audit preparation
  • FDA QMSR inspection readiness for US manufacturers
  • The mistakes that fail audits — and how to avoid them


👉 Start Here (Top Resources)

If you are implementing ISO 13485 from scratch, these are the three resources that move the project fastest:

  • Build your documentation without a consultant. A complete, pre-written ISO 13485 documentation kit gives you the quality manual, procedures, and records templates structured to the standard — so you spend your time tailoring, not drafting from a blank page. 👉 See the ISO 13485 documentation kits at 9001Simplified
  • Get the official standard. You cannot implement a clause you have not read. Buy ISO 13485:2016 from the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026. ANSI serves international buyers and offers standards in multiple languages.
  • Train your internal team. Your management representative and internal auditors need formal training. BSI Group offers ISO 13485 training courses spanning awareness through lead auditor.

What Makes 2026 Different

ISO 13485:2016 is still the current edition — and it will be for a while. ISO postponed the next revision deliberately to let the 2016 edition “bed in,” with a new version not expected before roughly 2028–2029. So the standard you implement today is the standard you will operate under for years. That stability is good news: it means your implementation work has a long shelf life.

What has shifted is the regulatory context around the standard.

In the United States, the QMSR is the headline. FDA now incorporates ISO 13485:2016 into 21 CFR Part 820, layered with a handful of FDA-specific additions — labeling, UDI, and certain record and definition provisions — that go beyond the ISO text. A critical nuance: the QMSR is “version locked” to the 2016 edition. Future ISO 13485 revisions will not automatically apply in the US unless FDA initiates new rulemaking. Certification to ISO 13485 is still not legally required in the US — FDA inspects you directly — but building your QMS to the standard is now the most direct path to QMSR compliance.

In the European Union, the pressure point is notified body capacity, not the standard itself. EU Implementing Regulation 2026/977, published in May 2026 and applying from February 25, 2027, finally imposes hard maximum timelines on notified bodies — 30 days to review an application and sign a contract, 120 days for the QMS audit, 90 days for product verification, and 20 days to issue the certificate, with capped clock-stops and transparent quotations. For manufacturers, the message is that the certification path is becoming more predictable, but you still need a clean, audit-ready QMS to take advantage of it.

One more 2026 wrinkle worth flagging if your devices touch biocompatibility: FDA’s recognition of the sixth edition of ISO 10993-1 is partial. Notably, FDA does not recognize Clause 6.9 on biological risk estimation, holding that it conflicts with the recognized risk management standard ISO 14971:2019. If your risk files cite ISO 10993-1 wholesale, that is now a deficiency-letter risk in US submissions. Keep biological risk inside the ISO 14971 framework. We cover biocompatibility in depth separately — for this roadmap, just know that your risk management process is the anchor, not the 10993 series.

If you sell only in the US → build to ISO 13485:2016 for QMSR compliance and skip certification unless a customer demands it. If you sell internationally → you need an actual ISO 13485 certificate from an accredited registrar, so plan for a Stage 1 / Stage 2 audit. If you sell in both markets → build one QMS to ISO 13485:2016 and bolt on the FDA-specific QMSR additions; do not run two parallel systems.

QMSR vs ISO 13485 at a Glance

The two frameworks now share a core, but they are not identical. This is where US and international readers diverge — and where a single well-built QMS can serve both.

DimensionISO 13485:2016FDA QMSR (21 CFR Part 820)
Legal statusVoluntary international standardMandatory US federal regulation
Core requirementsThe full ISO 13485 QMSIncorporates ISO 13485:2016 by reference
Proof of complianceCertificate from accredited registrarFDA inspection — no certificate issued
Added requirementsNone beyond the standardLabeling, UDI, certain records & definitions
Risk managementReferences ISO 14971Requires ISO 14971 framework; rejects ISO 10993-1 Clause 6.9
Version handlingISO may revise (~2028–2029)“Version locked” to the 2016 edition
Who needs itAnyone selling internationallyAny device manufacturer marketing in the US

For the full treatment, see our dedicated FDA QSR vs ISO 13485 comparison.


Timeline and Cost: What to Expect

A realistic ISO 13485 implementation runs 6 to 12 months for a small-to-mid-size manufacturer building from a limited starting point. Companies already operating a mature ISO 9001 system or a legacy QSR-based system can move faster; companies starting from informal processes should plan for the full year.

ISO 13485 implementation timeline infographic showing a phased 6 to 12 month roadmap for medical device manufacturers progressing from gap assessment through certification.
A visual roadmap showing a realistic ISO 13485 implementation timeline from assessment through certification readiness.
PhaseTypical durationWhat drives it
Gap assessment & scope2–4 weeksSize of the gap between current practice and the standard
Process & documentation build8–16 weeksWhether you draft from scratch or start from templates
Implementation & operation8–12 weeksYou need real records, not just documents — audits want evidence
Internal audit & management review3–4 weeksMust be complete before a registrar will proceed to Stage 2
Certification (Stage 1 + Stage 2)6–10 weeksRegistrar scheduling and any nonconformity closure

On cost, the single biggest variable is whether you hire a consultant to draft your system or build it yourself from a structured template. Consultant-led implementations commonly run $15,000–$50,000+ depending on device class and company size. A template-driven build can cut the documentation labor dramatically. For a full breakdown, see our guide on how much ISO 13485 certification costs.


Phase 1 — Foundation: Scope, Standard, and Leadership Commitment

Everything downstream depends on getting three things right at the start.

Define your QMS scope. ISO 13485 lets you exclude certain requirements — for example, design and development (Clause 7.3) if you are a contract manufacturer building to a customer’s design. But exclusions must be justified and documented, and you cannot exclude something just because it is inconvenient. Map which clauses apply to your role: manufacturer, specification developer, contract manufacturer, sterilization provider, or importer. Your scope statement is the first thing a registrar reads and the boundary an FDA investigator works within.

Acquire and read the standard. This sounds obvious and gets skipped constantly. You cannot delegate compliance with a document nobody on the team has read end to end. Buy the official ISO 13485:2016 text from the ANSI Webstore — apply coupon CC2026 for 5% off through the end of 2026 — and have your management representative work through it clause by clause. If you also need the risk management standard, ISO 14971:2019 is available there too. ANSI’s catalog covers international buyers and multiple languages, which matters if your QMS spans sites.

Secure genuine leadership commitment. Clause 5 puts top management on the hook — quality policy, quality objectives, resource allocation, and management review are not delegable to a quality manager working in isolation. The fastest implementations have an executive sponsor who clears roadblocks. The ones that stall have a quality team trying to impose a system the leadership treats as paperwork.

If you are a contract manufacturer → document your design and development exclusion now, with justification, before you build the rest of the system around it.

⚠️ Common pitfall: Claiming a Clause 7.3 exclusion you can’t defend. If your team does any design input — even tweaking a customer’s spec for manufacturability — a registrar may reject the exclusion and you’ll be retrofitting design controls mid-project. Decide your true scope honestly before you build.


Most ISO 13485 projects don’t fail on the standard — they fail on documentation that nobody can find, follow, or defend in an audit. Before you write a single procedure, make sure you know which records the standard actually requires.

👉 Run the gap assessment and map your existing documents against the clauses — it turns “we think we’re covered” into a defensible list.


Phase 2 — Plan: Processes, Roles, and Competence

ISO 13485 is a process-based standard. Before documentation, map your actual processes and how they connect — the “sequence and interaction” the standard requires.

Identify your core processes. At minimum: management processes (planning, review, resourcing), product realization (design, purchasing, production, servicing), and support processes (document control, records, CAPA, internal audit). For each, define inputs, outputs, owners, and the records that prove it ran.

Appoint a management representative. Clause 5.5.2 requires a member of management responsible for the QMS. This person owns the system, reports its performance to leadership, and is typically the registrar’s main point of contact.

Plan competence and training. Clause 6.2 requires that personnel performing work affecting product quality are competent — with records to prove it. This includes your internal auditors, who must be trained and independent of the areas they audit. Formal training shortens the learning curve here; BSI Group’s ISO 13485 course catalog runs from awareness through lead auditor, and the lead-auditor tier is what equips your internal audit program to find problems before the registrar does. For audit methodology itself, note that the underlying guidance standard, ISO 19011, was updated to a 2026 edition in May 2026 — worth referencing when you write your internal audit procedure.

⚠️ Common pitfall: Treating internal auditor “independence” as a formality. Having someone audit their own department is one of the most common nonconformities — and it quietly undermines every finding that audit produces. Cross-train auditors so no one reviews work they own.


Phase 3 — Risk Management and Design Controls

This is where ISO 13485 separates itself from ISO 9001, and where the most consequential implementation decisions live.

Risk management is the spine. ISO 13485 threads risk-based thinking through the entire product lifecycle, and it leans on ISO 14971:2019 as the method. You need a risk management process, a risk management file for each device or device family, and evidence that risk controls are verified and monitored in production and post-market. As noted earlier, keep biological risk inside this ISO 14971 framework rather than importing a separate scoring approach — that alignment is exactly what FDA expects under the QMSR.

Design controls (Clause 7.3) apply if you develop devices. This is the discipline FDA investigators scrutinize hardest, because design failures are where patients get hurt. You need:

Design control elementWhat it requires
Design and development planningA documented plan with stages, reviews, and responsibilities
Design inputsRequirements derived from intended use, user needs, and regulation
Design outputsSpecifications that can be verified against inputs
Design reviewFormal reviews at planned stages with independent reviewers
Design verificationEvidence outputs meet inputs
Design validationEvidence the device meets user needs in actual or simulated use
Design transferControlled handoff to production
Design changesControlled, reviewed, and documented changes
Design history file (DHF)The complete record of the above

If you are a US manufacturer, the QMSR keeps design controls firmly in play — they map directly onto the ISO 13485 Clause 7.3 requirements, which is one reason a single ISO-aligned system now serves both purposes.

If you are preparing your first device submission → build the risk management file and design history file in parallel with the QMS, not after. Auditors and investigators expect to see them populated, not planned.

⚠️ Common pitfall: Building the risk file as a one-time document for the submission, then never touching it again. Risk management is a living, lifecycle requirement — production and post-market data have to feed back into it. A risk file frozen at launch is a finding waiting to happen.


Phase 4 — Build the Documentation

Now you write the system. ISO 13485 expects a defined documentation hierarchy: a quality manual, documented procedures, work instructions, forms, and the records they generate.

ISO 13485 documentation architecture infographic showing the five-layer quality management documentation hierarchy from quality manual through records.
A visual breakdown of the five documentation layers used to build and maintain an ISO 13485 quality management system.

The required documents. ISO 13485:2016 explicitly requires certain documented procedures — document control, record control, management review, internal audit, control of nonconforming product, CAPA, and several product-realization procedures among them. A medical device file (technical documentation) is required for each device type. Our breakdown of ISO 13485 documentation requirements lists exactly what the standard mandates versus what is optional.

Where teams over-build. The most common documentation mistake is writing procedures more detailed and rigid than the operation can actually follow. Every sentence in a procedure is a commitment an auditor can hold you to. If your procedure says calibration happens every 90 days and a record shows 95, that is a nonconformity you created with your own words. Write to what you do; improve what you do separately.

Start from a structured template, not a blank page. Drafting an entire ISO 13485 documentation set from scratch is where 6-month projects become 12-month projects. A complete documentation kit gives you the quality manual, every required procedure, and the records templates already structured to the clauses — so your team spends its hours tailoring language to your operation instead of reinventing the architecture of a QMS.

👉 See what’s included in the 9001Simplified ISO 13485 documentation kit — it is the no-consultant route most small manufacturers should evaluate first.

Set up document and record control before you generate volume. Clauses 4.2.4 and 4.2.5 require controlled documents and controlled records. Get the control mechanism — versioning, approval, retention, retrieval — working before you have hundreds of documents to retrofit.

⚠️ Common pitfall: Over-documenting. Teams write procedures so detailed and rigid that the floor can’t actually follow them — then every deviation from their own paperwork becomes a nonconformity. Document what you genuinely do, keep procedures lean, and push the specifics down into work instructions where they’re easier to change.


Phase 5 — Implement and Operate

A documented QMS proves nothing. Auditors and investigators want records that show the system ran.

This is the phase teams underestimate. You can write a CAPA procedure in a day; demonstrating that CAPA actually works requires real CAPAs opened, investigated, and closed over weeks. Plan for an operating period — typically 8 to 12 weeks minimum — where the system runs and generates genuine evidence: training records, calibration records, completed reviews, supplier evaluations, nonconformance reports, and CAPA records.

A registrar will not progress to a certification audit, and an FDA investigator will not be satisfied, by documents alone. Both want to trace a process from requirement to record to outcome. Build that evidence trail before you invite anyone to inspect it.

If you are under customer pressure to certify quickly → start operating the system in parallel with finishing documentation, so your evidence trail is already accumulating when the documents are signed off.

⚠️ Common pitfall: Booking the certification audit before the system has actually run. A registrar can tell the difference between a QMS that has operated for three months and one that generated all its records last week. Backdated or thin evidence is the fastest way to turn a Stage 2 audit into a list of nonconformities.


Phase 6 — CAPA, Supplier Controls, and Production Controls

Three areas generate the most audit findings and FDA 483 observations. Get them right and you de-risk the entire certification.

CAPA (Corrective and Preventive Action). This is the single most-cited area in medical device QMS audits. A weak CAPA system — actions opened and never closed, root causes not actually identified, effectiveness never verified — signals to an auditor that the whole system is decorative. Your CAPA process must show genuine root cause analysis, defined actions, and verified effectiveness. Our deep dive on CAPA requirements in ISO 13485 covers the failure modes in detail.

Supplier and purchasing controls (Clause 7.4). You are accountable for what your suppliers provide. You need defined supplier evaluation criteria, approved-supplier records, and controls proportionate to the risk the purchased product carries. Flow your quality requirements down in writing — handshake arrangements do not survive audits.

Production and process controls (Clauses 7.5). This includes process validation for any process whose output cannot be fully verified by later inspection — sterilization and certain welding or molding processes are classic examples — plus identification, traceability, and handling of product. Cleanliness, contamination control, and installation/servicing requirements apply where relevant to your device.

A documentation kit accelerates this layer too. The CAPA log, supplier evaluation forms, nonconformance records, and validation templates are exactly the high-stakes documents you do not want to invent under deadline.

👉 A structured kit gives you defensible templates for all three areas so your effort goes into running the processes, not formatting the paperwork.

Avoid the recurring traps documented in our guide to common mistakes in ISO 13485 QMS implementation — most failures are predictable.

⚠️ Common pitfall: Closing CAPAs without verifying effectiveness. “We retrained the operator” is not a closed CAPA — it’s an action with no proof it worked. Auditors reopen these constantly. Every CAPA needs a defined effectiveness check and evidence it passed before you close it.


Phase 7 — Internal Audit, Management Review, and Certification

Before any external party inspects you, inspect yourself.

Internal audit (Clause 8.2.4). Conduct a full internal audit of your QMS against ISO 13485 using trained, independent auditors. This is your dress rehearsal — the audit that finds problems while you still control the timeline and the narrative. Document findings, open CAPAs, and close them.

Management review (Clause 5.6). Top management formally reviews QMS performance against defined inputs — audit results, customer feedback, process performance, CAPA status, and more — and produces documented outputs and decisions. Registrars treat a missing or hollow management review as a serious gap.

The certification audit (international path). An accredited registrar conducts a two-stage audit:

StageFocusOutcome
Stage 1Documentation review and readinessConfirms the system is ready for Stage 2; identifies gaps
Stage 2On-site implementation auditVerifies the system operates as documented; raises any nonconformities

Close any nonconformities, and the registrar issues your certificate — typically valid for three years with annual surveillance audits. Choosing an accredited registrar matters; verify accreditation through bodies like ANAB or the relevant IAF member. Our guide to the best ISO certification bodies walks through selection.

⚠️ Common pitfall: Running a hollow management review to check the box. A review that doesn’t actually examine audit results, CAPA status, and process performance — and produce real decisions — is treated by registrars as a serious gap, because it signals leadership isn’t engaged. Make it substantive, and keep the minutes.


FDA QMSR Inspection Readiness

If you are a US manufacturer, your “certification audit” may instead be an FDA inspection — and the bar is the QMSR, which now runs on ISO 13485:2016 plus FDA’s additions.

Practical readiness steps:

  • Map ISO 13485 to the QMSR additions. Most of your ISO-aligned system satisfies Part 820 directly. Layer in the FDA-specific requirements — labeling and packaging controls, UDI, and certain record and complaint-handling provisions — that exceed the ISO text.
  • Keep your records inspection-ready, not audit-ready-once. FDA inspections are unannounced or short-notice. The evidence trail from Phase 5 has to be standing, not assembled on demand.
  • Treat CAPA and complaint handling as the focal points. These are where 483 observations concentrate. A clean, closed-loop CAPA system is your strongest signal of control.
  • Understand the relationship between the two frameworks. Our comparison of FDA QSR vs ISO 13485 explains exactly what the QMSR changed and where the frameworks now align.

For US manufacturers selling internationally, the efficient move is one ISO 13485 QMS with the QMSR additions built in — not two systems. The frameworks now overlap by design.


Quick Implementation Checklist

Use this as a high-level progress tracker. Each item maps to a phase above.

  • ✅ QMS scope defined and exclusions justified in writing
  • ✅ Official ISO 13485:2016 (and ISO 14971:2019) acquired and read
  • ✅ Top management commitment secured; quality policy and objectives set
  • ✅ Management representative appointed
  • ✅ Core processes mapped with owners, inputs, outputs, and records
  • ✅ Personnel competence and internal auditor training in place
  • ✅ Risk management process and risk management file established (ISO 14971)
  • ✅ Design controls and design history file in place (if you develop devices)
  • ✅ Quality manual, required procedures, and record templates written
  • ✅ Document control and record control operating before volume builds
  • ✅ System operated long enough to generate genuine records (8–12 weeks)
  • ✅ CAPA system demonstrably closing the loop with verified effectiveness
  • ✅ Supplier evaluation and purchasing controls documented and flowed down
  • ✅ Process validation completed where output can’t be fully verified
  • ✅ Full internal audit completed; findings closed
  • ✅ Management review conducted with documented outputs
  • ✅ Registrar selected (international) or QMSR inspection readiness confirmed (US)
  • ✅ Stage 1 and Stage 2 audit passed; nonconformities closed

FAQ

How long does ISO 13485 implementation take?

For a small-to-mid-size manufacturer building from a limited starting point, plan for 6 to 12 months. Companies with a mature ISO 9001 system or a legacy QSR-based system can move faster, while organizations starting from informal processes should plan for the full year. The longest single phase is usually documentation, followed by the operating period needed to generate real records.

Is ISO 13485 certification required in the United States?

No. FDA inspects US manufacturers directly against the QMSR, which incorporates ISO 13485:2016 — certification by a third-party registrar is not legally required. However, building your QMS to ISO 13485 is now the most direct path to QMSR compliance, and certification is required to sell in the EU, Canada, and most international markets. Many US manufacturers certify anyway to serve global customers and demonstrate a recognized standard of control.

What is the difference between ISO 13485 and the FDA QMSR?

The QMSR, effective February 2, 2026, replaced FDA’s old Quality System Regulation and incorporates ISO 13485:2016 by reference into 21 CFR Part 820, plus FDA-specific additions covering labeling, UDI, and certain records. The two are now largely aligned by design. The QMSR is “version locked” to the 2016 edition, so future ISO 13485 revisions will not automatically apply in the US. See our full FDA QSR vs ISO 13485 comparison for detail.

Do I need ISO 14971 to implement ISO 13485?

Effectively, yes. ISO 13485 threads risk-based thinking through the product lifecycle and relies on the methodology in ISO 14971:2019 for risk management. You need a documented risk management process and a risk management file for each device. We explain the relationship in ISO 14971 vs ISO 13485.

Can a contract manufacturer exclude design controls?

Yes, if you build strictly to a customer’s design and do not perform design and development activities. ISO 13485 permits excluding Clause 7.3, but the exclusion must be justified and documented in your QMS scope. You cannot exclude a requirement simply because it is burdensome — only because it genuinely does not apply to your role.

What causes most ISO 13485 audit findings?

CAPA weaknesses lead the list — actions that never close, root causes not genuinely identified, and effectiveness never verified. Document and record control, supplier controls, and process validation are also frequent finding areas. Our guide to common ISO 13485 QMS mistakes covers the recurring patterns.

Should I hire a consultant or use a documentation kit?

It depends on device class, internal capacity, and budget. Consultant-led implementations offer hands-on guidance but commonly run $15,000–$50,000 or more. A structured documentation kit gives you the full QMS architecture — manual, procedures, and record templates — at a fraction of that cost, so your team tailors rather than drafts from scratch. Many small manufacturers start with a kit and bring in targeted consulting only for device-specific risk and design questions.

What is ISO 13485 and who needs it?

ISO 13485 is the international quality management system standard for organizations involved in the medical device lifecycle — design, production, storage, distribution, installation, and servicing. It applies to manufacturers, specification developers, contract manufacturers, sterilization providers, and importers. Our primer, What Is ISO 13485?, covers the fundamentals.


📥 Free Resources

Practical tools to support your implementation — download what fits your project:

  • ISO 13485 Gap Assessment Checklist — free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements, clause by clause, before committing to implementation.
  • ISO 9001 Roadmap — step-by-step implementation guide for organizations building or improving a quality management system, useful if you operate an ISO 9001 base alongside 13485.
  • Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments.
  • Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts.
  • AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause checklist for aerospace suppliers assessing their QMS before certification, for teams operating across aerospace and medical device lines.

Not Sure What to Do Next?

Your next step depends on where you are in the project:

  • 🔹 If you haven’t assessed your gap yet → start with the free ISO 13485 Gap Assessment Checklist. Don’t commit budget to implementation until you know the size of the gap.
  • 🔹 If you’re ready to build documentation → evaluate a complete ISO 13485 documentation kit before paying consultant rates to draft from scratch. It is the fastest route to an audit-ready document set for most small manufacturers.
  • 🔹 If you’re comparing the US and international paths → read FDA QSR vs ISO 13485 and how much ISO 13485 costs to scope budget and timeline before you choose.

Building an ISO 13485 QMS is a real project, but it is a known one. The clauses are fixed, the phases are sequential, and the failure modes are predictable. Move through it in order, build real evidence as you go, and inspect yourself before anyone else does — and a certification audit or FDA inspection becomes a confirmation, not a gamble. The Standards Navigator exists to make exactly this kind of industrial compliance work clear and survivable for the people who have to actually do it.


Most teams don’t fail ISO 13485 because they misunderstand the standard — they fail because they assumed they were compliant and found out during the audit. The organizations that struggle treat the QMS as paperwork to satisfy a registrar. The organizations that succeed treat it as the operating system that proves their devices are safe — and they build evidence from day one.

The Standards Navigator covers medical device compliance from QMSR readiness to risk management, CAPA, and certification — written from operational and quality management experience, not generic theory.

  • 👉 Get updates on medical device QMS, ISO 13485, and FDA QMSR compliance
  • 👉 Be first to access new gap assessment tools, documentation guides, and implementation resources

Subscribe below to stay ahead.

Subscribe

* indicates required

The Standards Navigator — Industrial Compliance. Clearly Explained.

9001Simplified Review (2026): The Honest Verdict for Manufacturers

The 9001Simplified ISO 9001 Certification Toolkit gives manufacturers a complete DIY path to certification — 100+ templates, integrated training, and expert support for $2,490. This review covers what’s included, who it’s right for, and how it compares to hiring a consultant.

What’s actually in the ISO 9001 Certification Toolkit, what it costs, and whether it passes a real audit — from someone who’s been on both sides of the table

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


Most Manufacturers Waste Thousands on ISO 9001 Implementation

Here’s the reality on the shop floor: most small and mid-size manufacturers approach ISO 9001 certification one of two ways. They hire a consultant and spend $15,000–$75,000. Or they try to build documentation from scratch, spend months spinning their wheels, and still end up with gaps that auditors find on Day 1 of the Stage 2 audit.

There’s a third option that most quality managers don’t know exists. A purpose-built documentation toolkit that gives you everything a consultant would build — procedures, forms, audit checklists, training — for a fraction of the cost.

I’ve spent 25 years in heavy industrial operations. I’ve been through ISO 9001 audits on both sides of the table — as the quality manager prepping the QMS and as the internal auditor running clause-by-clause reviews. I know what auditors look for. I also know what kills implementation momentum.

This 9001Simplified review covers the highest-traffic ISO 9001 documentation toolkit on the market — so you can make an informed decision before you invest.

👉 Before you read further: If you’re not sure whether your current QMS covers every ISO 9001 requirement, run a clause-by-clause gap check first. Download the free ISO 9001 Roadmap — a step-by-step implementation guide built specifically for manufacturers.

In This Guide

  • What’s included in the 9001Simplified Certification Toolkit
  • Who it’s built for — and who it’s not
  • How it compares to hiring a consultant
  • What the toolkit does well and where the gaps are
  • Pricing and whether the ROI holds up
  • My verdict after 25 years in industrial quality

Table of Contents


👉 If You Want to Skip the Trial-and-Error

If you want to skip the trial-and-error and build a QMS that will pass audit the first time, this is the most direct path available to manufacturers without a consultant:

Get the 9001Simplified Certification Toolkit

  • 100+ pre-built procedures and forms covering every ISO 9001:2015 clause
  • 14 role-specific training courses — from shop floor employees to lead auditor
  • Expert document review before you implement — a lead auditor checks your work
  • Unlimited consulting support until you’re certified
  • Free ISO 9001:2026 upgrade included
  • One-time cost: $2,490 — no recurring fees, company-wide license

Not ready to buy yet? Here’s the full resource set:

ResourceWhat It DoesBest For
9001Simplified Certification ToolkitComplete DIY ISO 9001 certification systemManufacturers building a QMS without a consultant
ISO 9001:2015 StandardThe official standard — required for implementation leadsClause-by-clause reference during documentation
ISO 9001 Roadmap (Free)Step-by-step implementation guide for manufacturersStarting point before any toolkit purchase

9001Simplified Review- First, What Is It?

9001Simplified Review with Quality management system binder and digital audit checklist displayed on an industrial workstation with PPE and manufacturing equipment in the background.
Quality documentation and digital compliance tools support effective management systems in manufacturing environments.

9001Simplified is a documentation toolkit company that has been producing ISO 9001 implementation tools since 2004. Over 7,000 organizations have used their system — including names like Siemens, Kiewit, and Lawrence Livermore National Laboratory. They claim a 100% certification success rate, which is a meaningful claim given the volume of customers they’ve served.

Their flagship product is the ISO 9001 Certification Toolkit, priced at $2,490. That sounds like a significant investment until you compare it against the alternative. A mid-size fabrication shop hiring an ISO consultant typically spends $25,000–$50,000 all-in before the first audit. 9001Simplified positions the toolkit as a self-directed path to certification with expert backup included — not a replacement for guidance, but a replacement for the consultant’s hourly rate.

The company is also preparing buyers for the upcoming ISO 9001:2026 revision. Buyers receive a free upgrade kit when the new standard publishes — which is expected in late 2026 based on current ISO drafting timelines. If you’re certifying now, that future-proofing matters.


What’s Included in the Certification Toolkit

This is where 9001Simplified earns its price point. The toolkit is genuinely comprehensive.

Core Documentation Package

  • Gap Analysis Tool — assessment tool to identify your starting point before you build anything. This is the right first step. Most shops skip it and build documentation around what they think their QMS covers, not what it actually covers.
  • Quality Management Manual — available in two structures: process-based (mirrors your workflow) or standard hierarchy. The process-based option is the right call for most manufacturers — it maps to how work actually moves through your shop.
  • 45 pre-written procedures — covers every ISO 9001:2015 requirement. These are not generic templates. Each procedure comes with customization instructions explaining how to adapt it to your organization’s specific context.
  • 44 ready-to-use forms and checklists — calibration logs, NCR forms, CAPA templates, supplier qualification records, internal audit checklists. The forms that auditors request most often are all here.

Integrated Training System

This is one of the strongest differentiators. Most documentation kits give you templates and leave you to figure out implementation. 9001Simplified includes 14 online courses covering every role:

  • Implementer Training (for the project lead)
  • Executive Training (for top management buy-in)
  • Manager Training (department leadership)
  • Lead Auditor Training (your internal auditor)
  • Employee Awareness Training (10-seat license for your floor team)

That training coverage matters. ISO 9001 audits find nonconformances not just in documentation — they find them in how well employees understand the QMS and their role in it. A shop with good procedures and undertrained staff fails audits.

Support and Services

  • Expert document review — a lead auditor reviews your completed procedure documentation and provides a detailed feedback report before you implement. This is the quality check that catches gaps before your registrar does.
  • Unlimited consulting support — dedicated access to a 9001Simplified consultant until you achieve certification.
  • Certification support kit — registrar selection guidance, audit preparation templates, insider tips on Stage 1 and Stage 2 audit management.
  • Marketing kit — ready-made materials to communicate your certification to customers. Useful for shops where ISO 9001 is a customer contract requirement.

Real concern: will auditors actually accept this documentation?

Short answer: yes — but only if you customize it correctly. The toolkit gets you 80–90% of the way there. The last 10–20% depends on whether your implementation lead adapts the procedures to your actual processes — not just fills in the blanks with your company name.

This is where most documentation kit failures happen. Not in the templates themselves, but in how they’re applied. The expert document review included in the toolkit exists specifically to catch this. A lead auditor reviews your completed procedure and flags anything that reads as generic or doesn’t reflect your actual operations. That review is what separates a toolkit-based QMS that passes from one that generates a finding list.

👉 If you’re working toward certification and not sure whether your QMS documentation is audit-ready, the gap analysis step is non-negotiable. 9001Simplified’s toolkit includes that tool as part of the package — use it before you build anything else.


🚨 Most first-time ISO 9001 implementations fail at Stage 2 for one reason: documentation that exists — but isn’t usable in the actual process.

Procedures written around what management thinks happens on the shop floor — not what actually happens — generate observations on Day 1. Auditors don’t just read your quality manual. They follow your processes, interview your people, and look for evidence that documented procedures match actual work.

If you’re not 100% confident your procedures match how your shop operates, you’re at risk of findings. The toolkit’s customization instructions are specifically designed to close that gap before your registrar shows up.


Who This Toolkit Is Built For

It’s the right fit if you are:

✅ A small to mid-size manufacturer (under 500 employees) building a QMS from scratch or rebuilding after a failed audit ✅ A quality manager who has been handed the ISO 9001 project and needs a structured implementation path ✅ A fabrication shop, machine shop, or contract manufacturer under customer pressure to certify ✅ An organization that has tried to implement before and stalled out on documentation

It’s not the right fit if you are:

⚠️ A large enterprise with complex, multi-site operations that require highly customized documentation architecture ⚠️ Already certified and maintaining a mature QMS — you don’t need the full toolkit at this stage ⚠️ Seeking AS9100 Rev D or ISO 13485 documentation — 9001Simplified’s toolkit covers ISO 9001 only. For aerospace or medical device documentation, those standards require sector-specific templates that go beyond what this kit provides.

If you are preparing for your first ISO 9001 certification → the toolkit is designed exactly for your situation. Follow the included project guide, run the gap analysis first, and use the expert document review before you implement.

If you are already ISO 9001 certified and pursuing AS9100 → your ISO 9001 foundation transfers. Focus on the four AS9100-specific requirements that have no ISO 9001 equivalent: risk management, configuration management, first article inspection, and key characteristics. You’ll need sector-specific documentation for those.


9001Simplified vs. Hiring a Consultant

Split-screen comparison showing an ISO 9001 consultant presenting in a conference room and a quality manager reviewing documentation on a manufacturing shop floor.
A side-by-side comparison of traditional ISO 9001 consulting versus a self-guided implementation approach highlights the significant difference in cost.
Factor9001Simplified ToolkitFull Consulting
Cost$2,490 (one-time)$15,000–$75,000+
Timeline3–6 months3–9 months
Internal knowledge builtHigh — your team learns the systemLow — consultant owns the knowledge
Expert accessIncluded (unlimited until certified)Included (at consultant hourly rate)
Documentation ownershipFull — you customize and own every documentVaries — some consultants retain IP
ScalabilityStrong — reuse across departments at no extra costRequires re-engagement for changes
Risk100% success rate claimed (7,000+ customers)Varies by consultant

The math is straightforward. If your fabrication shop spends $2,490 on the toolkit and passes certification, you’ve saved a minimum of $12,500 against the low end of consulting fees — likely much more. The documentation knowledge stays inside your organization. When your registrar comes back for the annual surveillance audit, your team runs it internally instead of calling a consultant at $150/hour.

Most common finding in manufacturer QMS implementations: documentation exists but employees can’t demonstrate they follow it. That’s a training gap, not a documentation gap — and it’s why the included training system matters as much as the templates.


What the Toolkit Does Well

Customization instructions are the differentiator. Most documentation kits give you a template and assume you know how to adapt it. 9001Simplified includes clause-by-clause customization instructions with every procedure. For a quality manager who isn’t a seasoned ISO practitioner, this is the difference between a QMS that auditors accept and one that generates a list of observations.

The process-based manual structure. Organizing your QMS around how work actually flows through your shop — order entry through delivery and customer feedback — is how auditors want to see it. The standard-based structure works, but the process-based option is more defensible in a Stage 2 audit because it demonstrates that you understand the intent of the standard, not just the clause sequence.

Company-wide license. One purchase covers unlimited users. For a 50-person fabrication shop with multiple department heads involved in QMS implementation, this matters. You’re not paying per seat.

Free ISO 9001:2026 upgrade. The DIS for ISO 9001:2026 was approved by ISO member bodies in August 2025. Publication is expected in late 2026 with a three-year transition period. Certifying now under ISO 9001:2015 is the right call — and the included upgrade kit means you won’t have to rebuild your documentation when the transition deadline arrives.


Limitations to Know Before You Buy

No AS9100 or ISO 13485 toolkit. If your shop needs aerospace or medical device certification, 9001Simplified’s toolkit gets you the ISO 9001 foundation — but the sector-specific documentation requirements for AS9100 Rev D or ISO 13485:2016 require additional resources. Plan for that gap.

Implementation still requires internal effort. The toolkit eliminates the need for a consultant, but it doesn’t eliminate the work. Your quality manager or implementation lead will invest significant hours. 9001Simplified estimates 3–6 months for small to mid-size organizations — that’s realistic if the project has dedicated internal resources. Shops where “the quality manager” is also the operations manager, HR, and safety coordinator should plan for the longer end of that range.

Single-standard focus. If you’re building an integrated management system covering ISO 9001, ISO 14001, and ISO 45001 simultaneously, 9001Simplified’s toolkit addresses quality only. You’d need to layer in additional resources for the environmental and safety management system components. See our guide on Integrated Management Systems for how those three standards work together.


Pricing and ROI

The Certification Toolkit is priced at $2,490 — a single one-time fee with a company-wide license and free updates for five years.

How that ROI stacks up:

ComparisonCost
9001Simplified Certification Toolkit$2,490
Low-end consulting engagement$15,000
Mid-range consulting engagement$35,000
Potential savings vs. low-end consulting$12,510
Potential savings vs. mid-range consulting$32,510

For a manufacturer where ISO 9001 certification is a customer contract requirement — or a condition for winning a specific contract — the math gets more compelling. One contract won on the strength of ISO 9001 certification typically pays back the toolkit cost many times over.

You’ll also need the actual ISO 9001:2015 standard for your implementation lead’s reference. The toolkit provides the documentation framework, but your lead auditor training requires access to the standard document itself. Purchase ISO 9001:2015 from the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026.

For a full breakdown of what ISO 9001 certification actually costs from start to finish, see our guide: How Much Does ISO 9001 Cost in 2026?


My Verdict

Framed ISO 9001 certification displayed in a manufacturing office overlooking a fabrication shop, with quality management binders and controlled documents nearby.
An ISO 9001 certificate represents the result of a well-implemented quality management system and successful certification audit.

After 25 years running quality systems in heavy industrial fabrication — welding operations, pressure vessel shops, structural steel fabricators — I’ve seen every flavor of ISO 9001 implementation. Consultants who deliver polished documentation that the shop can’t maintain. Internal builds that miss half the clauses. And documentation kits that are generic enough to be useless.

9001Simplified is the exception. The combination of purpose-built procedures, role-specific training, and expert document review addresses the three most common failure modes in manufacturer QMS implementations: documentation gaps, training gaps, and audit preparation gaps.

For a small to mid-size fabrication shop, machine shop, or contract manufacturer building a QMS from scratch or recovering from a failed audit — this is the most cost-effective path to certification I’ve seen. The $2,490 price point is not a gamble at those stakes. It’s a calculated investment with a clear return.

If you are under customer pressure to certify and can’t afford to build a QMS from scratch → start here. The gap analysis tool alone will tell you within hours where your biggest risks are.


Quick Audit Checklist — Before You Invest in Any Documentation Kit

✅ Have you completed a gap analysis against ISO 9001:2015 Clauses 4–10?
✅ Do you have a designated implementation lead with dedicated time allocated?
✅ Has top management formally committed resources to the certification project?
✅ Do you have a target certification date driven by a customer requirement or contract?
✅ Have you identified your registrar (certification body) in advance?
✅ Does your team have access to the ISO 9001:2015 standard document?

If you answered no to more than two of these → resolve those gaps before purchasing any toolkit. The toolkit accelerates implementation. It doesn’t replace the organizational readiness that certification requires.


FAQ

What is 9001Simplified and who makes it?

9001Simplified is an ISO 9001 documentation toolkit company that has been operating since 2004. Their flagship product is the ISO 9001 Certification Toolkit — a complete DIY certification system used by over 7,000 organizations worldwide. Their consultant team includes IRCA-registered lead auditors and Six Sigma Black Belts with backgrounds in manufacturing, financial services, and regulated industries.

How much does the 9001Simplified Certification Toolkit cost?

The toolkit is priced at $2,490 as a one-time fee with a company-wide license. That covers unlimited users within your organization, 100+ documentation templates, 14 integrated online courses, expert document review, unlimited consulting support until certification, and free updates for five years including the upcoming ISO 9001:2026 revision upgrade.

How long does it take to get ISO 9001 certified using the toolkit?

9001Simplified estimates 3–6 months for small to mid-size organizations using their toolkit. The timeline depends on your organization’s current state of documentation, the availability of your implementation lead, and how quickly your registrar can schedule the Stage 1 and Stage 2 audits. Manufacturers with an existing quality system in place typically move faster than those building from zero.

Does 9001Simplified cover AS9100 or ISO 13485?

No. The Certification Toolkit is specifically designed for ISO 9001:2015. For AS9100 and ISO 13485, 9001Simplified offers consulting, auditing, and certification services — but not a pre-built documentation toolkit. Manufacturers pursuing aerospace or medical device certification need additional sector-specific documentation resources beyond what the ISO 9001 toolkit provides.

Can I modify the templates for my company?

Yes. The toolkit license permits full customization of all templates, including replacing the 9001Simplified logo with your own branding. You own the documentation you create using the templates. Customization instructions are included with every procedure to guide your implementation lead through the adaptation process.

Is the 9001Simplified toolkit suitable for a small fabrication shop?

It’s specifically designed for small to mid-size organizations. The toolkit is configured at purchase for your industry type — manufacturing, service, or both — so fabrication shops, machine shops, and welding operations can select the manufacturing configuration and receive industry-appropriate documentation structures. The process-based Quality Management Manual option is particularly well-suited to manufacturing environments where work flows through clearly defined production stages.

What happens when ISO 9001:2026 is released?

Buyers receive a free upgrade kit when ISO 9001:2026 is published. The DIS was approved by ISO member bodies in August 2025, with publication expected in late 2026 and a three-year transition period. Organizations certifying now under ISO 9001:2015 have until approximately late 2029 to transition. The included upgrade kit means you won’t need to rebuild documentation from scratch when the transition deadline arrives.

Does 9001Simplified include training?

Yes — 14 integrated online courses are included covering every role from employee awareness through lead auditor training. Each learner who completes a course receives a verifiable digital training certificate. The employee awareness training includes a 10-seat license, which covers the shop floor team most manufacturers need to train before the Stage 2 audit.


📥 Free Resources

  • ISO 9001 Roadmap — step-by-step implementation guide for manufacturers building or improving a quality management system
  • Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments
  • Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts

The real risk is not choosing the wrong toolkit.

The real risk is delaying implementation, missing customer requirements, and walking into an audit with a system you know isn’t ready.

ISO 9001 certification tied to a contract, a customer requirement, or a bid qualification is not something you get multiple attempts to get right. One failed Stage 2 audit means another audit cycle, additional registrar fees, and — in some cases — a customer relationship at risk.

If that’s your situation, the question isn’t whether $2,490 is a lot to spend. It’s whether you can afford not to.


Not Sure What to Do Next?

🔹 Building a QMS from scratch or recovering from a failed audit9001Simplified’s Certification Toolkit is the most cost-effective documented path to ISO 9001 certification for manufacturers. One-time fee, expert support included, 100% success rate.

🔹 Need the ISO 9001:2015 standard documentPurchase from the ANSI Webstore — use code CC2026 for 5% off. Your implementation lead needs the standard for accurate clause reference during documentation.

🔹 Not sure where your QMS gaps are → Download the ISO 9001 Roadmap and run a gap assessment before investing in any implementation tool.

The Standards Navigator covers ISO 9001 implementation, certification costs, documentation strategy, and quality management for manufacturers — without the consultant markup.


Stay Ahead on ISO 9001 Compliance

Most manufacturers don’t fail ISO 9001 audits because they don’t understand the standard. They fail because they assumed their documentation was compliant and never ran a structured gap check.

Organizations that pass first-time do two things differently: they run a gap analysis before they build documentation, and they train their team before the Stage 2 audit — not after the first observation.

The Standards Navigator covers ISO 9001 implementation, documentation strategy, and audit preparation for manufacturers across every industrial sector.

👉 Get updates on quality management and ISO 9001 implementation
👉 Be first to access new audit prep tools and implementation resources

Subscribe below to stay ahead.

Subscribe

* indicates required

The Standards Navigator — Industrial Compliance. Clearly Explained.

AS9100 vs ISO 9001: Key Differences for Aerospace Suppliers (2026 Guide)

AS9100 and ISO 9001 are both quality management system standards — but they serve fundamentally different purposes. AS9100 Rev D incorporates every ISO 9001 requirement and adds over 100 aerospace-specific requirements covering product safety, configuration management, first article inspection, and counterfeit parts prevention. This guide explains exactly where the standards differ, who needs AS9100, and how ISO 9001 certification reduces your implementation timeline.

How AS9100 Rev D builds on ISO 9001 — and what aerospace suppliers need to know before choosing a certification path

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


The Question Every Aerospace Supplier Asks Eventually

You are ISO 9001 certified — or you are thinking about getting there. Then a prime contractor drops a supplier questionnaire on your desk with one question that changes the conversation: Are you AS9100 certified?

Those four letters carry weight in aerospace. They signal that your quality management system has been evaluated against requirements that go well beyond general manufacturing. Traceability, configuration management, first article inspection, counterfeit parts prevention — these are not optional considerations in aerospace. They are audited requirements.

The difference between AS9100 and ISO 9001 is not just a longer checklist. It is a fundamentally different level of risk tolerance built into the standard itself. Understanding that distinction before you invest in certification is the difference between a smooth implementation and a year of unexpected rework.

This guide breaks down exactly where AS9100 expands on ISO 9001, who needs which standard, and how to navigate certification if you are coming from an ISO 9001 foundation.


⚠️ Not sure where your QMS stands against AS9100 requirements? Most aerospace suppliers don’t fail certification audits because they don’t understand the standard. They fail because they assumed their ISO 9001 foundation covered more than it did. Run a clause-by-clause gap check before you commit to an implementation timeline.

👉 Download the free AS9100 Rev D Gap Assessment Checklist →


In This Guide

  • What AS9100 is and how it relates to ISO 9001
  • The four AS9100-specific requirement areas that have no ISO 9001 equivalent
  • A clause-by-clause comparison table
  • Who needs AS9100 vs. who can stay with ISO 9001
  • How to use an existing ISO 9001 certification as a foundation
  • Certification cost and timeline comparison

👉 Start Here — Top Resources for This Topic


What Is AS9100 Rev D?

AS9100 is the quality management system standard for the aerospace, aviation, and defense industries. It is published by SAE International and managed by the International Aerospace Quality Group (IAQG).

Rev D — the current revision — was released in 2016 and aligned AS9100 with the ISO 9001:2015 structure. Every requirement in ISO 9001:2015 is incorporated directly into AS9100 Rev D. The aerospace-specific additions sit on top of that foundation — often embedded within the same clause structure.

The standard uses the term Aerospace Quality Management System (AQMS) rather than QMS — a minor but document-important distinction if your QMS manual language needs to align with the standard.

2026 update: The IAQG is developing IA9100, a globally harmonized successor that will replace regional variants including AS9100 (Americas), EN 9100 (Europe), and JISQ 9100 (Asia-Pacific). Final publication is targeted for Q4 2026 with a 24–36 month transition window. Organizations certifying today should certify to AS9100 Rev D — IAQG guidance confirms this is the correct path now.

For the full scope of AS9100 before comparing it to ISO 9001, see What Is AS9100? — The Complete Guide.


How AS9100 Builds on ISO 9001

ISO 9001:2015 provides the quality management framework. AS9100 Rev D starts there and expands.

LayerStandardWhat It Covers
FoundationISO 9001:2015Quality management system — any industry
Aerospace additionsAS9100 Rev D100+ aerospace-specific requirements on top
CombinedAS9100 Rev D fullComplete aerospace quality management system

You cannot hold an AS9100 certification without meeting every ISO 9001 requirement. The reverse is not true — ISO 9001 certification does not satisfy AS9100 requirements.

In practical terms: if you are already ISO 9001 certified, your QMS covers roughly 70–75% of what AS9100 requires. The remaining 25–30% is where most implementation effort concentrates — and where most audit findings are issued.


The Four Key Differences Between AS9100 and ISO 9001

Infographic comparing the four major differences between AS9100 and ISO 9001, including product safety, configuration management, first article inspection, and counterfeit parts prevention.
AS9100 builds on ISO 9001 by adding aerospace-specific requirements for safety, configuration control, first article inspection, and counterfeit parts prevention.

1. Product Safety and Risk Management

ISO 9001 requires risk-based thinking throughout the QMS. AS9100 goes further — it requires explicit, documented product safety considerations and assigns responsibility for communicating safety-critical requirements throughout the supply chain.

Where ISO 9001 says “consider risk,” AS9100 says “identify critical items, establish controls for key characteristics, and document how safety requirements flow to every affected process.”

In a fabrication or machining environment, this means identifying which dimensions, materials, or process parameters are safety-critical — and creating documented evidence that those specific requirements are controlled and verified at every step.

Most common finding: Organizations carrying over their ISO 9001 risk register without adding the AS9100-required safety-criticality designation to individual product characteristics.

2. Configuration Management

ISO 9001 has no equivalent requirement. AS9100 requires a formal configuration management process that controls the definition of a product throughout its lifecycle — including design documentation, approved deviations, and change control.

Your QMS must include a documented process for managing engineering changes, maintaining configuration baselines, and controlling which revision of a drawing, specification, or process document applies to any given production lot.

If you manufacture to customer-furnished drawings in aerospace, your configuration management process must trace which revision was active at time of manufacture — and any deviations from that revision must be formally approved.

3. First Article Inspection (FAI) Requirements

AS9100 requires that organizations establish, document, and implement a first article inspection process — verifying that the product realization process can produce conforming product before full production begins.

The governing document for FAI in aerospace is AS9102. AS9100 does not replicate all of AS9102’s requirements, but it does require that an FAI process exists and is maintained. If your prime contractor flows down AS9102 requirements, you need to address those specifics as well.

ISO 9001 has no first article inspection requirement. This is one of the clearest examples of the risk gap between the two standards.

If you are already ISO 9001 certified → review your current first article or pre-production verification process. It likely needs formal documentation, defined acceptance criteria, and records retention aligned with AS9100 before your Stage 1 audit.

4. Counterfeit Parts Prevention

AS9100 requires a documented process to detect and prevent the use of counterfeit or unapproved parts in aerospace products. This includes supplier controls, parts identification verification, and handling procedures for suspect material.

ISO 9001 addresses supplier controls but makes no mention of counterfeit parts. In aerospace, this is not a theoretical risk — counterfeit electronic components, fasteners, and raw materials have caused documented failures. AS9100 treats it as an auditable requirement.

Your QMS must include counterfeit part risk mitigation in the procurement process, suspect parts handling procedures, and evidence that your suppliers understand and comply with the requirement.


AS9100 vs ISO 9001: Clause-by-Clause Comparison

Both standards share the same high-level clause structure (Clauses 4–10). The table below shows where AS9100 adds requirements within that structure.

Aerospace engineering drawing with revision control block, quality approval stamp, precision-machined component, and mechanical pencil illustrating AS9100 configuration management and document control requirements.
Configuration management in AS9100 requires organizations to control engineering revisions, document changes, and maintain traceability throughout the product lifecycle.
ClauseISO 9001:2015 RequirementAS9100 Rev D Addition
4 — ContextDetermine internal/external issuesAdd: identify applicable statutory/regulatory requirements for aerospace
5 — LeadershipTop management QMS commitmentAdd: communicate importance of meeting aerospace customer requirements
6 — PlanningRisk and opportunity assessmentAdd: product safety risk — identify safety-critical items explicitly
7 — SupportCompetence, awareness, communicationAdd: employee awareness of contribution to product safety and conformity
8.1 — OperationsPlan production/service provisionAdd: configuration management, counterfeit parts prevention, FAI process
8.4 — External providersSupplier evaluation and monitoringAdd: AS9100 flow-down; approved supplier list management
8.5 — Production controlProcess controls and identificationAdd: key characteristics, critical items, lot/serial traceability
8.6 — ReleaseVerification of conformityAdd: documented authority for concessions/deviations; objective evidence retention
9 — PerformanceInternal audits, management reviewAdd: trend analysis of quality data; corrective action effectiveness review
10 — ImprovementNonconformance and corrective actionAdd: escape point analysis; prevent recurrence at supply chain level

Who Needs AS9100 vs. ISO 9001?

You need AS9100 if:

  • ✅ You manufacture, overhaul, or maintain aerospace or defense components
  • ✅ Your customer is a prime contractor (Boeing, Airbus, Lockheed Martin, Raytheon, L3Harris, etc.)
  • ✅ Your purchase orders or supplier agreements specify AS9100 certification
  • ✅ You are pursuing DCMA oversight or government contract qualification
  • ✅ You are on — or want to be on — an Approved Supplier List (ASL) for an aerospace customer

ISO 9001 alone is sufficient if:

  • ✅ You manufacture for non-aerospace industries only
  • ✅ Your customer requires ISO 9001 but does not specify AS9100
  • ✅ You are a commercial manufacturer considering AS9100 as a future growth target

The gray area — Tier 2 and Tier 3 suppliers:

Not every supplier in the aerospace supply chain is required to hold AS9100. Some Tier 2 and Tier 3 suppliers hold ISO 9001 — but the trend is toward AS9100 flow-down requirements going deeper into supply chains. If your prime contractor has added AS9100 to their supplier qualification requirements in the last two years, that is a signal.

Check the IAQG OASIS database to verify certification status of suppliers you are evaluating — and to understand what your prime contractor is likely to require.

If you are evaluating whether AS9100 applies to your organization → review the supplier flow-down requirements in your prime contractor agreement first. The answer is almost always in the purchase order or the Supplier Quality Requirements (SQR) document.


⚠️ Waiting until a customer audit to discover your AS9100 gaps is a costly mistake. Most findings at Stage 1 audits come from undocumented FAI processes, missing configuration management records, and supplier flow-down gaps — all addressable before the auditor walks in the door.

👉 Run the AS9100 Rev D Gap Assessment now — it takes under 45 minutes →


Can ISO 9001 Certification Serve as a Foundation?

Yes — and it is the most efficient path to AS9100.

If you are already ISO 9001 certified, your QMS infrastructure is in place. Document control, internal audit, CAPA, and management review all carry over. The transition work focuses on the AS9100-specific additions.

👉 Run the AS9100 Rev D Gap Assessment before you build your implementation plan — clause-by-clause, free, takes under 45 minutes →

Realistic scope of the gap for an ISO 9001-certified organization:

AreaISO 9001 StatusAS9100 Gap Work Required
Document controlCompliantMinimal — add configuration management layer
Risk managementCompliantModerate — add product safety and critical item designation
Supplier controlsCompliantSignificant — add AS9100 flow-down, approved supplier list, counterfeit prevention
Production controlsCompliantModerate — add key characteristics, lot/serial traceability
First article inspectionNot addressedNew process — build from scratch or formalize existing practice
Internal audit programCompliantMinimal — add aerospace-specific audit criteria
Split-panel aerospace quality management graphic showing ISO 9001 as the foundation on the left and expanded AS9100 requirements, including first article inspection and configuration management documentation, on the right.
ISO 9001 provides a strong quality management foundation, but AS9100 adds aerospace-specific requirements for configuration management, first article inspection, product safety, and counterfeit parts prevention.

Most ISO 9001-certified organizations completing AS9100 gap remediation report 6–12 months of active implementation before Stage 1 audit readiness. Organizations starting from scratch typically need 12–18 months.

If you are already ISO 9001 certified → focus your implementation effort on the four AS9100-specific requirements that have no ISO 9001 equivalent: product safety documentation, configuration management, first article inspection, and counterfeit parts prevention.


Certification Cost and Timeline Comparison

FactorISO 9001AS9100 Rev D
Standard document cost~$175 (ANSI Webstore) — or buy AS9100 and ISO 9001 together and save~$140 (SAE/ANSI)
Implementation timeline (from scratch)9–12 months12–18 months
Implementation timeline (from ISO 9001)N/A6–12 months
Stage 1 audit cost$1,500–$3,000$2,000–$4,500
Stage 2 audit cost$3,000–$8,000$5,000–$12,000
Annual surveillance audit$2,000–$5,000$3,000–$6,500
Consultant support (optional)$5,000–$25,000$10,000–$40,000
Certification body optionsWide choiceMust be IAQG-approved

For a full breakdown by company size and scope, see How Much Does AS9100 Certification Cost?

One critical distinction: AS9100 auditors must be approved through the IAQG certification scheme. Not every ISO 9001 registrar is authorized to issue AS9100 certificates. BSI Group and ISOQAR are both IAQG-approved — BSI Group offers AS9100-specific audit preparation and lead auditor training if you want to build internal competency before your Stage 2 audit. Verify your certification body’s IAQG approval status before engaging.


How to Get Certified: Next Steps

If you are starting from an ISO 9001 foundation:

  1. Download the gap assessment checklist and work through it clause by clause

If your documentation infrastructure needs rebuilding around the AS9100-specific additions, 9001Simplified’s QMS documentation kits provide the ISO 9001 foundation layer that maps directly into AS9100 implementation — cutting initial document build time by 40–60% compared to starting from blank procedures.

  1. Identify your critical items — flag which product characteristics carry safety implications
  2. Build your configuration management process — a documented change control log is a starting point
  3. Formalize your FAI process — if you already do first article checks informally, document them to AS9102 framework
  4. Update your supplier controls — add AS9100 flow-down language to purchase orders and supplier questionnaires
  5. Select an IAQG-approved certification body — get quotes from at least two before committing
  6. Complete your internal audit against the full AS9100 requirements
  7. Schedule your Stage 1 audit — confirm documentation readiness before Stage 2 is booked

If you are starting without ISO 9001:

Consider building to AS9100 directly — you will need to meet every ISO 9001 requirement anyway. Starting with ISO 9001 as an intermediate milestone adds cost and time without a corresponding benefit unless your customer base genuinely splits between ISO 9001 and AS9100 requirements.

If under customer pressure to certify quickly → prioritize training and select your certification body before building documentation. Audit scheduling lead times at major certification bodies currently run 2–4 months.


📥 Free Resources


AS9100 Rev D gap assessment checklist showing aerospace quality management requirements, audit readiness evaluation, and certification preparation for aerospace manufacturers and suppliers.
Use an AS9100 Rev D gap assessment checklist to identify quality management system weaknesses before your certification audit.

📬 Stay Ahead of Your Next Audit

AS9100 auditors find the same gaps year after year — configuration management records, FAI documentation, and supplier flow-down evidence. We track what is actually being flagged in the field and send it directly to your inbox.

Subscribe and get the AS9100 Rev D Gap Assessment Checklist delivered immediately.

Sign up here →


FAQ

Is AS9100 the same as ISO 9001?

No. AS9100 contains every requirement in ISO 9001:2015 but adds more than 100 aerospace-specific requirements covering product safety, configuration management, first article inspection, counterfeit parts prevention, and traceability. ISO 9001 is a general-industry standard; AS9100 is specific to aerospace, aviation, and defense.

Can I be certified to both AS9100 and ISO 9001?

AS9100 certification already incorporates all ISO 9001 requirements, so holding an AS9100 certificate demonstrates compliance with both. Many organizations hold a single AS9100 certificate. Some certification bodies will issue both certificates simultaneously if your customer base specifically requires the ISO 9001 certificate by name.

Does ISO 9001 certification help with AS9100 certification?

Yes, significantly. An existing ISO 9001 QMS provides the document control, internal audit, CAPA, and management review infrastructure that AS9100 builds on. Most ISO 9001-certified organizations can reach AS9100 audit readiness in 6–12 months rather than the 12–18 months typically required from scratch.

Who manages AS9100?

AS9100 is published by SAE International and managed by the International Aerospace Quality Group (IAQG), a consortium of aerospace manufacturers including Boeing, Airbus, and Lockheed Martin. Certification auditors must be approved through the IAQG scheme.

What is IA9100 and does it replace AS9100?

IA9100 is the globally harmonized successor to AS9100 currently being developed by the IAQG. It will replace regional variants including AS9100, EN 9100, and JISQ 9100. Final publication is targeted for Q4 2026 with a 24–36 month transition window. Organizations should certify to AS9100 Rev D now — IAQG guidance confirms this is the correct path.

Do all aerospace suppliers need AS9100?

Not all — but the requirement is flowing deeper into supply chains. Tier 1 suppliers to major primes almost universally require AS9100. Tier 2 and Tier 3 suppliers are increasingly seeing it added to supplier qualification requirements. Verify your specific requirements by reviewing your purchase orders, Supplier Quality Requirements documents, and any flow-down clauses from your prime contractor.

How long does AS9100 certification take?

From a standing start with no existing QMS: 12–18 months. From an existing ISO 9001 certification: 6–12 months. Timeline depends on scope, number of sites, and the extent of gap remediation required after your initial assessment.

What is the difference between AS9100 and NADCAP?

AS9100 is a quality management system standard covering the organization’s overall AQMS. NADCAP (National Aerospace and Defense Contractors Accreditation Program) is a process-specific accreditation program covering special processes — heat treatment, NDT, chemical processing, welding, and others. Many aerospace suppliers hold both. They are complementary, not competing certifications.


Not Sure What to Do Next?

🔹 Need the AS9100 Rev D standard documentBuy AS9100 Rev D — ANSI Webstore. Use code CC2026 for 5% off.

🔹 Need training before your auditAS9100 Lead Auditor and Implementation Courses — BSI Group

🔹 Building your ISO 9001 foundation firstBuy ISO 9001:2015 — ANSI Webstore and review the ISO 9001 Certification Guide before committing to an AS9100 timeline.

The gap between ISO 9001 and AS9100 is real — but it is not insurmountable. Aerospace suppliers make this transition every day. The ones who do it efficiently run their gap assessment first, build their implementation plan around the actual findings, and select a certification body before they start writing procedures. The Standards Navigator covers every step of that process. Start with the gap assessment — everything else follows.


AS9100 vs ISO 9001: The Gap Is Closeable. Start with the Right Information.

The aerospace suppliers that struggle with AS9100 transition are almost always the ones working from assumptions — assuming their ISO 9001 foundation covers more than it does, assuming FAI is informal enough to pass, assuming their supplier flow-down language is sufficient.

The ones that pass their first AS9100 Stage 1 audit without major findings are the ones who ran the gap assessment before they called a consultant.

At The Standards Navigator, AS9100, ISO 9001, and the full aerospace compliance landscape are covered in plain-language, field-level detail — from the standard itself to implementation strategy, audit preparation, and certification body selection.

👉 Get updates on aerospace quality standards, implementation guidance, and compliance insights delivered directly.

👉 Be first to access new AS9100 guides, checklists, and tools as they publish.

Subscribe below to stay ahead.

Subscribe

* indicates required

The Standards Navigator — Industrial Compliance. Clearly Explained.

How Much Does AS9100 Certification Cost in 2026? A Complete Breakdown

AS9100 Rev D certification costs vary significantly by company size, existing QMS maturity, and audit scope. This guide breaks down every cost component — from the standard itself to Stage 2 audit fees and ongoing surveillance costs — with realistic 2026 figures for small shops through large manufacturers.

AS9100 Rev D certification costs, audit fees, implementation expenses, and how to budget for aerospace quality compliance

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


The Number That Stops Most Aerospace Suppliers Cold

You need AS9100 certification. Your prime contractor has made that clear. The question isn’t whether you’ll pursue it — it’s whether you can survive the budget shock when you start getting quotes.

Most shops walk into this process expecting a number and walk out with a range so wide it feels useless. That’s not an accident. AS9100 certification costs depend on a half-dozen variables that the certification bodies won’t resolve until they’ve assessed your operation in detail.

Here’s what I can tell you: the cost is real, the range is legitimate, and if you understand the components, you can budget accurately and avoid the expensive surprises that derail timelines.

This guide breaks down every cost element — from the standard itself to the Stage 2 certification audit — and gives you realistic numbers for 2026.


Quality manager reviewing AS9100 certification documentation inside an aerospace manufacturing facility with aerospace components, inspection equipment, and production personnel in the background.
Understanding AS9100 certification costs starts with evaluating your quality system, documentation, internal audits, and aerospace compliance readiness.

Before you start collecting quotes, know where your gaps are. Most organizations underestimate implementation time because they skip the gap assessment. Run ours first — it’s clause-by-clause, it’s free, and it will tell you exactly where you’re exposed before you commit to a timeline.

👉 Download the AS9100 Rev D Gap Assessment Checklist →


In This Guide

  • What drives AS9100 certification costs
  • The cost of the AS9100 standard itself
  • Implementation and consulting costs
  • Training costs
  • Certification body (registrar) audit fees
  • Ongoing surveillance and recertification costs
  • Total cost estimates by company size
  • How to reduce your certification spend without cutting corners
  • FAQ

👉 Start Here — Top Resources for AS9100 Certification

Before diving into the numbers, these are the resources readers at this stage actually use:


What Drives AS9100 Certification Costs

AS9100 certification costs are not fixed. Every quote you receive will be shaped by these variables:

Cost DriverLow-Cost ScenarioHigh-Cost Scenario
Company sizeUnder 50 employees500+ employees
Number of sitesSingle facilityMultiple locations
Existing QMSISO 9001 already certifiedNo QMS in place
Process complexitySimple machining or assemblyDesign authority, software, multi-discipline
Consultant involvementInternal resources onlyFull consultant engagement
Certification body choiceRegional, competitive pricingTier 1 global registrar
Timeline pressure18–24 months6–9 months (expedited)

The aerospace and defense sectors carry stricter safety and quality requirements than general industry. That rigor gets reflected in audit time. AS9100 audits run longer than ISO 9001 audits for the same organization size — plan for it.


Cost of the AS9100 Standard

You cannot implement a standard you haven’t read. The official AS9100 Rev D document is the starting point for everything that follows.

AS9100 Rev D is maintained by SAE International and the International Aerospace Quality Group (IAQG). It is available through the ANSI Webstore alongside related aerospace standards.

Current pricing (2026):

  • AS9100 Rev D standard: approximately $170–$220 (PDF or print)
  • AS9100 standards collection package: available with multi-standard savings

Purchase AS9100 Rev D — ANSI Webstore → Use code CC2026 for 5% off through December 31, 2026.

You will also want access to related documents during implementation:

  • AS9104/1 — requirements for aviation, space, and defense quality management system certification programs (your registrar follows this)
  • AS9101 — quality management systems audit requirements for aviation, space, and defense organizations
  • ISO 9001:2015 — AS9100 incorporates ISO 9001 in full; you need both if your team doesn’t already know the base standard

If you are already ISO 9001 certified, your team knows the foundation. The incremental cost is the delta — roughly 25% of AS9100’s requirements go beyond ISO 9001.


Implementation and Consulting Costs

This is where the range gets wide. Implementation costs depend almost entirely on where you’re starting from.

Starting from scratch (no QMS)

If your shop has no documented quality management system, expect 12–24 months of internal effort and significant documentation work. A consultant will accelerate this but adds direct cost.

Typical consulting fee structures:

Engagement TypeTypical CostWhat You Get
Full implementation consulting$15,000–$60,000+Gap assessment through Stage 2 audit support
Project-based (documentation only)$5,000–$15,000QMS manual, procedures, work instructions
Hourly advisory$150–$350/hourTargeted support for specific gaps or audit prep
Pre-assessment (gap audit only)$2,000–$5,000Structured gap report against AS9100 requirements
AS9100 certification cost drivers infographic showing seven variables that affect certification costs, including company size, QMS maturity, number of sites, consultant involvement, certification body selection, implementation timeline, and timeline pressure, with Year 1 investment ranges by organization size.
AS9100 certification costs vary significantly based on company size, QMS maturity, site count, implementation strategy, and certification scope.

Starting from ISO 9001

This is the most common scenario for mid-size manufacturers moving into aerospace supply chains. Your QMS foundation is intact. The work is additive — closing the gap on AS9100-specific requirements including:

  • Risk management (beyond ISO 9001 Clause 6 — more prescriptive in aerospace)
  • Configuration management
  • First article inspection (FAI) requirements per AS9102
  • Key characteristics identification and control
  • Product/process change control
  • Counterfeit parts prevention

Budget $8,000–$25,000 in consulting if you need external support for the transition. Internal teams with a qualified QMS lead can do much of this work without outside help.

If you are building your QMS documentation from scratch, documentation kits can cut your build time significantly. 9001Simplified’s documentation packages cover ISO 9001 foundations that map directly into AS9100 implementation — the same clause structure, the same documented information requirements, ready to adapt for aerospace-specific additions.


Training Costs

AS9100 certification requires trained internal auditors. It also requires that your quality team understands the standard at a level that holds up under registrar scrutiny. Training is not optional — it’s both a certification requirement and a practical necessity.

Training cost ranges (2026):

Training TypeFormatTypical Cost
AS9100 Awareness (overview)Online, self-paced$200–$600/person
AS9100 Internal AuditorClassroom or virtual, 3 days$1,200–$2,500/person
AS9100 Lead Auditor (Probitas-certified)Classroom or virtual, 5 days$1,800–$2,500/person
Implementation workshopOn-site, 2 days$3,000–$8,000 (group)

Most organizations certify 1–2 internal auditors and send 1–2 quality personnel through awareness training. Budget $3,000–$8,000 for a small to mid-size shop’s initial training investment.

AS9100 Training Courses — BSI Group →

BSI Group offers AS9100 lead auditor, internal auditor, and implementation training with both virtual and classroom options. Their aerospace quality training is recognized across the IAQG community.


Certification Body (Registrar) Audit Fees

The registrar audit is the largest single external expense. This is what you pay the certification body to perform Stage 1 (document review), Stage 2 (on-site certification audit), and issue the AS9100 certificate.

How registrars determine your audit time:

AS9100 audit time is calculated using IAQG and IAF guidelines — typically based on employee count, process complexity, number of shifts, and scope of operations. Aerospace audits are more labor-intensive than general industry audits of equivalent size.

Auditor day rates (2026):

Auditor fees typically run $1,500–$3,000 per audit day, plus travel and accommodation where on-site presence is required. Virtual audit options can reduce travel costs but are not available for all certification bodies or scopes.

Initial certification audit duration by company size:

Company SizeTypical Audit DaysEstimated Audit Fee Range
Under 25 employees2–3 days$3,000–$9,000
25–100 employees3–5 days$4,500–$15,000
100–250 employees5–8 days$7,500–$24,000
250–500 employees7–12 days$10,500–$36,000
500+ employees10+ days$15,000–$60,000+

Registration fees, application fees, and certificate issuance fees are additional — typically $500–$2,000 depending on the certification body.

OASIS database registration is mandatory. Your certification body will register your AS9100 certificate in the IAQG OASIS database — this is how prime contractors verify supplier certification status. Confirm your registrar is OASIS-registered before engaging.

Most organizations that fail their Stage 2 audit don’t fail because they misunderstood the standard. They fail because they assumed their documented system matched what was actually happening on the floor. Before you schedule your audit, run a structured internal audit against every AS9100 clause. Your gap assessment checklist will tell you where you’re exposed.

👉 Download the AS9100 Rev D Gap Assessment Checklist →


Ongoing Costs After Certification

AS9100 certification cycle infographic showing the three-year certification timeline, including initial certification, Year 1 surveillance audit, Year 2 surveillance audit, and Year 3 recertification audit requirements.
AS9100 certification is not a one-time event. Organizations must complete surveillance audits and recertification audits throughout a continuous three-year certification cycle.

AS9100 certification is a three-year cycle with annual surveillance audits. Budget for the full cycle, not just the initial certification.

Ongoing cost structure:

ActivityFrequencyTypical Cost
Annual surveillance auditYears 1 and 2$2,000–$8,000/year
Recertification auditYear 3$4,000–$15,000
Internal audit programOngoingInternal labor cost
Management reviewAnnual minimumInternal labor cost
Continual improvement activitiesOngoingVariable

Three-year total external cost (registrar fees only):

  • Initial certification: $5,000–$36,000
  • Year 1 surveillance: $2,000–$8,000
  • Year 2 surveillance: $2,000–$8,000
  • Year 3 recertification: $4,000–$15,000
  • Three-year total (registrar fees): $13,000–$67,000

This is external cost only. Internal labor — quality manager time, audit preparation, document maintenance, management review — adds significantly to the true cost of maintaining certification.


Total AS9100 Certification Cost by Company Size

Quality manager reviewing an AS9100 certification budget and cost estimate inside an aerospace manufacturing facility while evaluating certification planning, audit expenses, and compliance investments.
Effective AS9100 certification planning requires understanding both initial implementation costs and ongoing audit expenses throughout the certification cycle.

These figures represent all-in estimates for the first year of certification, including the standard, implementation, training, and audit fees. Consulting costs assume partial external engagement.

Company SizeStandard + TrainingImplementationAudit FeesTotal Year 1 Estimate
Small (under 25 employees)$2,000–$4,000$3,000–$10,000$4,000–$10,000$9,000–$24,000
Mid-size (25–100 employees)$3,000–$6,000$8,000–$25,000$6,000–$18,000$17,000–$49,000
Large (100–250 employees)$4,000–$8,000$15,000–$40,000$10,000–$28,000$29,000–$76,000
Enterprise (250+ employees)$7,000–$10,000$25,000–$80,000+$20,000–$60,000+$52,000–$150,000+

These ranges align with industry data showing SMEs spending $8,000–$30,000 for initial certification (audit fees alone) and total first-year costs of $10,000–$50,000 for organizations with some QMS foundation already in place.

If you are already ISO 9001 certified, reduce the implementation estimate by 30–50%. Your documentation foundation, internal audit program, and management system structure already exist. You are closing gaps, not building from scratch.


How to Reduce Your AS9100 Certification Costs

Cost reduction in AS9100 certification comes from three levers: preparation quality, consultant leverage, and timeline management.

Lever 1 — Do the gap assessment before anything else

A structured gap assessment identifies your actual compliance posture before you engage a consultant or registrar. Organizations that skip this step pay consultants to discover what they could have identified themselves. The AS9100 Rev D Gap Assessment Checklist is built for exactly this purpose.

Lever 2 — Build internal competency before engaging consultants

Train your internal quality lead before you bring in external help. One person with a solid understanding of AS9100 Rev D requirements will cut your consulting hours significantly. The pre-certification investment in AS9100 internal auditor training pays for itself on the first consultant engagement.

Lever 3 — Don’t rush the timeline

Compressed timelines require more consultant hours, more registrar pre-assessment support, and more internal overtime. An 18–24 month implementation done at a sustainable pace typically costs 20–35% less than a 9–12 month expedited push. If your customer isn’t pressing a specific date, don’t create artificial urgency.

Lever 4 — Get multiple registrar quotes

Audit fees vary significantly between certification bodies. Get quotes from at least three accredited registrars before committing. Verify OASIS registration status through the IAF and confirm aerospace-specific auditor qualifications before selecting on price alone.

Lever 5 — Use documentation frameworks

Documentation build time is one of the largest internal cost drivers for organizations starting from scratch. Pre-built QMS documentation frameworks — procedure templates, quality manual structures, record templates — cut initial build time by 40–60% compared to building from blank documents.

9001Simplified’s documentation kits provide the ISO 9001 foundation layer that maps directly into AS9100 implementation. If you need the quality management system built before you can tackle aerospace-specific additions, this is the fastest starting point available.


📥 Free Resources


Not Sure What to Do Next?

🔹 If you need to purchase the AS9100 Rev D standardBuy it through the ANSI Webstore using code CC2026 for 5% off. That is the official SAE/IAQG document — there is no substitute.

🔹 If your team needs AS9100 trainingBSI Group’s AS9100 training catalog covers internal auditor, lead auditor, and implementation training in virtual and classroom formats.

🔹 If you need to build your QMS documentation9001Simplified’s documentation packages give you the ISO 9001 foundation layer that AS9100 builds on.

The Standards Navigator covers every step of the AS9100 certification journey. Start with the gap assessment, understand what you’re building, and make every dollar in your certification budget count.


Frequently Asked Questions

How much does AS9100 certification cost for a small company?

A small company with under 25 employees can expect total first-year AS9100 costs of $9,000–$24,000, assuming some QMS foundation exists. This includes the standard, basic training, limited consulting, and the certification audit. Companies with no existing quality management system should budget toward the higher end or beyond, particularly if a full-service consultant is needed.

Is AS9100 more expensive than ISO 9001 to certify?

Yes, typically 20–40% more for the initial certification audit alone. The audit takes longer because AS9100 has additional requirements beyond ISO 9001 — risk management, configuration management, first article inspection, and more — that require specific auditor competency and additional audit time. If you are already ISO 9001 certified, the premium is lower because your foundation is in place.

How long does AS9100 certification take?

Most organizations complete initial AS9100 certification in 12–24 months. Organizations already certified to ISO 9001 with a competent internal quality function can target the lower end of that range. Compressed timelines of 6–12 months are possible but increase cost and risk of audit failure.

How long does AS9100 certification take?

Most organizations complete initial AS9100 certification in 12–24 months. Organizations already certified to ISO 9001 with a competent internal quality function can target the lower end of that range. Compressed timelines of 6–12 months are possible but increase cost and risk of audit failure.

Do I need a consultant to get AS9100 certified?

No, but it depends on your internal capability. Organizations with an experienced quality manager who understands AS9100 requirements can implement with minimal external support. The gap assessment, internal auditor training, and documentation frameworks reduce the dependency on consultants significantly. Most small to mid-size shops benefit from targeted consulting support on specific gaps rather than full-service engagement.

What happens if I fail my AS9100 Stage 2 audit?

A Stage 2 audit failure does not end the process. The registrar will issue nonconformances — major or minor. Major nonconformances require a corrective action plan and evidence of resolution before certification is issued, which may require a return visit. This adds cost (additional audit days) and delays your timeline. Prevention is the correct strategy: run structured internal audits against every clause before your Stage 2 date.

How much do annual surveillance audits cost for AS9100?

Annual surveillance audits typically cost $2,000–$8,000 per year depending on company size and registrar. They are shorter than the initial certification audit — usually 1–3 days — but are required in Years 1 and 2 of the three-year certification cycle. Recertification in Year 3 costs similarly to the initial certification audit.

Can I use a virtual audit for AS9100 certification?

Some certification bodies offer hybrid or virtual audit options, which can reduce travel costs meaningfully. However, not all registrars and not all scopes are suitable for fully virtual audits under AS9100 requirements. Confirm with your certification body before assuming virtual is available for your operation.

What is the OASIS database and why does it matter for cost?

The IAQG OASIS database is the official registry where AS9100 certificates are recorded. Prime contractors and customers verify supplier certification through OASIS — not through the certificate document alone. Your certification body is required to register your certificate in OASIS. Registrars that are not OASIS-registered cannot issue valid AS9100 certifications. There is no workaround. Selecting an unaccredited or non-OASIS-registered body wastes your entire investment.


The Standards Navigator provides practical guidance on ISO standards and industrial compliance for manufacturing professionals. For more on the AS9100 certification process, see our complete AS9100 guide and our Buy AS9100 article.


Don’t schedule your AS9100 audit until you know where your gaps are. Most certification delays and re-audit fees trace back to assumptions about compliance that a structured gap check would have caught. Run the AS9100 Rev D Gap Assessment Checklist before you commit to a timeline — it’s clause-by-clause, it’s free, and it takes less time than one conversation with a consultant.

👉 Download the AS9100 Rev D Gap Assessment Checklist →


Stay Ahead of Every Audit — Join The Standards Navigator

Most quality managers find out about a new requirement when an auditor cites it.

Don’t be that team.

The Standards Navigator publishes practical breakdowns of ISO standards, aerospace compliance requirements, and audit preparation guidance written by someone who has spent 25 years on the floor — not in a classroom.

No filler. No generic compliance tips. Just the specific guidance that keeps your QMS audit-ready and your certification on track.

What subscribers get:

✅ New articles on AS9100, ISO 9001, ISO 13485, and industrial compliance standards — as they publish
✅ Practical audit prep guidance tied to real nonconformance patterns
✅ Early access to gap assessment checklists, implementation tools, and documentation resources
✅ Cost breakdowns and certification body comparisons you won’t find condensed anywhere else

Subscribe

* indicates required

No spam. No sales pitches. Unsubscribe any time. Join the quality managers, compliance professionals, and aerospace suppliers who read The Standards Navigator every week.

Buy AS9100 Rev D Standard: Where to Get the Official Document in 2026

AS9100 Rev D is the quality management standard for aviation, space, and defense — and it must be purchased from an authorized source. This guide covers where to buy it, current pricing, format options, what the document includes, and what the upcoming IA9100 transition means for buyers in 2026.

How to purchase AS9100 Rev D from authorized sources — pricing, formats, and what comes with the standard

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


If You’re Sourcing AS9100, You Need to Get This Right

AS9100 Rev D is the quality management standard for aviation, space, and defense. If you’re a supplier to Boeing, Lockheed Martin, Raytheon, or any prime contractor in the aerospace sector, there’s a good chance AS9100 certification is either already required or will be before your next contract renewal.

Getting the standard wrong at the start creates problems that compound. Counterfeit copies circulate online. Outdated revisions get used for implementation. Organizations spend months building a QMS to the wrong requirements and then face nonconformances during Stage 1 audit because the auditor is working from the current text and they’re not.

This guide covers exactly where to buy AS9100 Rev D, what you’re actually getting when you purchase it, the formats available, and what to know about the upcoming transition to IA9100.


In This Guide:

  • Where to buy AS9100 Rev D from authorized sources
  • Pricing and format options (PDF vs. print)
  • What the standard document includes
  • Related aerospace standards worth purchasing together
  • What the IA9100 transition means for buyers in 2026
  • How to verify your certification body is OASIS-listed

👉 Start Here — Top Resources for AS9100

👉 Buy AS9100 Rev D (PDF or Print): ANSI Webstore — Official SAE/AS9100 Standard — use code CC2026 for 5% off through December 31, 2026

👉 Save on Standard Bundles: ANSI Standard Packages — up to 50% off

👉 Build Your AS9100 QMS Documentation: 9001Simplified — Documentation Kits for Aerospace QMS

👉 AS9100 Training Courses: BSI Group — AS9100 Training and Certification

👉 ISO 9001 Training (Foundation for AS9100): ISOQAR — ISO/AS9100 Training Courses


Where to Buy AS9100 Rev D

AS9100 Rev D is published by SAE International on behalf of the International Aerospace Quality Group (IAQG). It is not freely available. To access the official, enforceable text of the standard, you must purchase it from an authorized source.

There are three legitimate options:

SourceFormat AvailableBest For
ANSI WebstorePDF, print, multi-user, bundlesU.S. buyers; international orders; bundle purchases — multiple languages available
SAE International (sae.org)PDF, printDirect from publisher; SAE members may receive discounts
BSI GroupPDF, printUK and European buyers; combined standard and training purchases
Comparison infographic showing authorized AS9100 Rev D purchase sources versus unauthorized sources, including pricing ranges, compliance benefits, and risks of unofficial copies.
Purchasing AS9100 Rev D from authorized sources helps ensure document accuracy, compliance, support, and access to the latest revision.

The ANSI Webstore is the recommended source for most buyers. It carries the full SAE AS9100 series in PDF and print formats, processes international orders, offers standards in multiple languages, and includes bundle packages that reduce per-standard cost when you need more than one document. Use code CC2026 at checkout for 5% off through December 31, 2026.

Avoid third-party resellers offering discounted PDFs, “free downloads,” or document-sharing platforms. Copies obtained outside authorized channels are almost always outdated, incomplete, or counterfeit — and your registrar will ask to see that you’re working from a current, controlled copy of the standard.

See also: Where to Buy ISO Standards — Complete Guide to Official Sources


Pricing and Formats

AS9100 Rev D pricing through the ANSI Webstore runs approximately $200–$260 for a single-user PDF. Hardcopy print editions are similarly priced. Multi-user and enterprise licenses are available for organizations that need broader access.

FormatPrice RangeNotes
Single-user PDF$200–$260Immediate download; searchable; single-user license only
Hardcopy (print)$200–$260Physical copy; useful for shop floor reference; single license
PDF Multi-User$400–$500Shared access across your implementation team
Enterprise License$1,000–$1,800Organization-wide access; contact ANSI for quote
Bundle (AS9100 + related standards)Up to 50% offBest value when purchasing multiple aerospace standards together

If you’re buying AS9100 alongside AS9102 (first article inspection), AS9101 (audit requirements), or ISO 9001, the ANSI standard bundle packages are worth evaluating — savings of up to 50% off list price apply when you bundle. That’s meaningful when you’re stacking multiple documents for a full implementation.

For a full breakdown of what AS9100 certification costs beyond the standard itself — including registrar fees, audit costs, and consultant expenses — see How Much Does ISO Certification Cost?


What the Standard Includes

AS9100 Rev D is the full quality management system requirements document for aviation, space, and defense. It is built on the ISO 9001:2015 framework — every clause from ISO 9001 is present — with aerospace-specific additions layered on top.

When you purchase AS9100 Rev D, you get:

  • The complete text of all 10 clauses, including all aerospace add-ons
  • Annex A — mapping of clause additions to ISO 9001 structure
  • Annex B — quality management principles (informative)
  • Bibliography of related standards

Key aerospace-specific requirements that go beyond ISO 9001 include:

Requirement AreaAS9100-Specific Addition
Product safetyDedicated clause — must identify, document, and manage product safety risks
Counterfeit parts preventionExplicit controls required for prevention, detection, and disposition of counterfeit EEE parts
Configuration managementRequired for products throughout lifecycle — more rigorous than ISO 9001 traceability requirements
First article inspectionReferenced requirement — cross-references AS9102 for full FAI requirements
Human factorsAddressed explicitly — organizations must consider human factors in their processes
Operational risk managementExpanded beyond ISO 9001 risk-based thinking — more prescriptive requirements

The standard text itself does not include implementation guidance, checklists, or templates. Those are separate documents. If your team needs a ready-made documentation system, 9001Simplified’s aerospace documentation kits are built to the AS9100 clause structure and can significantly compress implementation time.

See also: ISO Documentation Packages — Are They Worth It for Manufacturing?


⚠️ Most teams don’t fail AS9100 audits because they misread the standard. They fail because they assumed their existing QMS covered it. If you haven’t run a clause-by-clause gap check against Rev D, do it before you schedule your Stage 1.

👉 Download the AS9100 Rev D Gap Assessment Checklist — free


AS9100 Rev D references several companion standards. If you’re implementing or certifying to AS9100, these are the documents your auditor will expect you to know — and in some cases, demonstrate compliance with.

StandardWhat It CoversRequired?
AS9101FAudit requirements for aviation, space, and defenseUsed by your registrar during audits — worth understanding
AS9102BFirst Article Inspection (FAI) requirementsFrequently customer-mandated; cross-referenced in AS9100
AS5553Counterfeit parts avoidance, detection, mitigationDirectly referenced by Clause 8.1.4 of AS9100
ISO 9001:2015Quality management system requirements (base standard)AS9100 incorporates ISO 9001 in full — purchasing separately is optional
AS9110QMS requirements for aviation maintenance organizationsMRO-specific — not needed unless you’re an aviation maintenance operation
AS9120QMS requirements for aviation distributorsDistributors only — not a manufacturing standard

For most manufacturers, the priority purchases alongside AS9100 Rev D are AS9102 if your customers require FAI, and AS5553 if you handle electronic or electromechanical components. Both are available through ANSI standard bundle packages. The full SAE International aerospace standards catalog is available if you need to browse the complete series before deciding.

If you are also ISO 9001 certified — or working toward it as a foundation for AS9100 — see What Is AS9100? for a full breakdown of how the two standards relate clause by clause.


The IA9100 Transition — What Buyers Need to Know in 2026

This is the most important context for anyone buying AS9100 in 2026.

The IAQG is in the process of rebranding and revising AS9100 Rev D as IA9100 — where “IA” stands for International Aerospace. The name change reflects the IAQG’s goal of publishing a single, unified global document rather than separate regional versions. The target publication date is late 2026, aligned with the anticipated release of ISO 9001:2026.

What this means practically:

  • AS9100 Rev D remains the current, enforceable standard. Buy it now if you need to implement or certify to AS9100. It is the document your registrar will audit against.
  • The transition window after IA9100 publishes will likely be two to three years. Organizations with current AS9100 Rev D certificates will have time to transition — similar to how ISO 9001:2015 gave organizations three years to move from 2008.
  • Key changes expected in IA9100 include expanded product safety requirements, new information security clauses, stronger counterfeit parts controls, and alignment with the revised ISO 9001 high-level structure.
  • You are not behind by purchasing Rev D today. Every organization that certifies in 2026 will need to transition later — that’s standard practice in ISO and aerospace standards management.
Timeline infographic showing the expected transition from AS9100 Rev D certification to IA9100 publication and the anticipated 2-3 year aerospace industry transition period.
This timeline illustrates the expected path from AS9100 Rev D certification to the future IA9100 standard and transition window.

⚠️ Buyer’s Note: If you see a listing for “IA9100” or “AS9100 Rev E” as a published, purchasable standard in 2026, verify the source carefully. As of June 2026, IA9100 has not been published. AS9100 Rev D (2016) is the current edition.

For a deeper look at what AS9100 requires and how certification works, see What Is AS9100? — Complete Guide to the Aerospace Quality Standard.

See also: ISO Implementation Timeline for Manufacturers and Best ISO Certification Bodies — Ranked and Reviewed for 2026


How to Verify Your Certification Body Is OASIS-Listed

Not every ISO 9001 registrar is accredited to certify AS9100. This is a common mistake — organizations assume that because a CB holds ISO 9001 accreditation, they can issue an AS9100 certificate. They can’t unless they hold separate AS9100 accreditation.

The IAQG maintains the OASIS database — the authoritative registry of AS9100-certified organizations and accredited certification bodies. Before you sign with a registrar:

  • ✅ Search the OASIS database to confirm your CB is listed and active for AS9100
  • ✅ Verify ANAB accreditation for AS9100 in North America — this is the recognized accreditation body
  • ✅ Ask specifically which aerospace sectors and scopes the CB is accredited for — aerospace scopes vary
  • ✅ Confirm your organization’s OASIS listing after certification — your prime contractor customers will check it

An AS9100 certificate from an unaccredited CB is not recognized by prime contractors, DoD, or the commercial aerospace supply chain. This is not a technicality. It is a disqualifier for contract eligibility in most aerospace programs.

If you are evaluating which certification body to use → see Best ISO Certification Bodies — Ranked and Reviewed for 2026 for a full breakdown of accredited options.

If you are comparing AS9100 certification against your existing ISO 9001 scope → see ISO 9001 Certification Guide for how the two audit processes compare.er for contract eligibility.


Frequently Asked Questions

Where can I buy AS9100 Rev D officially?

AS9100 Rev D is published by SAE International and available through authorized resellers including the ANSI Webstore, SAE.org directly, and BSI Group. The ANSI Webstore is the recommended source for U.S. and international buyers — use code CC2026 for 5% off through December 31, 2026.

How much does AS9100 Rev D cost?

A single-user PDF runs approximately $200–$260 through most authorized resellers. Hardcopy editions are similarly priced. Multi-user PDFs run $400–$500, and enterprise licenses run $1,000–$1,800. Bundle pricing through ANSI reduces costs significantly when you’re purchasing multiple aerospace standards together.

Is AS9100 Rev D the same as ISO 9001?

No — but it contains all of ISO 9001:2015. AS9100 Rev D incorporates the full ISO 9001:2015 text and adds aerospace-specific requirements on top: product safety, counterfeit parts prevention, configuration management, first article inspection references, human factors, and expanded operational risk management. If you are certified to AS9100, you are also meeting ISO 9001 requirements — but not the reverse.

Should I wait for IA9100 before implementing AS9100?

No. AS9100 Rev D is the current, enforceable standard. IA9100 is expected in late 2026 with a transition window of approximately two to three years after publication. If your customers require AS9100 certification now, implement and certify to Rev D. You will transition to IA9100 when it’s published, as every currently-certified organization will need to do.

Can I share the AS9100 PDF with my whole team?

Not on a single-user license. Standard single-user PDF licenses do not permit multi-user access. If your implementation team needs simultaneous access, purchase a multi-user license. Using a single-user PDF across your organization is a license violation your registrar may flag during document control review — a finding you do not want going into Stage 1.

Do I need to buy AS9101 separately?

AS9101F (audit requirements) is used by your registrar, not your organization. You are not required to purchase it, but many quality managers find it useful for understanding what auditors will look for during Stage 1 and Stage 2 assessments. It’s available separately through ANSI.

What’s the difference between AS9100, AS9110, and AS9120?

AS9100 is for aerospace manufacturers. AS9110 is for aviation maintenance, repair, and overhaul organizations. AS9120 is for aviation distributors. Most companies in the aerospace manufacturing supply chain need AS9100. The standard you need is determined by your scope of work, not your customer’s preference.

Is a free version of AS9100 available anywhere?

No. There is no legally free version of AS9100 Rev D. Documents labeled “free AS9100 download” online are either counterfeit, illegally distributed, or are summaries rather than the full standard text. Your QMS must be built from the official, current document — auditors will ask to see your controlled copy.


📥 Free Resources for Aerospace QMS Implementation


Not Sure What to Do Next?

🔹 If you’re ready to buy the standard: AS9100 Rev D — ANSI Webstore — use code CC2026 for 5% off

🔹 If you need multiple standards: ANSI Standard Packages — up to 50% off bundles

🔹 If you need training before you implement: BSI Group — AS9100 Training Courses

🔹 If you’re not sure whether AS9100 applies to you: What Is AS9100? — Complete Guide

🔹 If you need to find an accredited registrar: Best ISO Certification Bodies — Ranked for 2026

🔹 If you want to check your gap before you commit: AS9100 Rev D Gap Assessment Checklist — free download

The Standards Navigator covers AS9100, ISO 9001, ISO 13485, and the full range of standards affecting aerospace, manufacturing, and defense supply chains. If you found this useful, there’s more where it came from.


Stay Ahead of AS9100 and IA9100 Changes

The IA9100 transition is coming. When it publishes, certified organizations will have a limited window to update their QMS. Subscribers to The Standards Navigator get clause-level breakdowns, implementation guidance, and audit prep resources delivered directly — before the deadline pressure hits.

👉 Subscribe below and get the AS9100 Rev D Gap Assessment Checklist free. Know exactly where your QMS stands before your next audit.

Subscribe

* indicates required

CAPA Requirements in ISO 13485 (2026)

CAPA under ISO 13485 is more than corrective action paperwork. Learn what auditors and FDA investigators actually evaluate, common CAPA failures, Clause 8.5 requirements, effectiveness verification expectations, and how CAPA now fits into modern QMSR inspection strategy.

What the FDA’s newest inspection data reveals about where medical device manufacturers are still getting it wrong — and how to close the gaps before your next audit.

Last Updated: May 2026


Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items covering ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.


The FDA Just Changed How It Measures Your CAPA System — And Most Manufacturers Haven’t Noticed

CAPA was the undisputed number-one FDA 483 finding for years. Not close. Not rotating with other subsystems. Every year, far and away.

That changed in 2026.

Three months of QMSR inspection data is in. Risk management documentation under Clause 7.1 now sits at number one — 25 citations. CAPA-related findings come in at 19 combined. On paper, that looks like good news. It isn’t — at least not entirely.

Here’s the nuance that matters: the inspection model changed. Under the old QSIT system, abbreviated inspections hit CAPA almost every single time. Other subsystems cycled in less frequently. CAPA’s dominance was partly an artifact of inspection structure, not a clean picture of where the industry actually struggled.

The new model looks at everything — every subsystem, every inspection. The categorization changed too. Under the old QSR, all CAPA requirements bundled into one code. Now they fragment. Two separate 8.5.2 entries already appear in the first dataset. CAPA didn’t disappear. The field just got wider.

If you’re managing a QMS for a medical device manufacturer, that means more exposure, not less.


In This Guide

  • What ISO 13485 Clause 8.5.2 actually requires — and what most procedures miss
  • The six mandatory data inputs for your CAPA process under Section 8.4
  • Why the InfuTronix case is the most instructive FDA enforcement example in recent years
  • The difference between measurement and analysis — and why confusing them causes most failures
  • How horizontal analysis works and why auditors look for it specifically
  • Common misconceptions that lead to major nonconformances
  • What to do before your next surveillance audit


Start Here (Top Resources)

🔖 Get ISO 13485:2016 → ANSI Webstore — ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.

🔖 Get ISO 13485 training → BSI Group — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

🔖 Build your CAPA documentation → 9001Simplified — 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.

🔖 Pursue or maintain ISO 13485 certification → ISOQAR — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.

Browse the Standards Library to identify which standards apply to your compliance area, or view the most widely used standards in medical devices and manufacturing.


What Is CAPA Under ISO 13485?

CAPA cycle diagram showing ISO 13485 Clause 8.5.2 corrective action and Clause 8.5.3 preventive action steps: Identify, Prevent, Monitor, Improve, Correct, Root Cause
CAPA under ISO 13485 follows a closed-loop process: identify issues, determine root cause, implement corrective action, monitor effectiveness, and prevent recurrence through continual improvement.

CAPA — Corrective and Preventive Action — is the mechanism your QMS uses to identify problems, trace them to root cause, and prevent recurrence. Under ISO 13485:2016, CAPA spans two clauses: Clause 8.5.2 (corrective action) and Clause 8.5.3 (preventive action). They operate differently and auditors evaluate them separately.

Corrective action addresses a nonconformity that has already occurred. Preventive action addresses a potential nonconformity that has not yet materialized. The distinction matters because the procedures, triggers, and documentation requirements differ between them.

ISO 13485 places CAPA in the broader context of Clause 8.5, which also covers continual improvement. But the practical application of CAPA runs deeper — it pulls from data collected across Clause 8.4 (analysis of data) and connects to management review, internal audits, and post-market surveillance. A CAPA procedure that treats the clause as standalone almost always fails at audit.

Under the QMSR (Quality Management System Regulation), which took effect February 2, 2026, FDA now explicitly harmonizes its device QMS requirements with ISO 13485. CAPA requirements that previously lived in 21 CFR Part 820.100 now map directly to ISO 13485 Clause 8.5.2. FDA expects those requirements to be met — and QMSR inspections are actively evaluating them.


What Clause 8.5.2 Actually Requires

Clause 8.5.2 sets out six specific requirements for corrective action. Each one has a documentation implication.

1. Review nonconformities — including customer complaints. This means your CAPA trigger list must include complaint data, not just internal defect records. If complaints are logged in one system and CAPA is managed in another, there needs to be a formal connection between them. Auditors check that connection.

2. Determine the causes of nonconformities — root cause analysis is not optional. Documenting “operator error” or “process deviation” without supporting evidence of how that conclusion was reached is a common major nonconformance. You need a documented methodology — 5 Whys, fishbone, fault tree — and evidence it was applied.

3. Evaluate the need for corrective action — not every nonconformity requires a CAPA. The standard requires you to evaluate and document that decision. Organizations that open a CAPA for every minor deviation create administrative burden; organizations that never document the decision to not open a CAPA create audit vulnerability.

4. Determine and implement corrective action — the action must be proportionate to the effects of the nonconformity. This means documented implementation, not just a description of what was planned.

5. Record results of corrective action — effectiveness verification is required. You must demonstrate that the action you took actually resolved the problem. A corrective action record that closes without verification evidence is not compliant.

6. Review corrective action and its effectiveness — this step loops back into your data analysis process. If the same problem recurs, your record should capture that recurrence and the updated response.

The 2026 QMSR inspection data showing two separate 8.5.2 citations reflects how inspectors are now parsing these requirements individually. A finding against root cause determination is a different citation from a finding against effectiveness verification.

At this point, most quality managers in this position should: → Confirm your CAPA procedure addresses all six elements explicitly — and that your records can demonstrate compliance with each one. Get the ISO 13485 Gap Assessment Checklist to verify your current gaps across all 13485 clauses.


The Six Data Inputs for Section 8.4

Clause 8.4 requires you to analyze data from specific sources to drive CAPA and continual improvement. The standard names six:

Data SourceWhat It Covers
FeedbackCustomer complaints, post-market surveillance data, service reports flagged by users
Product conformityInspection results, test data, nonconforming product records
Process and product trendsStatistical process control, yield trends, recurring deviations
Supplier performanceSupplier nonconformances, delivery performance, qualification data
Audit resultsInternal audit findings, certification body findings, customer audits
Service reportsField service records, repair data, failure modes reported post-delivery

Your CAPA procedure must document how data from each of these sources is collected, reviewed, and used to make CAPA decisions. The piece most manufacturers skip entirely is what experienced quality practitioners call horizontal analysis — looking across your data sources, not just within them.


The Analysis Failure: What InfuTronix Got Wrong

The InfuTronix case is the most instructive CAPA enforcement example to come out of FDA inspection activity in recent years. It illustrates the most common failure mode — and it isn’t what most people expect.

InfuTronix had a rule written directly into their CAPA procedure: ten complaints in a rolling 12-month window triggers a CAPA. Simple enough. Documented. Auditable on its face.

Between September 2020 and August 2021, they received 80 complaints reporting power issues, 31 for battery failures, and 67 for leaking administration sets. Not one CAPA was opened.

This was not a data collection failure. The complaints were logged. The threshold was documented. The system simply never connected what was being measured to what that data actually meant.

That is an analysis failure — and it is the most common one FDA finds.

Measurement gets you the number. Analysis tells you what to do with it.

ISO 13485 Section 8.4 requires both, and your procedure needs to address the full cycle: collect the data, analyze it against defined criteria, and produce a documented decision. The decision can be: open a CAPA, escalate to management review, or continue monitoring. All three are defensible. No decision — or a decision made without documentation — is not.

FDA found all of this during inspection. The warning letter that followed cited failure to establish and maintain procedures for implementing corrective action under 21 CFR 820.100(a). Under QMSR, that same finding maps directly to ISO 13485 Clause 8.5.2.

Source: FDA Warning Letter, InfuTronix LLC, June 16, 2022. Available at fda.gov.

ISO 13485 Section 8.4 infographic showing the measurement and analysis cycle with a process flow from data collection to analysis, documented decision making, and outcomes including CAPA, management review, or continued monitoring.
Measurement gets you the number. Analysis determines the response. Under ISO 13485 Section 8.4, organizations must collect data, analyze it against defined criteria, and document a defensible decision.

📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items covering ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.


Horizontal Analysis: The Step Most QMS Procedures Skip

Vertical analysis — reviewing data within a single source — is what most CAPA procedures are built around. You run through complaints. You run through audit findings. You check supplier nonconformances. Each in its own silo.

Horizontal analysis means looking across those sources simultaneously — specifically for patterns that only become visible when you connect the data.

A complaint spike in Q2 means something different when it aligns with a supplier nonconformance from the same quarter. A field failure pattern means something different when it correlates with a process change implemented three months prior. A rising service report trend means something different when internal inspection data for the same product shows clean numbers — because that combination suggests the problem is post-delivery, not in-process.

These cross-source connections are where real problems get caught before FDA finds them. They are also where most QMS procedures have no documented methodology whatsoever.

Your CAPA procedure should require a formal cross-source review at defined intervals — typically aligned with management review. The review should produce a documented output: either a CAPA trigger, a decision to continue monitoring with rationale, or escalation to a different quality subsystem.

Certification bodies increasingly audit for this specifically. The question is not just “do you have a CAPA procedure?” It’s “does your analysis process look across all six data sources and produce a documented decision?”


➡️ ANSI Webstore — Get ISO 13485:2016, the standard your CAPA procedure must align with. ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.


Common CAPA Misconceptions

“A CAPA is only needed when something goes seriously wrong.”

The standard doesn’t set a severity threshold for opening a CAPA — it requires a documented decision about whether a nonconformity warrants one. The mistake isn’t opening too many CAPAs. It’s failing to document the evaluation. Auditors don’t penalize organizations for opening few CAPAs; they penalize organizations that can’t show they evaluated the data and made a deliberate decision.

“Closing the CAPA once the action is implemented is sufficient.”

Clause 8.5.2 requires effectiveness verification — evidence that the corrective action actually resolved the problem. Closing a CAPA at implementation is one of the most consistently cited findings in ISO 13485 surveillance audits. Effectiveness verification must be documented, must use defined criteria, and must happen at a point in time when there is enough post-implementation data to draw a conclusion.

“Our CAPA system is separate from complaint handling and that’s fine.”

It isn’t. The connection between complaint data and CAPA decisions must be explicit and documented. A complaint handling procedure that logs data and a CAPA procedure that never receives it create exactly the kind of system failure the InfuTronix case illustrates. If there is no formal handoff between your complaint system and your CAPA trigger evaluation, that gap will be found.


What Auditors Look For in CAPA Reviews

Whether the auditor is from a certification body or an FDA investigator conducting a QMSR inspection, the CAPA review follows a consistent pattern. Understanding it in advance is the most effective preparation.

They start with your procedure. They read it. They look for whether it covers all six elements of Clause 8.5.2 and whether it explicitly addresses the six data inputs from Clause 8.4. Gaps in the procedure are flagged before they look at a single record.

They pull a sample of CAPA records. Typically 3–5 for a surveillance audit, more for initial certification or for-cause inspections. They are looking for: documented root cause methodology, proportionality between the action and the finding, effectiveness verification with criteria and evidence, and closure only after verification.

They look for records that should exist but don’t. This is where analysis failures surface. If complaint data shows a spike and no CAPA was opened, the auditor will ask for the documented decision that concluded no CAPA was needed. If that document doesn’t exist, that is a finding — regardless of whether the decision was actually reasonable.

They check the connection between data sources. Does your management review input include CAPA status? Does your internal audit program look at CAPA effectiveness? Does complaint data flow into your trend analysis? These connections are evaluated systematically.

They review effectiveness verifications. A CAPA closed with “action implemented — problem resolved” and no supporting data is a major nonconformance. Effectiveness verification requires defined criteria established before the action is taken, a monitoring period, and data that demonstrates the criteria were met.

ISO 13485 CAPA audit review infographic showing the key areas auditors evaluate during certification and FDA inspections, including procedures, CAPA records, missing records, data connections, and effectiveness verification.
CAPA audits follow a predictable path. Auditors review procedures, sample records, process connections, and effectiveness evidence to determine whether your system is functioning as designed.

If you are preparing for a certification audit or a QMSR inspection, the FDA QSR vs ISO 13485 (QMSR Transition Guide) is the clearest resource available on how the two frameworks now align.

If you are building CAPA procedures from scratch or rewriting existing ones, the What Is ISO 13485? pillar article covers the full clause-by-clause context you need before the documentation work begins. For a complete breakdown of how ISO 13485 and FDA QMSR requirements interact at the clause level, see ISO 9001 vs ISO 13485.

If you are under active FDA inspection pressure → Get BSI Group ISO 13485 training and ISOQAR certification support immediately. BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally. ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.

ProviderWhat You GetBest For
ANSI WebstoreISO 13485:2016 official standard documentAny organization needing the controlled, compliant version of the standard
BSI GroupISO 13485 training coursesTeams preparing for implementation, audit readiness, or CAPA procedure development
9001SimplifiedQMS documentation kitsOrganizations building CAPA and QMS documentation from scratch
ISOQARISO 13485 certificationOrganizations ready to pursue or maintain certification

Most organizations at this stage need all three:

This combination covers the standard, the knowledge, and the implementation infrastructure.


Frequently Asked Questions

What does ISO 13485 require for CAPA?

ISO 13485 Clause 8.5.2 requires a documented procedure that covers reviewing nonconformities, determining root causes, evaluating the need for action, implementing corrective action proportionate to the problem, recording results, and verifying effectiveness. Preventive action under Clause 8.5.3 follows a parallel structure for potential — not actual — nonconformities.

What is the most common CAPA finding in ISO 13485 audits?

Failure to verify the effectiveness of corrective actions is consistently the most common major nonconformance in surveillance audits. The second most frequent is incomplete root cause analysis — particularly records that name a root cause without showing the methodology used to reach that conclusion.

How many CAPAs should a medical device manufacturer open per year?

There is no target number. A small manufacturer with a mature QMS might open fewer than ten CAPAs annually and pass every audit. What auditors evaluate is whether the documented decision-making process is defensible — not the volume of CAPAs opened. If you are in a situation where your data shows patterns and no CAPAs are being opened, the risk is high regardless of company size.

Does CAPA under QMSR differ from CAPA under the old QSR?

The substance is largely the same. The significant change is that QMSR now explicitly adopts ISO 13485 Clause 8.5.2 as the governing framework, and inspections evaluate every subsystem — not just CAPA, as abbreviated QSIT inspections frequently did. Two separate 8.5.2 citations already appear in early QMSR inspection data, reflecting more granular evaluation of individual requirements within the clause. Read the full FDA QSR vs ISO 13485 Transition Guide for a complete breakdown.

What is the difference between corrective action and preventive action in ISO 13485?

Corrective action (Clause 8.5.2) addresses a nonconformity that has already occurred. Preventive action (Clause 8.5.3) addresses a potential nonconformity that trend data or risk analysis suggests may occur. The distinction is more than semantic — auditors evaluate them separately, the documentation requirements differ, and the trigger criteria for each should be explicit in your procedure.

Can we use a single CAPA form for both corrective and preventive actions?

Yes — many organizations use a combined form with fields that distinguish the type of action. What matters is that the record clearly identifies whether the action is corrective or preventive, that the corresponding clause requirements are addressed, and that the effectiveness verification criteria are appropriate for the action type.

What data sources must feed our CAPA process under ISO 13485?

Clause 8.4 identifies six: feedback (including complaints), product conformity data, process and product trends, supplier performance, audit results, and service reports. Your CAPA procedure should document how each source is reviewed, at what frequency, and how that review produces documented CAPA decisions. If you are using the ISO 13485 Gap Assessment Checklist, the data analysis section will identify exactly where your current procedure has gaps.

How long do we need to keep CAPA records?

ISO 13485 Section 4.2.5 requires records to be retained for a period at least equal to the lifetime of the device, but not less than two years from the date of product release. FDA QMSR requirements align with this. For implantable devices or devices with extended service life, the retention period is typically longer and should be specified in your records control procedure.


Free Resources

📋 Free Download: Manufacturing Compliance Checklist — ISO 9001, 14001, 45001 & OSHA — 50 items with gap scoring across all systems.

📋 Free Download: Supplier Quality Checklist — ISO 9001 Clause 8.4 — all supplier controls auditors evaluate, 45 items with scoring.

📋 Free Download: ISO 9001 Implementation Roadmap — The exact 5-phase process from gap assessment to Stage 2 audit clearance.

📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items — ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.


Not Sure What to Do Next?

→ You need the official ISO 13485:2016 standard → ANSI Webstore — Use CC2026 for 5% off. ANSI is the official U.S. distributor of ISO standards.

→ You need to understand how your CAPA requirements changed under QMSR → FDA QSR vs ISO 13485 Transition Guide

→ You need to train your team on ISO 13485 CAPA requirements → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses.

→ You need to build CAPA documentation from scratch → 9001Simplified Documentation Kits — 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS.

→ You are ready to pursue ISO 13485 certification → ISOQAR — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.

→ You want to assess your full ISO 13485 gaps before spending anything → ISO 13485 Gap Assessment Checklist — free, 64 items

→ You need to understand what ISO 13485 covers before addressing CAPA specifically → What Is ISO 13485?

→ You need to understand how risk management connects to CAPA → What Is ISO 14971? and ISO 14971 vs ISO 13485

→ You need to compare ISO 13485 to ISO 9001 to understand CAPA differences → ISO 9001 vs ISO 13485

→ You want to buy ISO 13485 → Buy ISO 13485

→ You want to browse all medical device standards in one place → explore sector-specific standards or browse standards by compliance area


Still figuring out where to start?

If you are not ready to purchase yet — that is normal. ISO 13485 CAPA decisions typically take weeks from first research to implementation commitment.

The best next step for most organizations at this stage: → Download the free ISO 13485 Gap Assessment Checklist — it takes 20 minutes and tells you exactly where your CAPA and QMS gaps are before you spend anything.

📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items — ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.


The Cost of an Analysis Failure

CAPA is not a form. It is not a procedure sitting in your document management system. It is the mechanism that connects everything your quality system measures to everything your quality system does about it. When that connection breaks — when data is collected, thresholds are documented, and no one asks what the numbers actually mean — FDA finds it. Certification bodies find it. And devices reach the field with problems that could have been caught.

The InfuTronix case isn’t an outlier. Organizations that receive 483 observations for CAPA failures almost always had a procedure. What they didn’t have was an analysis process that produced documented decisions. That gap is what inspection finds — and it’s the gap that costs the most to recover from after the fact.

Under QMSR, the inspection model is now broader. Every subsystem, every inspection. CAPA didn’t disappear from the top of the finding list — it fragmented into more specific citations. That means more exposure, not less.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

Subscribe

* indicates required

Buy ISO 14971:2019 — Official PDF & Print Sources (2026 Guide)

Where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and why purchasing from an authorized source is non-negotiable for medical device risk management — including why the superseded 2007 edition still circulating online creates real certification and regulatory risk.

Where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and why purchasing from an authorized source is non-negotiable for medical device risk management.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


📥 Free ISO 13485 & ISO 14971 Implementation Checklist — Confirm you have every required risk management document before your first certification audit. → [Download Free Checklist]


ISO 14971 Is No Longer Optional for Medical Device Manufacturers

ISO 14971:2019 was already the international standard for medical device risk management. Since February 2, 2026, it carries additional weight: the FDA’s Quality Management System Regulation (QMSR) incorporated ISO 13485:2016 by reference — and ISO 13485 explicitly requires risk management per ISO 14971. That means ISO 14971 is now embedded in U.S. regulatory expectations for every manufacturer subject to 21 CFR Part 820.

FDA investigators operating under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap — following risk documentation into design controls, CAPA, supplier qualification, and post-market surveillance. If your risk management program is not built on ISO 14971, that gap will surface under QMSR inspection.

This guide covers exactly where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and what to watch out for when purchasing.

⚠️ The QMSR compliance date has passed (February 2, 2026). Organizations that have not yet integrated ISO 14971 across their quality system are operating with a gap that FDA inspectors are actively evaluating.


In This Guide

  • What ISO 14971:2019 is and what changed from the 2007 edition
  • Which edition you need — 2019 vs 2007
  • Where to buy the official standard from authorized sources
  • Available formats — PDF, print, multi-user, and bundles
  • How much ISO 14971:2019 costs
  • Who needs to purchase the standard
  • What ISO 14971 does NOT include
  • Common purchasing mistakes to avoid
  • Related standards you will also need


👉 Start Here (Top Resources)

👉 Purchase the official ISO 14971:2019 standard — the current edition for all medical device risk management programs → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026. ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits.

👉 Purchase the required companion — ISO 13485:2016 → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off. ISO 14971 cannot be implemented in isolation — it is a required companion to ISO 13485 and must be purchased and controlled as an external document within your QMS.

👉 Save up to 50% buying both standards together → ISO Standards Packages — ANSI Webstore — the most cost-effective option for organizations purchasing ISO 14971 alongside ISO 13485 and related standards.

👉 Get ISO 13485 training covering risk management requirements → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

👉 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification — ISOQAR is a UKAS-accredited certification body, one of the most recognized in the industry for ISO 13485 certification.


What Is ISO 14971:2019?

Feature image for an ISO 14971 guide showing medical device risk management concepts, lifecycle risk controls, and the relationship between ISO 14971, ISO 13485, and FDA QMSR requirements.
ISO 14971 is the required risk management framework for medical devices, embedding risk analysis and control throughout the product lifecycle and supporting ISO 13485 and FDA QMSR compliance.

ISO 14971:2019 — Medical Devices: Application of Risk Management to Medical Devices — is the international standard defining the process for identifying hazards associated with medical devices, estimating and evaluating associated risks, controlling those risks, and monitoring the effectiveness of those controls throughout the device lifecycle.

The standard is published by the International Organization for Standardization and is recognized globally as the baseline risk management framework for medical device manufacturers. It applies to all device classes — from Class I low-risk devices through Class III implantables — and to every organization involved in the device lifecycle: manufacturers, component suppliers, contract manufacturers, and service providers.

ISO 14971 does one thing with precision: it defines a formal, documented, lifecycle-integrated process for managing risk in medical device development and manufacturing. Nothing else in the ISO 13485 framework tells you how to manage risk — that is ISO 14971’s job.

Key updates in the 2019 edition include clarified terminology aligned with ISO/IEC Guide 63, updated requirements for risk management plan documentation, strengthened requirements for production and post-production information, and enhanced guidance on benefit-risk analysis. The 2019 edition also removed references to ALARP (As Low As Reasonably Practicable) — replacing it with a more precise framework for determining risk acceptability. For the complete breakdown of what the standard requires, see What Is ISO 14971? — Complete Guide.


ISO 14971:2019 vs ISO 14971:2007 — Which Do You Need?

SituationEdition to Purchase
New risk management program — first implementationISO 14971:2019
Currently using ISO 14971:2007 — planning updateISO 14971:2019
Pursuing ISO 13485 certificationISO 14971:2019
Subject to FDA QMSR (21 CFR Part 820)ISO 14971:2019
EU MDR technical documentationISO 14971:2019
Researching risk management before committingISO 14971:2019

The answer in every case is ISO 14971:2019. The 2007 edition has been superseded. ISO 13485:2016 references ISO 14971 — and certification bodies audit against the current edition. The QMSR regulatory expectation is built on ISO 13485:2016, which requires current-edition conformance.

If your organization is still operating a risk management program built on ISO 14971:2007, purchasing the 2019 edition and conducting a gap assessment is your first step. The changes are substantive enough that a documented gap assessment is expected before your next certification audit.

ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026


Where to Buy ISO 14971:2019 — Official Sources Only

ISO standards are copyrighted intellectual property. They are not available as free downloads and must be purchased from authorized distributors. Every “free ISO 14971 PDF” circulating online is an unauthorized copy — typically an outdated 2007 edition, an incomplete document, or an altered version. Using an unauthorized copy for risk management program development introduces certification risk and potential regulatory exposure simultaneously.

Certification bodies audit against the precise wording of the current official standard. A risk management file built from an outdated or incomplete copy will generate nonconformances — costing far more in audit findings and corrective action cycles than the official document.

ProviderWhat You GetPrice RangeBest ForLink
ANSI WebstoreOfficial current edition, immediate PDF delivery, audit-accepted$150–$200U.S.-based organizations — official distributor, CC2026 coupon availableBuy Here
ISO.org StoreOfficial current edition directly from publisher$158–$198International buyers outside the U.S.iso.org/store
ANSI Bundle PackageISO 14971 + ISO 13485 + related standards$300–$500Organizations purchasing multiple medical device standards — significant savingsBundle Here
Where to buy ISO standards comparison showing ANSI Webstore, ISO Store, and other resellers with pros and risks
Compare ANSI, ISO, and other sources to safely buy ISO standards for certification and compliance

ANSI Webstore is the recommended source for U.S.-based organizations. ANSI is the official U.S. distributor of ISO standards — purchasing through ANSI guarantees the current edition, complete document, licensed PDF with immediate delivery, and a recognized distributor credential accepted by all certification bodies and regulatory authorities.

→ Use coupon code CC2026 for 5% off ISO and IEC standards at the ANSI Webstore through December 31, 2026

At this point, most organizations purchasing ISO 14971 for the first time should: → Purchase the bundle including ISO 13485:2016 and ISO 14971:2019 together from ANSI Standard Packages — the savings over individual purchases typically cover the cost of training materials, and you need both documents on hand before implementation begins.


ISO 14971 Formats Available

FormatPrice RangeBest ForNotes
Single-user PDF$150–$200Individual quality managers and risk managersImmediate delivery, searchable — cannot be shared simultaneously
Printed copy$170–$220Risk management teams, controlled document environmentsUseful for annotating during implementation — slightly higher cost
Multi-user licenseContact ANSIOrganizations with multiple simultaneous usersRequired if multiple team members need access at the same time
Bundle with ISO 13485$300–$500Any organization implementing ISO 13485Best value — you need both; bundle saves 30–50% vs individual

Single-user PDF is the most common choice for quality managers implementing risk management programs. It is immediately accessible after purchase, searchable by clause number, and sufficient for a single implementer building the risk management framework.

Important licensing rule: A single-user PDF license cannot legally be shared across your organization. If your risk management team, design engineers, and regulatory affairs personnel all need simultaneous access, a multi-user license is required. Sharing a single-user PDF via email or shared drive violates the license terms — a detail that is often overlooked during implementation and can create legal exposure.

If you are implementing both ISO 14971 and ISO 13485, purchase them as a bundle. You will need both on hand from day one of your gap assessment — and the bundle consistently saves more than the coupon alone.

ISO Standards Packages — Save up to 50%


How Much Does ISO 14971:2019 Cost?

ItemTypical PriceNotes
Single-user PDF$150–$200Standard purchase from ANSI Webstore
Printed copy$170–$220Physical copy for reference
Multi-user licenseVariesContact ANSI for pricing
Bundle: ISO 14971 + ISO 13485$300–$500Saves 30–50% vs individual purchase
Bundle: ISO 14971 + ISO 13485 + ISO 13485 collection$350–$600Full medical device standards set

Use coupon CC2026 for 5% off at ANSI through December 31, 2026 → Apply at ANSI

In the context of total ISO 13485 certification costs — which range from $15,000 to $100,000+ for most organizations — the ISO 14971 standard purchase is the lowest-cost line item in your entire budget. It is also the one with the highest leverage on audit outcomes. A risk management file built from the correct current edition is foundational. Everything else in your QMS depends on it.

For the complete ISO 13485 certification cost breakdown, see How Much Does ISO 13485 Cost?


Who Needs to Purchase ISO 14971?

ISO 14971:2019 must be purchased by anyone responsible for building, implementing, auditing, or maintaining a medical device risk management program. Specifically:

Risk managers and quality managers building a risk management program from scratch or updating from ISO 14971:2007 — the standard is the only authoritative source for what the process requires. Implementing from a summary or training slide deck rather than the official document is one of the most common reasons risk management files fail certification audits.

Design engineers and product development teams at organizations with design responsibility — risk management under ISO 14971 begins at design input and runs through every design stage. Engineers performing hazard analysis, risk estimation, and risk control selection need the standard directly.

Internal auditors conducting ISO 13485 internal audits — you cannot audit risk management effectiveness against a standard you have not read. Clause 7.1, 7.3, and the full risk management integration requirements across ISO 13485 require familiarity with ISO 14971 clause requirements.

Regulatory affairs professionals preparing FDA QMSR compliance documentation or EU MDR technical files — both regulatory frameworks expect ISO 14971 conformance, and regulatory submissions are evaluated against the standard’s exact requirements.

Organizations currently certified to ISO 14971:2007 planning their 2019 edition gap assessment — purchasing the 2019 edition is step one. The gap assessment cannot be conducted without it.

If you are at this stage:

If you are a quality manager building your first ISO 14971-based risk management program → purchase ISO 14971:2019 and ISO 13485:2016 together from ANSI Standard Packages, then enroll your team in BSI Group ISO 13485 Training before documentation development begins.

If you are currently ISO 14971:2007 compliant and planning your 2019 transition → purchase the 2019 edition, conduct a documented gap assessment focused on the ALARP removal, updated risk acceptability criteria, and post-production information requirements, and update your risk management plan before your next surveillance audit.

If you are a component supplier entering the medical device supply chain → your OEM customer will require ISO 14971-aligned risk management as part of supplier qualification. Purchase the standard before your first supplier audit.


What ISO 14971 Does NOT Include

Professional infographic illustrating what ISO 14971 does not include, highlighting exclusions such as device-specific risk acceptability criteria, clinical evaluation, implementation templates, and IEC 62304 software lifecycle requirements.
Understanding what ISO 14971 does not include is just as important as understanding what it does. The standard defines the risk management framework, but organizations remain responsible for implementation methods, clinical evaluation activities, and device-specific risk decisions.

Understanding what you are not buying is as important as understanding what you are.

ISO 14971 does not provide device-specific risk acceptability criteria. The standard defines the process for determining risk acceptability — it does not tell you what the acceptable residual risk level is for your specific device. That determination is your organization’s responsibility, informed by applicable regulations, clinical data, and the state of the art.

ISO 14971 does not replace clinical evaluation. Risk management and clinical evaluation are complementary but distinct requirements under ISO 13485 and EU MDR. ISO 14971 covers the risk management process — clinical evaluation has its own standards and guidance documents.

ISO 14971 does not provide implementation templates. The standard defines requirements — your organization must build the risk management plan, hazard identification tools, risk estimation worksheets, and risk control documentation. For ready-to-use ISO 13485 QMS documentation including risk management templates, see 9001Simplified Documentation Kits. 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.

ISO 14971 does not satisfy IEC 62304. Organizations developing medical device software need IEC 62304 — software lifecycle processes for medical devices — in addition to ISO 14971. The two standards work together but address different scopes.


Common Purchasing Mistakes to Avoid

Buying ISO 14971:2007 instead of ISO 14971:2019. The 2007 edition is superseded. Third-party sellers frequently carry outdated editions without clear disclosure. Always verify the edition year before completing a purchase. If a price seems unusually low, check the edition.

Downloading unauthorized copies. Every “free ISO 14971 PDF” found through a search engine is an unauthorized copy — typically the 2007 edition, an incomplete document, or an altered version. Using it for risk management program development introduces certification risk. The standard costs $150–$200. A major nonconformance at Stage 2 costs multiples of that in re-audit fees and timeline delays.

Purchasing without checking the edition date. Even on legitimate platforms, searching “ISO 14971” can surface the 2007 edition alongside the 2019 edition. Always confirm “ISO 14971:2019” before adding to cart.

Treating ISO 14971 as a design-only requirement. The most common QMSR and ISO 13485 gap is a risk management program that lives only in design files. Under QMSR, risk-based thinking extends across supplier qualification, production processes, CAPA, complaint handling, and post-market surveillance. Purchasing the standard is step one — reading Clauses 3, 8, and 9 in their entirety is what reveals the full scope of implementation required.

Sharing a single-user PDF with your team. A single-user license covers one user. Sharing via email or shared drive violates the license terms. If multiple team members need simultaneous access, purchase a multi-user license.

Purchasing ISO 14971 without ISO 13485. ISO 14971 does not stand alone in a medical device QMS context. It is a required companion to ISO 13485 — and you need both documents to implement either correctly. Purchase them together.

At this point, most organizations who have identified they need ISO 14971 should: → Purchase the ISO Standards Bundle including ISO 14971:2019 and ISO 13485:2016 together — this is the lowest-cost, most operationally complete starting point for any medical device risk management implementation.


Why Organizations Delay This — And What It Costs Them

The most common reason manufacturers delay purchasing ISO 14971 and building a compliant risk management program is the belief that it can be addressed “during the certification project.”

Here is what consistently happens instead:

Organizations that arrive at Stage 1 of their ISO 13485 certification audit without a documented, ISO 14971-based risk management program receive a major nonconformance — delaying Stage 2 by 3–6 months and adding $5,000–$15,000 in re-audit fees and consultant costs. The risk management file is one of the first things a certification body auditor reviews.

Under QMSR, the stakes are higher. FDA investigators under CP 7382.850 use the risk management file as their inspection roadmap. An absent or inadequate risk management program does not just generate a finding — it gives the inspector a thread to pull through design controls, CAPA, and supplier qualification simultaneously.

The organizations that move first — purchasing the standard, conducting the gap assessment, and building ISO 14971 integration across the QMS before the certification audit — consistently report shorter audit cycles, fewer findings, and lower total certification costs. The ones that treat risk management as a later step discover that it is actually the foundation everything else is audited against.

📥 Free ISO 13485 & ISO 14971 Implementation Checklist — Identify your top 5 risk management gaps before your certification audit. → [Download Free Checklist]


ISO 14971 does not operate in isolation. Organizations building a medical device QMS will need these companion standards:

StandardPurposeRelationship to ISO 14971Where to Buy
ISO 13485:2016Medical device QMS requirementsRequires ISO 14971 throughout — cannot be implemented without itANSI Webstore
ISO/TR 24971:2020Guidance on ISO 14971 applicationNon-mandatory companion — practical guidance on applying ISO 14971 requirementsANSI Webstore
IEC 62304Software lifecycle for medical devicesComplements ISO 14971 for software risk managementANSI Webstore
ISO 9001:2015General QMS foundationUseful reference for organizations building ISO 13485 on an existing ISO 9001 foundationANSI Webstore

Organizations implementing ISO 13485 for the first time should prioritize: ISO 14971:2019 + ISO 13485:2016. These two documents together define what your QMS must do and how risk must be managed within it.

Save up to 50% on ISO Standards Packages — ANSI Webstore


Frequently Asked Questions

What is ISO 14971:2019?

ISO 14971:2019 is the current edition of the international standard for risk management for medical devices. It defines the process for identifying hazards associated with medical devices, estimating and evaluating risks, implementing risk controls, and monitoring effectiveness throughout the device lifecycle. It is a required companion standard to ISO 13485:2016.

Is ISO 14971 required for ISO 13485 certification?

Yes — ISO 13485 explicitly requires risk management per ISO 14971 throughout the QMS. Certification bodies audit risk management processes against ISO 14971 requirements. Under the FDA’s QMSR, ISO 14971 conformance is embedded in U.S. regulatory expectations for all manufacturers subject to 21 CFR Part 820.

What is the difference between ISO 14971:2019 and ISO 14971:2007?

The 2019 edition clarified terminology, updated the risk acceptability framework by removing ALARP references, strengthened post-production information requirements, and enhanced benefit-risk analysis guidance. Any organization currently using the 2007 edition should conduct a gap assessment and transition to the 2019 edition before their next certification audit.

Where is the best place to buy ISO 14971:2019?

The ANSI Webstore is the recommended source for U.S. organizations — it is the authorized U.S. distributor for ISO standards and guarantees the current edition. Use coupon CC2026 for 5% off through December 31, 2026. → ISO 14971:2019 — ANSI Webstore

Can I share my ISO 14971 PDF with my design team?

No — a single-user PDF license cannot be shared simultaneously. If multiple team members need access at the same time, purchase a multi-user license or individual copies. Physically sharing a printed copy sequentially is permitted.

Do I need both ISO 14971 and ISO 13485?

Yes. ISO 14971 and ISO 13485 are required companions — neither can be fully implemented without the other. ISO 13485 defines your QMS framework; ISO 14971 defines how risk must be managed within it. Purchase them together for the best value. → ISO Standards Packages — Save up to 50%

Does ISO 14971 apply to software?

ISO 14971 applies to risk management for medical devices including software as a medical device (SaMD). For the software development lifecycle specifically, IEC 62304 is the companion standard. Risk management under ISO 14971 and software lifecycle management under IEC 62304 are intended to be implemented together.

What is ISO/TR 24971?

ISO/TR 24971:2020 is a technical report providing guidance on the application of ISO 14971. It is not a requirement — it is a non-mandatory companion document offering practical interpretation and application examples. Organizations new to ISO 14971 often find it valuable alongside the standard itself.

How much does ISO 14971:2019 cost?

A single-user PDF typically costs $150–$200 from the ANSI Webstore. Use coupon CC2026 for 5% off through December 31, 2026. Bundles including ISO 14971 with ISO 13485 offer savings of 30–50% compared to individual purchases.


📥 Free Resources

👉 Free ISO 13485 & ISO 14971 Implementation Checklist — Verify every required risk management document is in place before your certification audit 👉 Manufacturing Compliance Checklist — Assess your current compliance status across quality, environmental, and safety requirements 👉 Supplier Quality Checklist — Supplier qualification requirements applicable to medical device supply chains


Not Sure What to Do Next?

You need the official ISO 14971:2019 standardISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

You need the required companion standard ISO 13485:2016ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

You want to save buying both standards togetherSave up to 50% on ISO Standards Packages — ANSI Webstore

You need ISO 13485 training covering risk management requirementsBSI Group ISO 13485 Training

You are ready to pursue ISO 13485 certificationISOQAR ISO 13485 Certification

You want to understand what ISO 14971 requiresWhat Is ISO 14971? — Complete Guide

You want to understand the full FDA QMSR transitionFDA QSR vs ISO 13485: The Complete QMSR Transition Guide

You want to understand how ISO 9001 and ISO 13485 differISO 9001 vs ISO 13485 — Key Differences

You want to understand what ISO 13485 requiresWhat Is ISO 13485? — Complete Guide

You want to understand certification costsHow Much Does ISO 13485 Cost?ISO Certification Cost Calculator

You want to choose the right certification bodyBest ISO Certification Bodies — Ranked & Reviewed


Still figuring out where to start?

If you are not ready to purchase yet — that is normal. ISO 14971 implementation decisions typically take 2–4 weeks from first research to commitment as organizations assess their current risk management program against what certification auditors expect.

The best next step for most organizations at this stage: → Download the free ISO 13485 & ISO 14971 Implementation Checklist — it takes 20 minutes and tells you exactly where your gaps are before you spend anything.

📥 [Download Free Checklist]


The Standard That Makes Everything Else Auditable

ISO 14971 is not a box to check. It is the document that makes every other part of your medical device QMS auditable — design controls, CAPA, supplier qualification, complaint handling, and post-market surveillance all connect back to the risk management file when a certification auditor or FDA investigator starts pulling threads.

Organizations that purchase the official standard, read it completely, and build their risk management program against its actual requirements consistently report fewer findings, shorter audit cycles, and lower total certification costs. The ones that work from summaries, training slides, or outdated editions discover those shortcuts at the worst possible moment.

The standard costs $150–$200. A failed Stage 2 audit costs multiples of that. Buy the official edition.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

Subscribe

* indicates required

ISO 14971 vs ISO 13485: What’s the Difference and How Do They Work Together? (2026 Guide)

ISO 13485 requires risk management throughout the quality management system. ISO 14971 defines exactly how that risk management must be conducted. This guide covers the precise differences between the two standards, where they integrate clause by clause, and what the FDA’s QMSR means for both.

Last Updated: May 2026

ISO 13485 requires risk management. ISO 14971 defines how to do it. Understanding the precise relationship between these two standards — and what it means under the FDA’s QMSR — is the difference between a QMS that holds up under inspection and one that doesn’t.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


📋 Free Download: ISO 13485 Gap Assessment Checklist Identify your compliance gaps before your first audit — 64 items across 7 sections including ISO 14971 risk management integration and all four FDA QMSR bridge requirements. Download Free Checklist


ISO 13485 Tells You to Manage Risk. ISO 14971 Tells You How.

That single sentence is the most important thing to understand about the relationship between these two standards — and it’s the part most manufacturers either misread or oversimplify.

ISO 13485:2016 is a quality management system standard. It requires risk-based thinking throughout the QMS — in design and development planning, production controls, supplier controls, complaint handling, and post-market surveillance. It references ISO 14971 in a note to Clause 7.1. But it does not specify how risk management must be conducted. It tells you risk management is required. ISO 14971 tells you how to do it.

ISO 14971:2019 is a risk management standard. It provides the structured framework — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, risk management review, and post-production monitoring — that gives ISO 13485’s risk management requirements their practical content.

Together they form the twin pillars of medical device quality and safety assurance. Neither is complete without the other for a manufacturer operating in any major regulated market. And under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, the relationship between the two standards now carries federal regulatory weight.


In This Guide

  • What ISO 13485 covers and what it requires on risk
  • What ISO 14971 covers and what it adds
  • The key differences between the two standards
  • The precise points where ISO 13485 references ISO 14971
  • The important nuance about whether ISO 14971 is truly mandatory
  • How the FDA QMSR changes the practical answer to that question
  • How to implement both standards together
  • Which standard to buy first and why
  • Frequently asked questions


✅ Start Here (Top Resources)

📋 Buy ISO 13485:2016 (official standard) → ANSI Webstore — ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.

📋 Buy ISO 14971:2019 (required companion) → ANSI Webstore — Purchase both standards together for maximum savings. Use coupon CC2026 for 5% off.

📋 Save buying both standards → ISO Standards Bundles — Up to 50% Off — Purchasing ISO 13485 and ISO 14971 as a bundle through the ANSI Webstore saves significantly compared to individual purchases.

📋 Get ISO 13485 trained before implementation → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

📋 Get ISO 13485 certified → ISOQAR ISO 13485 Certification — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.


What Is ISO 13485?

Medical device quality management infographic showing ISO 13485 certification concept with medical equipment and headline “What Is ISO 13485? Complete Guide (2026)”.
ISO 13485 defines the quality management system requirements for medical device manufacturers, focusing on regulatory compliance, risk management, and consistent product quality.

ISO 13485:2016 is the international standard for quality management systems specific to the medical device industry. It specifies requirements for a QMS that enables an organization to consistently design, develop, produce, and deliver safe and effective medical devices and related services.

ISO 13485 is used as the baseline QMS framework by regulatory authorities and certification bodies in most major medical device markets — including Health Canada, the EU MDR, MDSAP, and since February 2, 2026, the FDA’s QMSR under 21 CFR Part 820.

ISO 13485 covers the full scope of quality management system requirements:

  • Context of the organization and QMS scope
  • Management responsibility, quality policy, and management review
  • Resource management — personnel, infrastructure, and work environment
  • Product realization — design and development, purchasing, production, and service provision
  • Measurement, analysis, and improvement — internal audits, complaint handling, CAPA, and corrective action

What ISO 13485 requires on risk: ISO 13485 requires risk-based thinking throughout the quality management system. Risk management must be planned as part of product realization (Clause 7.1), integrated into design and development (Clause 7.3), applied to supplier controls (Clause 7.4), and fed by post-market surveillance feedback (Clause 8.2). The standard references ISO 14971 explicitly in its Clause 7.1 note and implicitly throughout its design and development requirements.

What ISO 13485 does not do is specify the methodology for risk management. It does not define how to identify hazards, estimate risks, evaluate acceptability, or control residual risk. That is what ISO 14971 does.

For a complete overview of ISO 13485 requirements, see What Is ISO 13485? Complete Guide.


What Is ISO 14971?

ISO 14971:2019 is the international standard for the application of risk management to medical devices. It provides the structured methodology — terminology, principles, and process — for identifying hazards, estimating and evaluating risks, implementing risk controls, and monitoring risk throughout the entire device lifecycle.

ISO 14971 covers:

  • Risk management planning — scope, lifecycle phases, risk acceptability criteria
  • Hazard identification — under both normal use and fault conditions
  • Risk estimation — probability of harm and severity of harm
  • Risk evaluation — comparison against acceptability criteria
  • Risk control — priority order: design, protective measures, information for safety
  • Evaluation of overall residual risk — including benefit-risk analysis where required
  • Risk management review — pre-release review with identified reviewers
  • Production and post-production information — systematic feedback into the risk management file

What ISO 14971 adds beyond ISO 13485: While ISO 13485 says risk management is required throughout the QMS, ISO 14971 specifies exactly how that risk management must be structured, documented, and maintained. The Risk Management File (RMF) — the central documentation output of the ISO 14971 process — is the evidence base that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored effectiveness.

For a complete overview of ISO 14971 requirements, see What Is ISO 14971? Risk Management for Medical Devices Explained.

Feature image for an ISO 14971 guide showing medical device risk management concepts, lifecycle risk controls, and the relationship between ISO 14971, ISO 13485, and FDA QMSR requirements.
ISO 14971 is the required risk management framework for medical devices, embedding risk analysis and control throughout the product lifecycle and supporting ISO 13485 and FDA QMSR compliance.

ISO 14971 vs ISO 13485 — Key Differences

ElementISO 13485:2016ISO 14971:2019
Standard typeQuality management system standardRisk management standard
PurposeDefine QMS requirements for medical device manufacturersDefine the risk management process for medical devices
ScopeEntire quality management systemRisk management specifically
Risk coverageRequires risk-based thinking throughout QMSSpecifies how risk management must be conducted
Key outputCertified, compliant QMSRisk Management File (RMF)
CertificationCertifiable — third-party certification availableNot certifiable on its own
Published byISO Technical Committee 210 (ISO/TC 210)ISO Technical Committee 210 (ISO/TC 210)
Current editionISO 13485:2016ISO 14971:2019
Applies toManufacturers, suppliers, contract manufacturersAll organizations involved in device lifecycle
Risk methodologyNot specifiedSix-step structured process
Hazard analysisReferenced but not detailedDefined in detail
Risk Management FileNot specifiedRequired
Benefit-risk analysisNot addressedRequired when overall residual risk is unacceptable
Post-production monitoringAddressed through complaint handling and feedbackExplicitly required as ongoing RMF input
QMSR statusIncorporated by reference into 21 CFR Part 820Expected framework; referenced through ISO 13485

Best for:

  • ISO 13485: Any organization that designs, manufactures, or supplies medical devices and needs a certified quality management system
  • ISO 14971: The same organizations — it provides the risk management methodology that ISO 13485’s requirements assume is in place

Where ISO 13485 References ISO 14971

Infographic mapping ISO 13485 clauses to corresponding ISO 14971 risk management requirements, showing how quality management processes trigger risk management activities across the medical device lifecycle.
ISO 13485 establishes quality system requirements, while ISO 14971 provides the risk management framework that connects planning, design, purchasing, feedback, and improvement activities throughout the medical device lifecycle.

ISO 13485 references ISO 14971 at specific points throughout its clause structure. Understanding exactly where these references occur is critical for building a compliant integrated system.

Clause 7.1 — Planning of Product Realization

Clause 7.1 requires that risk management activities be planned as part of product realization. The note to this clause states: “Further information can be found in ISO 14971.” This is the most direct reference to ISO 14971 in the standard.

Clause 7.3 — Design and Development

The design and development requirements of ISO 13485 are where ISO 14971 integration is most intensive. Design inputs must include risk management outputs. Design verification and validation activities must address risks. The Design and Development File (DDF) must reference risk management records.

Clause 7.4 — Purchasing

ISO 13485 Clause 7.4 requires that purchasing controls be proportionate to the risk the external provider poses to the finished device. The extent of supplier qualification, incoming inspection, and monitoring is determined by risk — which requires a risk framework to apply.

Clause 8.2 — Monitoring and Measurement

Post-market surveillance and complaint handling data collected under Clause 8.2 must feed back into the risk management process. ISO 14971 Clause 11 (Production and Post-Production Information) specifies how this information must be systematically reviewed and how it triggers updates to the Risk Management File.

Clause 8.5 — Improvement

CAPA activities under Clause 8.5 must consider risk. Significant quality failures identified through corrective action must evaluate whether the risk management file needs to be updated — connecting the two standards at the improvement level of the QMS.

At this point, most organizations beginning ISO 13485 implementation should:

📋 Purchase both ISO 13485:2016 and ISO 14971:2019 together as a bundle — the clause-by-clause integration means implementing one without the other creates immediate documentation gaps that auditors will identify.

ISO Standards Bundle — ANSI Webstore — Save up to 50% purchasing both standards together


Is ISO 14971 Actually Mandatory Under ISO 13485?

This is one of the most debated questions in the medical device quality community, and the honest answer is more nuanced than most articles present.

The technical answer: ISO 14971 is not formally mandated by ISO 13485. The reference in Clause 7.1 is a note — informative guidance, not a normative requirement. A manufacturer could theoretically implement a risk management process using a different methodology and still demonstrate conformance to ISO 13485’s risk-based requirements.

The practical answer: In the real world, ISO 14971 is effectively mandatory for any organization pursuing ISO 13485 certification or operating in regulated markets. Here’s why:

Certification bodies expect it. When a UKAS-accredited certification body audits your ISO 13485 QMS, the auditors evaluating your risk management program will be assessing it against the ISO 14971 framework — because that is the internationally recognized methodology for medical device risk management. A risk management program that doesn’t follow ISO 14971’s structure will face significant findings regardless of the technical argument about normative versus informative references.

Regulatory bodies reference it. The EU MDR, Health Canada, TGA, and MDSAP all reference ISO 14971 as the expected risk management framework. Operating without it creates regulatory exposure in every major market.

FDA QMSR changes the equation significantly — which brings us to the most important development of 2026.


The QMSR Changes the Practical Answer

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820. Since ISO 13485 explicitly references ISO 14971, that reference now carries federal regulatory weight.

Under the FDA’s new inspection program — Compliance Program 7382.850 — FDA investigators are expected to start inspections by reviewing the risk management file and following risk documentation into other quality system areas. The risk management file is the inspection roadmap. If your risk management program is not structured against ISO 14971, your risk management file will not hold up under that inspection approach.

Additionally, the QMSR extended risk management expectations beyond design controls — where the old QSR concentrated them — to the entire quality system. This is precisely what ISO 14971 requires: risk management planning, hazard identification, risk control, and post-production monitoring integrated across the device lifecycle, not just in the design phase.

The bottom line under QMSR: Whether or not ISO 14971 is technically mandatory in the normative sense of ISO 13485, it is the framework FDA investigators will use to evaluate your risk management program. Operating without it under the current inspection regime is an inspection liability.

⚠️ QMSR effective February 2, 2026: If your risk management program is not built on the ISO 14971 framework, this is your highest-priority gap for QMSR compliance.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide.


How the Two Standards Work Together in Practice

The integration of ISO 13485 and ISO 14971 is not a separate parallel process — it is woven into how the QMS functions. Here is how the two standards interact at each stage of the device lifecycle:

Concept and Planning Stage

ISO 13485 Clause 7.1 requires risk management to be planned as part of product realization. ISO 14971 provides the Risk Management Plan — the document that defines scope, lifecycle phases, risk acceptability criteria, and the methods that will be used throughout the device’s life.

Design and Development

ISO 13485 Clause 7.3 requires design inputs to include risk management outputs and design outputs to be reviewed against inputs. ISO 14971 provides hazard identification and risk analysis — the outputs of which flow directly into design input requirements, design verification criteria, and design validation protocols.

Purchasing and Supplier Controls

ISO 13485 Clause 7.4 requires supplier controls proportionate to supplier risk. ISO 14971’s risk framework defines what “risk” means in this context — the severity and probability of harm that could result from supplier failures. Risk level drives supplier classification, incoming inspection intensity, and qualification requirements.

Production

ISO 13485 Clause 7.5 requires controlled production conditions and validation of special processes. Risk management under ISO 14971 determines which processes require validation (those where outputs cannot be fully verified) and what monitoring is required during production.

Post-Market Surveillance and CAPA

ISO 13485 Clause 8.2 requires systematic collection of post-market information. ISO 14971 Clause 11 requires that production and post-production information be systematically reviewed and fed back into the risk management file. When complaint data or CAPA findings reveal new hazards or indicate that risk estimates were incorrect, the Risk Management File must be updated.

This is where the most common gap exists in practice: organizations that treat risk management as a design-phase deliverable and do not maintain the connection between post-market data and the risk management file. Under QMSR, this gap is visible to FDA investigators within the first day of an inspection.

📋 Free Download: ISO 13485 Gap Assessment Checklist Section 6 covers ISO 14971 risk management integration specifically — risk management plan requirements, RMF structure and completeness, post-production feedback, and QMSR inspection implications. Download Free Checklist


The Risk Management File — Where They Intersect Most Clearly

Infographic comparing ISO 9001 risk-based thinking with ISO 13485 and ISO 14971 medical device risk management requirements using an integrated Venn diagram layout.
Both standards require risk management — but the depth and formality differ significantly. ISO 9001 uses general risk-based thinking, while ISO 13485 requires formal medical device risk management aligned with ISO 14971 throughout the product lifecycle.

The Risk Management File (RMF) is the single most important integration point between ISO 13485 and ISO 14971. It is the documentation output of the ISO 14971 process, and it is the record that connects risk management to every other element of the ISO 13485 QMS.

The RMF is not a single document. It is an organized collection of records that includes:

  • Risk Management Plan — scope, lifecycle phases, acceptability criteria, methodology
  • Risk analysis records — hazard identification, risk estimation
  • Risk evaluation records — comparison against acceptability criteria
  • Risk control records — selected measures, implementation records, verification
  • Overall residual risk evaluation — benefit-risk analysis where required
  • Risk Management Review — pre-release review with identified reviewers
  • Post-production information records — systematic review of real-world performance data

Under ISO 13485, the DDF (Design and Development File) must contain or reference risk management records. Under the QMSR and CP 7382.850, the RMF is where FDA investigators begin their inspection — tracing risk documentation into design controls, CAPA, complaint handling, and post-market surveillance.

A Risk Management File that was completed at device release and has not been updated since is one of the most common and most significant findings under the current inspection approach. The RMF is a living document. It must be updated throughout the device’s commercial life as post-production information is gathered and evaluated.

If your organization is already ISO 13485 certified and is assessing QMSR readiness, the current state of your Risk Management File is the single most important thing to evaluate first.

At this point, most organizations preparing for QMSR inspection should:

📋 Conduct a formal review of whether your Risk Management File has been updated since device release — and whether post-market complaint and CAPA data is systematically feeding into it. This is the highest-frequency inspection gap under CP 7382.850.


From the Shop Floor

After 25 years in heavy industrial manufacturing and quality systems, the most consistent pattern I see when organizations implement both ISO 13485 and ISO 14971 is this: they implement risk management well during design and development, and then they stop.

The Risk Management File is completed before device release. The risk management review is signed off. The certification audit passes. And then for the next three years, every complaint, every CAPA, every production nonconformance is handled in its own system — with no connection back to the risk management file that is supposed to be the living record of everything known about how the device can cause harm.

Three years later, an FDA investigator arrives under CP 7382.850 with the risk management file as their starting point. They trace a complaint about device malfunction into the CAPA system. They find a corrective action that was opened and closed. They look for the connection back to the risk management file — the evaluation of whether this complaint revealed a new hazard or indicated that an existing risk estimate was incorrect. The connection doesn’t exist.

That is not an ISO 13485 finding. It is not an ISO 14971 finding. It is a QMSR finding, because under the QMSR that connection is an expected element of a functioning integrated quality and risk management system.

The organizations that handle this well are the ones that treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. Post-market data goes into the RMF review process because the system requires it, not because an investigator asked for it.

That is what the integration of ISO 13485 and ISO 14971 is supposed to produce. It is also what separates manufacturers who pass inspections from those who merely survive them.


Which Standard Do You Buy First?

Both ISO 13485 and ISO 14971 are required for any serious medical device quality management implementation. The practical question is which to acquire and read first.

Buy ISO 13485 first if your organization is beginning the certification journey. ISO 13485 defines the overall QMS framework — understanding its requirements first gives you the context for understanding where and why ISO 14971 integrates.

Buy ISO 14971 immediately after — or together as a bundle. You cannot build a compliant risk management program from summaries or paraphrases. Both standards must be purchased, controlled as external documents within your QMS (as required under QMSR), and read by the people building your system.

For a complete overview of available medical device standards, see the Standards Library — Medical Devices Section.

The bundle option saves significantly. The ANSI Webstore offers the ISO 13485 and ISO/TR 14969 Quality Management Systems Medical Devices Package which includes both documents together at a meaningful discount versus individual purchases.

📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

📋 ISO Standards Bundle — Save up to 50%


Frequently Asked Questions

What is the main difference between ISO 14971 and ISO 13485?

ISO 13485 is a quality management system standard that defines what a medical device manufacturer’s QMS must cover — including the requirement that risk management be applied throughout the system. ISO 14971 is a risk management standard that defines how risk management must be conducted — the six-step process, the required documentation, and the Risk Management File structure. ISO 13485 requires risk management. ISO 14971 specifies how to do it.

Is ISO 14971 required if you have ISO 13485?

ISO 14971 is not formally mandated by ISO 13485’s normative requirements — the reference in Clause 7.1 is a note, not a normative requirement. However, certification bodies evaluate risk management programs against the ISO 14971 framework, and under the FDA’s QMSR (effective February 2, 2026), risk management expectations now carry federal regulatory weight. For practical purposes, ISO 14971 is effectively required for any organization pursuing ISO 13485 certification or operating in regulated markets.

Can you be certified to ISO 14971?

No. ISO 14971 is not a certifiable standard — there is no third-party certification to ISO 14971 itself. ISO 13485 is the certifiable standard. However, ISO 13485 certification implicitly requires that risk management is conducted in a way consistent with ISO 14971, since that is the framework certification bodies evaluate against.

Which came first — ISO 13485 or ISO 14971?

Both standards have long histories. ISO 14971 was first published in 2000, with major revisions in 2007 and 2019. ISO 13485 was first published in 1996, revised in 2003, and again in 2016. The 2016 edition of ISO 13485 was developed with the intent of aligning more closely with the 2012 draft of ISO 14971, ensuring stronger integration between the two standards.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). The companion document ISO/TR 24971 provides specific guidance on applying ISO 14971 to software, including cybersecurity risk considerations.

How does the QMSR affect the relationship between ISO 13485 and ISO 14971?

The QMSR (effective February 2, 2026) incorporated ISO 13485 by reference into 21 CFR Part 820. Since ISO 13485 references ISO 14971, that reference now carries federal regulatory weight. FDA investigators under the new Compliance Program 7382.850 start inspections with the risk management file — which is the primary output of the ISO 14971 process. The QMSR also extended risk management expectations across the entire QMS rather than concentrating them in design controls as the old QSR did.

What is the Risk Management File and which standard requires it?

The Risk Management File (RMF) is the organized collection of records that documents all risk management activities for a specific medical device — risk management plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. It is required by ISO 14971, not ISO 13485 directly. However, under ISO 13485, the Design and Development File must contain or reference risk management records — and under the QMSR, the RMF is what FDA investigators use as their inspection roadmap.

Do I need ISO/TR 24971 as well?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, and software risk management. Unlike ISO 14971, it is guidance rather than a standard with requirements. For organizations building or rebuilding their risk management program, ISO/TR 24971 is a valuable implementation companion. It is not required, but it is practically useful.

How does ISO 14971 differ from ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk in terms of patient harm — the combination of probability and severity of harm to people. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives. The two are not interchangeable in the medical device context. ISO 14971 is the expected framework for medical device risk management. ISO 31000 is not.


✅ Free Resources

📋 ISO 13485 Gap Assessment Checklist — 64 items across 7 sections including ISO 14971 risk management integration requirements and all four FDA QMSR bridge requirements. Identify your gaps before your first audit.

📋 Manufacturing Compliance Checklist — ISO 9001, 14001, 45001 & OSHA — 50 items with gap scoring across all compliance systems.

📋 Supplier Quality Checklist — ISO 9001 Clause 8.4 — all supplier controls auditors evaluate, 45 items with scoring.

📋 ISO 9001 Implementation Roadmap — The exact 5-phase process from gap assessment to Stage 2 audit clearance.


Not Sure What to Do Next?

✅ You need the official ISO 13485:2016 standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You need the official ISO 14971:2019 standard 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying both standards together 📋 ISO Standards Bundle — ANSI Webstore — Save up to 50%

✅ You want to identify your ISO 13485 and QMSR compliance gaps before spending anything 📋 Download the Free ISO 13485 Gap Assessment Checklist

✅ You need ISO 13485 training before implementation 📋 ISO 13485 Training — BSI Group

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? Complete Guide

✅ You want to understand what ISO 14971 requires 📋 What Is ISO 14971? Risk Management for Medical Devices

✅ You want to understand the FDA QMSR and its impact 📋 FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide

✅ You want to compare ISO 9001 and ISO 13485 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Guide 📋 How Much Does ISO 13485 Cost?

✅ You want to browse all available medical device standards 📋 Standards Library — Medical Devices & Regulated Manufacturing 📋 Popular Standards — Most Frequently Purchased


Still Figuring Out Where to Start?

If you’re not ready to purchase or certify yet — that’s normal. ISO 13485 and ISO 14971 implementation decisions typically take three to six months from first research to commitment.

The best next step for most organizations at this stage:

📋 Download the free ISO 13485 Gap Assessment Checklist — it covers all 64 clause requirements including the ISO 14971 integration section and the four QMSR bridge requirements. It takes 30 minutes and tells you exactly where your gaps are before you spend anything.

Download Free Checklist — No Cost


ISO 13485 and ISO 14971 Are Not Optional to Each Other

ISO 13485 tells you risk management is required across your quality management system. ISO 14971 tells you how to conduct it. One without the other produces either a QMS with undefined risk methodology or a risk management program without a quality system framework to integrate it.

Under the FDA’s QMSR, effective February 2, 2026, that integration is no longer just a best practice — it is what federal regulatory inspection expects. FDA investigators start with the risk management file. They follow it into design controls, CAPA, complaint handling, and post-market surveillance. A quality management system that treats risk management as a design-phase deliverable rather than a lifecycle discipline will not hold up under that inspection approach.

The organizations that get this right are the ones that treat the Risk Management File as a living operational document — not a certification artifact. They update it because post-market data flows into it systematically. They connect CAPA to it because the system requires the connection. They identify new hazards from real-world performance data because that is what ISO 14971 Clause 11 requires and what QMSR now enforces.

That is what implementing both standards properly actually produces.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

Subscribe

* indicates required

What Is ISO 14971? Risk Management for Medical Devices Explained (2026 Guide)

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. This guide covers what ISO 14971:2019 requires clause by clause, how its six-step process works across the device lifecycle, what changed in the 2019 edition, and why the FDA’s QMSR makes a well-maintained Risk Management File more critical than ever.

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. Here’s what it requires, how it works, and why the FDA’s QMSR makes understanding it more important than ever.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


From the Shop Floor

Risk management in manufacturing is not a new concept. Every process engineer who has ever run a failure modes and effects analysis on a production line understands the core logic: identify what can go wrong, estimate how likely it is and how bad it would be, put controls in place, and verify those controls work.

What ISO 14971 adds to that foundation is structure, lifecycle scope, and documentation discipline.

After 25 years in heavy industrial manufacturing — including quality systems, process control, and operational risk — the single most consistent gap I see in medical device risk management is the treatment of the Risk Management File as a design-phase deliverable rather than a living operational document. Teams build an impressive RMF during product development, get through their certification audit, and then let the file sit static while the real world generates new information about how the device actually performs.

That approach worked well enough under the old QSR. It does not work under the QMSR.

FDA investigators under CP 7382.850 are not looking at your RMF to confirm it was done — they are using it as a roadmap to evaluate whether your entire quality system is functioning as an integrated risk management framework. A risk management file that hasn’t been updated since device release is not a minor documentation gap. It is evidence that your risk management process is not integrated with complaint handling, CAPA, and post-market surveillance the way the QMSR requires.

The organizations I have seen handle this well treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. If post-market data is generating complaints, those complaints are being evaluated in the context of the risk management file every quarter. That is the operating model QMSR expects.


ISO 14971 Is the Standard Your QMS Is Already Required to Implement

If you are pursuing ISO 13485 certification, operating under the FDA’s QMSR, or manufacturing medical devices for any major regulated market, ISO 14971 is not a standard you get to choose whether to implement.

ISO 13485:2016 explicitly requires risk management per ISO 14971 throughout the medical device lifecycle — in design controls, production processes, supplier controls, complaint handling, and post-market surveillance. Under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, that requirement now carries federal regulatory weight. FDA investigators under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap.

Yet despite being one of the most referenced standards in medical device regulation, ISO 14971 remains one of the least understood. Most manufacturers know it exists. Far fewer understand what it actually requires, how its six-step process works across the device lifecycle, or why the 2019 edition introduced changes that many organizations still haven’t fully implemented.

This guide covers all of it — what ISO 14971 is, what it requires clause by clause, how it integrates with ISO 13485 and the QMSR, and what your risk management program needs to look like in practice.


In This Guide

  • What ISO 14971 is and why it exists
  • Who needs ISO 14971
  • The six-step ISO 14971 risk management process
  • Key clause-by-clause breakdown
  • What changed in the 2019 edition
  • The Risk Management File — what it contains and how it’s structured
  • ISO 14971 and ISO 13485 — how they integrate
  • ISO 14971 under the FDA QMSR
  • ISO/TR 24971 — the companion guidance document
  • How to buy the official standard
  • Frequently asked questions


✅ Start Here (Top Resources)

📋 Purchase the official ISO 14971:2019 standard → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

📋 Purchase the official ISO 13485:2016 standard — required companion → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 Save up to 50% buying both standards as a bundle → ISO Standards Packages — ANSI Webstore

📋 Get ISO 13485 training that covers ISO 14971 integration → BSI Group ISO 13485 Training

📋 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification


What Is ISO 14971?

ISO 14971 is the international standard for the application of risk management to medical devices. The current version — ISO 14971:2019 — is the third edition, published in December 2019. It specifies the terminology, principles, and a structured process for identifying hazards associated with medical devices, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of controls throughout the entire device lifecycle.

The standard applies to:

  • Physical medical devices of all classifications
  • Software as a Medical Device (SaMD)
  • In vitro diagnostic (IVD) medical devices
  • Combination products where the device constituent part requires risk management

Before ISO 14971, there was no universally accepted methodology for risk management in the medical device industry. Different manufacturers used different approaches, different terminology, and different standards for what constituted acceptable risk. ISO 14971 introduced a standardized process that could be consistently applied across the industry globally — giving regulators, certification bodies, and trading partners a shared framework for evaluating whether a manufacturer’s risk management is adequate.

Risk, as defined by ISO 14971, is the combination of two components:

  1. The probability that harm will occur
  2. The severity of that harm

This definition is important because it shapes the entire risk management process. A high-severity potential harm that is extremely unlikely to occur produces a different risk level than a moderate-severity harm that occurs frequently. ISO 14971 requires manufacturers to evaluate both dimensions systematically — not rely on intuition or experience alone.


Who Needs ISO 14971?

ISO 14971 is effectively required for any organization involved in the medical device supply chain. Specifically:

Organizations that must implement ISO 14971:

  • Medical device manufacturers — it is explicitly required by ISO 13485 and referenced throughout FDA QMSR, EU MDR, Health Canada, TGA (Australia), and most other major regulatory frameworks
  • Design-responsible organizations developing medical devices or device software
  • Contract manufacturers producing devices under a design owner’s technical file

Organizations that should implement ISO 14971:

  • Component suppliers whose products are incorporated into medical devices — risk management requirements are increasingly flowed down through quality agreements
  • Software developers producing SaMD or software incorporated into medical devices
  • Sterilization service providers — sterilization process risk must be managed within the device’s overall risk management framework

A critical distinction: ISO 14971 is not legally mandated in the same way a regulation is — regulators like the FDA do not list it as a statutory requirement. However, regulators worldwide recognize ISO 14971 as the state of the art for medical device risk management. Non-conformance with ISO 14971 — or the absence of a risk management program built on its framework — creates significant regulatory exposure. For practical purposes, ISO 14971 is mandatory for any organization intending to demonstrate that their device is safe and effective.


The ISO 14971 Risk Management Process — Six Steps

Infographic illustrating the six-step ISO 14971 medical device risk management process: Risk Analysis, Risk Evaluation, Risk Control, Overall Residual Risk, Risk Management Review, and Post-Production Information.
The six-step ISO 14971 risk management process creates a structured lifecycle approach for identifying hazards, controlling risks, evaluating residual risk, and continuously improving medical device safety.

ISO 14971 defines a six-step risk management process that applies across the entire device lifecycle — from initial concept through design, production, and post-market activities.

Step 1 — Risk Analysis

Risk analysis is the systematic use of available information to identify hazards and estimate the risks associated with a medical device. It consists of two activities:

Hazard identification: Identifying all reasonably foreseeable hazards associated with the device under both normal use conditions and fault conditions. The 2019 edition specifically requires both normal and fault conditions to be considered — a change from the 2007 edition which emphasized fault conditions primarily.

Sources of hazards include:

  • Device energy sources (electrical, thermal, mechanical, radiation)
  • Device materials and their biological interactions
  • Use environment and user characteristics
  • Reasonably foreseeable misuse
  • Software failures and cybersecurity vulnerabilities
  • Interactions with other devices

Risk estimation: For each hazardous situation identified, estimating the risk by determining the probability of occurrence of harm and the severity of that harm. ISO 14971 does not specify acceptable risk levels — manufacturers must establish their own objective criteria based on regulatory requirements, industry standards, and clinical context.

Step 2 — Risk Evaluation

Risk evaluation is the process of comparing estimated risks against the manufacturer’s defined risk acceptability criteria to determine whether risk reduction is required. If the estimated risk exceeds acceptable levels, the process moves to risk control. If the risk is within acceptable limits, it is documented as acceptable residual risk and monitored.

Step 3 — Risk Control

Risk control is the process of implementing and verifying measures to reduce risks that exceed acceptable levels. ISO 14971 requires risk control measures to be implemented in a defined priority order:

  1. Inherent safety by design — eliminate or reduce hazards through design decisions (preferred)
  2. Protective measures — guards, alarms, interlocks in the device or manufacturing process
  3. Information for safety — warnings, instructions for use, training requirements (last resort)

After implementing risk control measures, the residual risk — the risk remaining after controls — must be estimated and evaluated again. The process is iterative: if residual risk is still unacceptable, additional risk control measures must be implemented.

Risk control measures must also be evaluated for introduced risks — a control measure that eliminates one hazard may introduce a new one.

Step 4 — Evaluation of Overall Residual Risk

After all individual risks have been addressed, the overall residual risk of the device must be evaluated — not just each individual risk in isolation. If the overall residual risk is not acceptable using the manufacturer’s risk acceptability criteria, a benefit-risk analysis must be performed.

Benefit-risk analysis (introduced as a formal requirement in the 2019 edition) evaluates whether the clinical benefits of the device outweigh the overall residual risk in the context of the device’s intended use. If the benefits outweigh the risks, and appropriate information is provided to users, the device may be released. If the benefits do not outweigh the risks, the device cannot be released — additional risk control measures are required.

Step 5 — Risk Management Review

Before a device is released for distribution, a formal risk management review must be completed. The 2019 edition changed the title of this clause from “Risk Management Report” to “Risk Management Review” — a deliberate signal that this is an active review activity, not simply a summary document.

The review must confirm:

  • The risk management plan has been fully implemented
  • The overall residual risk is acceptable
  • Appropriate methods are in place to collect and review production and post-production information

Reviewers must be identified in the risk management plan in advance — they cannot be appointed after the fact.

Step 6 — Production and Post-Production Information

Risk management does not end when the device is released. ISO 14971 requires a systematic process for collecting and reviewing information from production and post-market activities throughout the device’s commercial life. This includes:

  • Complaint data and adverse event reports
  • Post-market surveillance information
  • Production nonconformances and CAPA trends
  • New scientific and technical information relevant to device safety

When this information indicates that the risk management process needs to be updated — that a new hazard has been identified, or that an existing risk estimate was incorrect — the risk management file must be revised and risk control measures re-evaluated.


ISO 14971 Clause-by-Clause Breakdown

ClauseTitleKey Content
1ScopeApplicability to all medical devices, SaMD, IVDs, combination products
2Normative referencesISO 9000:2015 for defined terms
3Terms and definitions31 defined terms including risk, hazard, harm, hazardous situation, benefit
4General requirementsRisk management system requirements, management responsibilities, competence requirements
5Risk management planningRisk management plan requirements — device scope, lifecycle phases, risk acceptability criteria
6Risk analysisIntended use, hazard identification, risk estimation
7Risk evaluationComparison to acceptability criteria, benefit-risk analysis (Clause 7.4)
8Risk controlControl option analysis, measure implementation, residual risk evaluation, introduced risks
9Evaluation of overall residual riskOverall residual risk acceptability, benefit-risk if needed
10Risk management reviewPre-release review requirements, reviewer identification
11Production and post-production activitiesInformation collection, new hazard identification, risk file updates

What Changed in ISO 14971:2019

The 2019 edition is the third edition of ISO 14971, replacing the 2007 version. Several changes have practical implementation implications:

Benefit-risk analysis is now a formal requirement. The 2019 edition formally introduced benefit-risk analysis as a defined process step (Clause 7.4) when overall residual risk is not acceptable under the manufacturer’s criteria alone. The 2007 edition referenced this concept but did not treat it as a structured requirement. The FDA’s influence here is direct — the FDA revised its language to place “benefit” before “risk” for novel device submissions, and the ISO 14971 committee adopted this framing in the 2019 revision.

Both normal and fault conditions must be analyzed. Clause 5.4 of the 2019 edition explicitly requires identification of anticipated hazards under both normal use and fault conditions. The 2007 edition emphasized fault conditions — the 2019 edition closes that gap. This has direct implications for FMEA and hazard analysis documentation.

Post-production requirements are more prescriptive. The requirements for production and post-production information collection (Clause 11) are more detailed in the 2019 edition, with stronger emphasis on systematic feedback of real-world performance data into the risk management file.

Risk Management Review replaces Risk Management Report. The title change in Clause 9 (from “report” to “review”) reflects a substantive intent: the activity must be an active review with identified reviewers, not a passive summary document compiled at device release.

EN ISO 14971:2019 + A11:2021 for EU MDR. The European version of the standard includes Amendment A11:2021, which maps ISO 14971 requirements to the General Safety and Performance Requirements (GSPR) of the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). Organizations selling into the EU need the A11 annex — organizations selling only in the U.S. do not, but the normative requirements are identical in both versions.


The Risk Management File

The Risk Management File (RMF) is the central documentation output of the ISO 14971 process. It is the organized collection of records that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored the effectiveness of those controls throughout the device lifecycle.

The RMF is not a single document. It is a defined collection of records that includes:

  • Risk Management Plan (RMP): Defines the scope of risk management activities, the lifecycle phases covered, the risk acceptability criteria, the risk estimation methodology, and the verification activities planned
  • Risk Analysis records: Hazard identification outputs, risk estimation records, FMEA or other analysis tool outputs
  • Risk Evaluation records: Comparison of estimated risks against acceptability criteria
  • Risk Control records: Selected control measures, implementation records, verification that controls achieved their intended risk reduction, evaluation of introduced risks
  • Overall Residual Risk evaluation: Documentation of the overall residual risk assessment and benefit-risk analysis if required
  • Risk Management Review: Pre-release review record with identified reviewers
  • Post-Production information records: Systematic records of production and post-market information reviewed against the risk management file

A common audit finding is a Risk Management File that functions as a static document compiled at device release — rather than a living record updated throughout the device’s commercial life as post-production information is gathered. Under the QMSR, FDA investigators start inspections with the risk management file. A static RMF that hasn’t been updated since initial device release is a significant inspection vulnerability.

Feature image promoting an ISO 13485 Gap Assessment Checklist for medical device manufacturers, contract manufacturers, and component suppliers preparing for certification and FDA QMSR compliance.
ISO 13485 Gap Assessment Checklist designed to help medical device manufacturers identify compliance gaps, prioritize actions, and prepare for certification and FDA QMSR requirements.

📋 How does your risk management program measure up? Section 6 of the free ISO 13485 Gap Assessment Checklist covers ISO 14971 integration specifically — risk management plan requirements, RMF structure, post-production feedback, and the QMSR inspection implications. Download Free Checklist


ISO 14971 and ISO 13485 — How They Integrate

ISO 14971 and ISO 13485 are companion standards — not alternatives. ISO 13485 is the quality management system framework. ISO 14971 is the risk management framework that ISO 13485 requires to be implemented throughout that QMS.

ISO 13485 references ISO 14971 in multiple clauses:

  • Clause 7.1 — Planning of product realization: Risk management activities must be planned as part of product realization
  • Clause 7.3 — Design and development: Risk management must be integrated throughout design and development activities
  • Clause 7.4 — Purchasing: Supplier controls must reflect risk — suppliers of higher-risk components require more rigorous qualification
  • Clause 8.2.1 — Feedback: Post-market feedback must be evaluated in the context of risk management
  • Clause 8.5 — Improvement: CAPA and continual improvement activities must consider risk management outputs

ISO 14971 is not optional supplementary guidance for ISO 13485. Organizations implementing ISO 13485 must purchase and implement ISO 14971. It is an external document that must be controlled under ISO 13485 Clause 4.2.4 — registered, version-controlled, and accessible to relevant personnel.

For a complete comparison of how ISO 13485 and risk management requirements interact, see ISO 9001 vs ISO 13485 — Key Differences.

📋 Buy ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

Infographic mapping ISO 13485 clauses to corresponding ISO 14971 risk management requirements, showing how quality management processes trigger risk management activities across the medical device lifecycle.
ISO 13485 establishes quality system requirements, while ISO 14971 provides the risk management framework that connects planning, design, purchasing, feedback, and improvement activities throughout the medical device lifecycle.

ISO 14971 Under the FDA QMSR

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820 — and with it, ISO 13485’s explicit requirement for risk management per ISO 14971.

Under QMSR, several specific changes elevate the practical importance of ISO 14971:

Risk management now extends across the entire QMS. Under the old QSR, risk management was concentrated primarily in design controls. Under QMSR, risk-based thinking is required throughout the entire quality system — supplier controls, production processes, CAPA, complaint handling, and post-market surveillance. ISO 14971 is the expected framework for implementing this expanded risk management scope.

FDA investigators start inspections with the risk management file. Under Compliance Program 7382.850 — the new inspection program that replaced QSIT on February 2, 2026 — FDA investigators are expected to begin inspections by reviewing the risk management file and following risk documentation into other quality system areas. A well-maintained, current risk management file is inspection preparation. An incomplete or static risk management file is an inspection liability.

Post-market surveillance feeds the risk management file. The QMSR’s requirements for production and post-production information — complaint handling, MDR, field corrections — are expected to feed systematically into the risk management file. Organizations that maintain complaint handling and risk management as separate, unconnected systems have a QMSR gap.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485: The Complete QMSR Transition Guide.


ISO/TR 24971 — The Companion Guidance Document

ISO/TR 24971:2020 is the technical report published as a companion to ISO 14971:2019. Unlike ISO 14971, which is a normative standard (its requirements are mandatory for certification purposes), ISO/TR 24971 is guidance — it does not add requirements but provides practical methodology for implementing ISO 14971’s requirements.

ISO/TR 24971:2020 covers:

  • Guidance on risk management planning
  • Practical methods for hazard identification and risk estimation
  • Guidance on benefit-risk analysis
  • Application of risk management to software
  • Application of risk management to usability and human factors
  • Guidance on production and post-production information processes

For organizations building or rebuilding their risk management program, ISO/TR 24971 is the practical implementation companion to ISO 14971’s requirements. Many experienced quality and regulatory professionals recommend reading both together.

📋 ISO/TR 24971:2020 — ANSI Webstore — use coupon CC2026 for 5% off


How to Buy ISO 14971

ISO 14971 is a copyrighted document and must be purchased from an authorized source. It cannot be legally downloaded for free.

The ANSI Webstore is the authorized U.S. distributor for ISO standards. ISO 14971:2019 is available in PDF format with immediate download after purchase.

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

Bundle with ISO 13485 — Save Up to 50%

Organizations implementing ISO 13485 need both standards. Purchasing as a bundle through the ANSI Webstore saves significantly compared to individual purchases.

📋 ISO Standards Bundles — Save up to 50%

For the complete guide to purchasing ISO 13485, see Buy ISO 13485 — Complete Purchasing Guide.


Frequently Asked Questions

What is ISO 14971 used for?

ISO 14971 is the international standard for applying risk management to medical devices. It provides the structured process — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, and post-production monitoring — that manufacturers must use to demonstrate that their devices are safe for their intended use.

Is ISO 14971 required for ISO 13485 certification?

Yes. ISO 13485 explicitly requires risk management per ISO 14971 throughout the medical device quality management system. Organizations cannot achieve ISO 13485 certification without demonstrating that their risk management program is built on the ISO 14971 framework. ISO 14971 must be controlled as an external document within the ISO 13485 QMS.

Is ISO 14971 required by the FDA?

ISO 14971 is not listed as a statutory FDA requirement. However, the FDA recognizes ISO 14971 as the state of the art for medical device risk management. Under the QMSR, effective February 2, 2026, ISO 13485 is incorporated by reference into 21 CFR Part 820 — and ISO 13485 explicitly requires ISO 14971. FDA investigators under CP 7382.850 use the risk management file as their inspection starting point. For practical purposes, ISO 14971 is effectively mandatory for any FDA-regulated medical device manufacturer.

What is the difference between ISO 14971:2007 and ISO 14971:2019?

The 2019 edition introduced several substantive changes: benefit-risk analysis is now a formal requirement when overall residual risk is not acceptable; both normal use and fault conditions must be analyzed during hazard identification; post-production requirements are more prescriptive; and the Risk Management Report was renamed Risk Management Review to signal an active review activity rather than a passive document.

What is the Risk Management File?

The Risk Management File (RMF) is the organized collection of records that demonstrates a manufacturer has systematically implemented the ISO 14971 risk management process. It includes the Risk Management Plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. The RMF is a living document — it must be updated throughout the device’s commercial life as post-production information is gathered.

What is ISO/TR 24971?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, software risk management, and post-production information processes. It does not add normative requirements but is an essential practical companion for organizations building or rebuilding their risk management programs.

What is the difference between ISO 14971 and ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk purely in terms of harm to people — the combination of probability of harm and severity of that harm. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives, including positive risks (opportunities). The two standards serve different purposes and are not interchangeable in the medical device context.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). ISO/TR 24971 provides specific guidance on applying ISO 14971 to software. The companion standard IEC 62304 — Medical Device Software Lifecycle Processes — also references ISO 14971 risk management requirements throughout its software development lifecycle requirements.


📥 Free Resources


Not Sure What to Do Next?

✅ You need the official ISO 14971:2019 standard 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

✅ You also need ISO 13485:2016 — the required companion QMS standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You need the ISO/TR 24971 implementation guidance companion 📋 ISO/TR 24971:2020 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying multiple standards together 📋 ISO Standards Bundles — Save up to 50% — ANSI Webstore

✅ You need ISO 13485 training that covers ISO 14971 integration 📋 BSI Group ISO 13485 Training

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? — Complete Guide

✅ You want to understand the FDA QMSR and how ISO 14971 fits 📋 FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide

✅ You want to compare ISO 9001 and ISO 13485 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Purchasing Guide 📋 How Much Does ISO 13485 Cost?


Risk Management Is Not a Deliverable. It’s an Operating Model.

ISO 14971 is not a checkbox on a certification audit list. It is the framework that determines whether the medical devices your organization produces — or supplies components for — are demonstrably safe for their intended use.

Under the FDA’s QMSR, effective February 2, 2026, that framework now carries federal regulatory weight. Risk management under QMSR extends across the entire quality system, and FDA investigators under CP 7382.850 are using the risk management file as their inspection roadmap.

The organizations that navigate this environment successfully are the ones that treat risk management as an operating discipline — not a documentation exercise. The Risk Management File is updated because post-market data is being systematically reviewed, not because an audit is scheduled. CAPA is connected to the risk management file because the quality system is integrated, not because an investigator asked to see the connection.

That is what ISO 14971, properly implemented, actually produces.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

Subscribe

* indicates required