Buying Guides - The Standards Navigator

Buy ISO 14971:2019 — Official PDF & Print Sources (2026 Guide)

Where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and why purchasing from an authorized source is non-negotiable for medical device risk management — including why the superseded 2007 edition still circulating online creates real certification and regulatory risk.

Where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and why purchasing from an authorized source is non-negotiable for medical device risk management.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

📥 Free ISO 13485 & ISO 14971 Implementation Checklist — Confirm you have every required risk management document before your first certification audit. → [Download Free Checklist]

ISO 14971 Is No Longer Optional for Medical Device Manufacturers

ISO 14971:2019 was already the international standard for medical device risk management. Since February 2, 2026, it carries additional weight: the FDA’s Quality Management System Regulation (QMSR) incorporated ISO 13485:2016 by reference — and ISO 13485 explicitly requires risk management per ISO 14971. That means ISO 14971 is now embedded in U.S. regulatory expectations for every manufacturer subject to 21 CFR Part 820.

FDA investigators operating under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap — following risk documentation into design controls, CAPA, supplier qualification, and post-market surveillance. If your risk management program is not built on ISO 14971, that gap will surface under QMSR inspection.

This guide covers exactly where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and what to watch out for when purchasing.

⚠️ The QMSR compliance date has passed (February 2, 2026). Organizations that have not yet integrated ISO 14971 across their quality system are operating with a gap that FDA inspectors are actively evaluating.

In This Guide

What ISO 14971:2019 is and what changed from the 2007 edition
Which edition you need — 2019 vs 2007
Where to buy the official standard from authorized sources
Available formats — PDF, print, multi-user, and bundles
How much ISO 14971:2019 costs
Who needs to purchase the standard
What ISO 14971 does NOT include
Common purchasing mistakes to avoid
Related standards you will also need

👉 Start Here (Top Resources)

👉 Purchase the official ISO 14971:2019 standard — the current edition for all medical device risk management programs → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026. ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits.

👉 Purchase the required companion — ISO 13485:2016 → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off. ISO 14971 cannot be implemented in isolation — it is a required companion to ISO 13485 and must be purchased and controlled as an external document within your QMS.

👉 Save up to 50% buying both standards together → ISO Standards Packages — ANSI Webstore — the most cost-effective option for organizations purchasing ISO 14971 alongside ISO 13485 and related standards.

👉 Get ISO 13485 training covering risk management requirements → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

👉 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification — ISOQAR is a UKAS-accredited certification body, one of the most recognized in the industry for ISO 13485 certification.

What Is ISO 14971:2019?

Feature image for an ISO 14971 guide showing medical device risk management concepts, lifecycle risk controls, and the relationship between ISO 14971, ISO 13485, and FDA QMSR requirements. — ISO 14971 is the required risk management framework for medical devices, embedding risk analysis and control throughout the product lifecycle and supporting ISO 13485 and FDA QMSR compliance.

ISO 14971:2019 — Medical Devices: Application of Risk Management to Medical Devices — is the international standard defining the process for identifying hazards associated with medical devices, estimating and evaluating associated risks, controlling those risks, and monitoring the effectiveness of those controls throughout the device lifecycle.

The standard is published by the International Organization for Standardization and is recognized globally as the baseline risk management framework for medical device manufacturers. It applies to all device classes — from Class I low-risk devices through Class III implantables — and to every organization involved in the device lifecycle: manufacturers, component suppliers, contract manufacturers, and service providers.

ISO 14971 does one thing with precision: it defines a formal, documented, lifecycle-integrated process for managing risk in medical device development and manufacturing. Nothing else in the ISO 13485 framework tells you how to manage risk — that is ISO 14971’s job.

Key updates in the 2019 edition include clarified terminology aligned with ISO/IEC Guide 63, updated requirements for risk management plan documentation, strengthened requirements for production and post-production information, and enhanced guidance on benefit-risk analysis. The 2019 edition also removed references to ALARP (As Low As Reasonably Practicable) — replacing it with a more precise framework for determining risk acceptability. For the complete breakdown of what the standard requires, see What Is ISO 14971? — Complete Guide.

ISO 14971:2019 vs ISO 14971:2007 — Which Do You Need?

Situation	Edition to Purchase
New risk management program — first implementation	ISO 14971:2019
Currently using ISO 14971:2007 — planning update	ISO 14971:2019
Pursuing ISO 13485 certification	ISO 14971:2019
Subject to FDA QMSR (21 CFR Part 820)	ISO 14971:2019
EU MDR technical documentation	ISO 14971:2019
Researching risk management before committing	ISO 14971:2019

The answer in every case is ISO 14971:2019. The 2007 edition has been superseded. ISO 13485:2016 references ISO 14971 — and certification bodies audit against the current edition. The QMSR regulatory expectation is built on ISO 13485:2016, which requires current-edition conformance.

If your organization is still operating a risk management program built on ISO 14971:2007, purchasing the 2019 edition and conducting a gap assessment is your first step. The changes are substantive enough that a documented gap assessment is expected before your next certification audit.

→ ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

Where to Buy ISO 14971:2019 — Official Sources Only

ISO standards are copyrighted intellectual property. They are not available as free downloads and must be purchased from authorized distributors. Every “free ISO 14971 PDF” circulating online is an unauthorized copy — typically an outdated 2007 edition, an incomplete document, or an altered version. Using an unauthorized copy for risk management program development introduces certification risk and potential regulatory exposure simultaneously.

Certification bodies audit against the precise wording of the current official standard. A risk management file built from an outdated or incomplete copy will generate nonconformances — costing far more in audit findings and corrective action cycles than the official document.

Provider	What You Get	Price Range	Best For	Link
ANSI Webstore	Official current edition, immediate PDF delivery, audit-accepted	$150–$200	U.S.-based organizations — official distributor, CC2026 coupon available	Buy Here
ISO.org Store	Official current edition directly from publisher	$158–$198	International buyers outside the U.S.	iso.org/store
ANSI Bundle Package	ISO 14971 + ISO 13485 + related standards	$300–$500	Organizations purchasing multiple medical device standards — significant savings	Bundle Here

Where to buy ISO standards comparison showing ANSI Webstore, ISO Store, and other resellers with pros and risks — Compare ANSI, ISO, and other sources to safely buy ISO standards for certification and compliance

ANSI Webstore is the recommended source for U.S.-based organizations. ANSI is the official U.S. distributor of ISO standards — purchasing through ANSI guarantees the current edition, complete document, licensed PDF with immediate delivery, and a recognized distributor credential accepted by all certification bodies and regulatory authorities.

→ Use coupon code CC2026 for 5% off ISO and IEC standards at the ANSI Webstore through December 31, 2026

At this point, most organizations purchasing ISO 14971 for the first time should: → Purchase the bundle including ISO 13485:2016 and ISO 14971:2019 together from ANSI Standard Packages — the savings over individual purchases typically cover the cost of training materials, and you need both documents on hand before implementation begins.

ISO 14971 Formats Available

Format	Price Range	Best For	Notes
Single-user PDF	$150–$200	Individual quality managers and risk managers	Immediate delivery, searchable — cannot be shared simultaneously
Printed copy	$170–$220	Risk management teams, controlled document environments	Useful for annotating during implementation — slightly higher cost
Multi-user license	Contact ANSI	Organizations with multiple simultaneous users	Required if multiple team members need access at the same time
Bundle with ISO 13485	$300–$500	Any organization implementing ISO 13485	Best value — you need both; bundle saves 30–50% vs individual

Single-user PDF is the most common choice for quality managers implementing risk management programs. It is immediately accessible after purchase, searchable by clause number, and sufficient for a single implementer building the risk management framework.

Important licensing rule: A single-user PDF license cannot legally be shared across your organization. If your risk management team, design engineers, and regulatory affairs personnel all need simultaneous access, a multi-user license is required. Sharing a single-user PDF via email or shared drive violates the license terms — a detail that is often overlooked during implementation and can create legal exposure.

If you are implementing both ISO 14971 and ISO 13485, purchase them as a bundle. You will need both on hand from day one of your gap assessment — and the bundle consistently saves more than the coupon alone.

→ ISO Standards Packages — Save up to 50%

How Much Does ISO 14971:2019 Cost?

Item	Typical Price	Notes
Single-user PDF	$150–$200	Standard purchase from ANSI Webstore
Printed copy	$170–$220	Physical copy for reference
Multi-user license	Varies	Contact ANSI for pricing
Bundle: ISO 14971 + ISO 13485	$300–$500	Saves 30–50% vs individual purchase
Bundle: ISO 14971 + ISO 13485 + ISO 13485 collection	$350–$600	Full medical device standards set

Use coupon CC2026 for 5% off at ANSI through December 31, 2026 → Apply at ANSI

In the context of total ISO 13485 certification costs — which range from $15,000 to $100,000+ for most organizations — the ISO 14971 standard purchase is the lowest-cost line item in your entire budget. It is also the one with the highest leverage on audit outcomes. A risk management file built from the correct current edition is foundational. Everything else in your QMS depends on it.

For the complete ISO 13485 certification cost breakdown, see How Much Does ISO 13485 Cost?

Who Needs to Purchase ISO 14971?

ISO 14971:2019 must be purchased by anyone responsible for building, implementing, auditing, or maintaining a medical device risk management program. Specifically:

Risk managers and quality managers building a risk management program from scratch or updating from ISO 14971:2007 — the standard is the only authoritative source for what the process requires. Implementing from a summary or training slide deck rather than the official document is one of the most common reasons risk management files fail certification audits.

Design engineers and product development teams at organizations with design responsibility — risk management under ISO 14971 begins at design input and runs through every design stage. Engineers performing hazard analysis, risk estimation, and risk control selection need the standard directly.

Internal auditors conducting ISO 13485 internal audits — you cannot audit risk management effectiveness against a standard you have not read. Clause 7.1, 7.3, and the full risk management integration requirements across ISO 13485 require familiarity with ISO 14971 clause requirements.

Regulatory affairs professionals preparing FDA QMSR compliance documentation or EU MDR technical files — both regulatory frameworks expect ISO 14971 conformance, and regulatory submissions are evaluated against the standard’s exact requirements.

Organizations currently certified to ISO 14971:2007 planning their 2019 edition gap assessment — purchasing the 2019 edition is step one. The gap assessment cannot be conducted without it.

If you are at this stage:

If you are a quality manager building your first ISO 14971-based risk management program → purchase ISO 14971:2019 and ISO 13485:2016 together from ANSI Standard Packages, then enroll your team in BSI Group ISO 13485 Training before documentation development begins.

If you are currently ISO 14971:2007 compliant and planning your 2019 transition → purchase the 2019 edition, conduct a documented gap assessment focused on the ALARP removal, updated risk acceptability criteria, and post-production information requirements, and update your risk management plan before your next surveillance audit.

If you are a component supplier entering the medical device supply chain → your OEM customer will require ISO 14971-aligned risk management as part of supplier qualification. Purchase the standard before your first supplier audit.

What ISO 14971 Does NOT Include

Understanding what you are not buying is as important as understanding what you are.

ISO 14971 does not provide device-specific risk acceptability criteria. The standard defines the process for determining risk acceptability — it does not tell you what the acceptable residual risk level is for your specific device. That determination is your organization’s responsibility, informed by applicable regulations, clinical data, and the state of the art.

ISO 14971 does not replace clinical evaluation. Risk management and clinical evaluation are complementary but distinct requirements under ISO 13485 and EU MDR. ISO 14971 covers the risk management process — clinical evaluation has its own standards and guidance documents.

ISO 14971 does not provide implementation templates. The standard defines requirements — your organization must build the risk management plan, hazard identification tools, risk estimation worksheets, and risk control documentation. For ready-to-use ISO 13485 QMS documentation including risk management templates, see 9001Simplified Documentation Kits. 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.

ISO 14971 does not satisfy IEC 62304. Organizations developing medical device software need IEC 62304 — software lifecycle processes for medical devices — in addition to ISO 14971. The two standards work together but address different scopes.

Common Purchasing Mistakes to Avoid

Buying ISO 14971:2007 instead of ISO 14971:2019. The 2007 edition is superseded. Third-party sellers frequently carry outdated editions without clear disclosure. Always verify the edition year before completing a purchase. If a price seems unusually low, check the edition.

Downloading unauthorized copies. Every “free ISO 14971 PDF” found through a search engine is an unauthorized copy — typically the 2007 edition, an incomplete document, or an altered version. Using it for risk management program development introduces certification risk. The standard costs $150–$200. A major nonconformance at Stage 2 costs multiples of that in re-audit fees and timeline delays.

Purchasing without checking the edition date. Even on legitimate platforms, searching “ISO 14971” can surface the 2007 edition alongside the 2019 edition. Always confirm “ISO 14971:2019” before adding to cart.

Treating ISO 14971 as a design-only requirement. The most common QMSR and ISO 13485 gap is a risk management program that lives only in design files. Under QMSR, risk-based thinking extends across supplier qualification, production processes, CAPA, complaint handling, and post-market surveillance. Purchasing the standard is step one — reading Clauses 3, 8, and 9 in their entirety is what reveals the full scope of implementation required.

Sharing a single-user PDF with your team. A single-user license covers one user. Sharing via email or shared drive violates the license terms. If multiple team members need simultaneous access, purchase a multi-user license.

Purchasing ISO 14971 without ISO 13485. ISO 14971 does not stand alone in a medical device QMS context. It is a required companion to ISO 13485 — and you need both documents to implement either correctly. Purchase them together.

At this point, most organizations who have identified they need ISO 14971 should: → Purchase the ISO Standards Bundle including ISO 14971:2019 and ISO 13485:2016 together — this is the lowest-cost, most operationally complete starting point for any medical device risk management implementation.

Why Organizations Delay This — And What It Costs Them

The most common reason manufacturers delay purchasing ISO 14971 and building a compliant risk management program is the belief that it can be addressed “during the certification project.”

Here is what consistently happens instead:

Organizations that arrive at Stage 1 of their ISO 13485 certification audit without a documented, ISO 14971-based risk management program receive a major nonconformance — delaying Stage 2 by 3–6 months and adding $5,000–$15,000 in re-audit fees and consultant costs. The risk management file is one of the first things a certification body auditor reviews.

Under QMSR, the stakes are higher. FDA investigators under CP 7382.850 use the risk management file as their inspection roadmap. An absent or inadequate risk management program does not just generate a finding — it gives the inspector a thread to pull through design controls, CAPA, and supplier qualification simultaneously.

The organizations that move first — purchasing the standard, conducting the gap assessment, and building ISO 14971 integration across the QMS before the certification audit — consistently report shorter audit cycles, fewer findings, and lower total certification costs. The ones that treat risk management as a later step discover that it is actually the foundation everything else is audited against.

📥 Free ISO 13485 & ISO 14971 Implementation Checklist — Identify your top 5 risk management gaps before your certification audit. → [Download Free Checklist]

ISO 14971 does not operate in isolation. Organizations building a medical device QMS will need these companion standards:

Standard	Purpose	Relationship to ISO 14971	Where to Buy
ISO 13485:2016	Medical device QMS requirements	Requires ISO 14971 throughout — cannot be implemented without it	ANSI Webstore
ISO/TR 24971:2020	Guidance on ISO 14971 application	Non-mandatory companion — practical guidance on applying ISO 14971 requirements	ANSI Webstore
IEC 62304	Software lifecycle for medical devices	Complements ISO 14971 for software risk management	ANSI Webstore
ISO 9001:2015	General QMS foundation	Useful reference for organizations building ISO 13485 on an existing ISO 9001 foundation	ANSI Webstore

Organizations implementing ISO 13485 for the first time should prioritize: ISO 14971:2019 + ISO 13485:2016. These two documents together define what your QMS must do and how risk must be managed within it.

→ Save up to 50% on ISO Standards Packages — ANSI Webstore

Frequently Asked Questions

What is ISO 14971:2019?

ISO 14971:2019 is the current edition of the international standard for risk management for medical devices. It defines the process for identifying hazards associated with medical devices, estimating and evaluating risks, implementing risk controls, and monitoring effectiveness throughout the device lifecycle. It is a required companion standard to ISO 13485:2016.

Is ISO 14971 required for ISO 13485 certification?

Yes — ISO 13485 explicitly requires risk management per ISO 14971 throughout the QMS. Certification bodies audit risk management processes against ISO 14971 requirements. Under the FDA’s QMSR, ISO 14971 conformance is embedded in U.S. regulatory expectations for all manufacturers subject to 21 CFR Part 820.

What is the difference between ISO 14971:2019 and ISO 14971:2007?

The 2019 edition clarified terminology, updated the risk acceptability framework by removing ALARP references, strengthened post-production information requirements, and enhanced benefit-risk analysis guidance. Any organization currently using the 2007 edition should conduct a gap assessment and transition to the 2019 edition before their next certification audit.

Where is the best place to buy ISO 14971:2019?

The ANSI Webstore is the recommended source for U.S. organizations — it is the authorized U.S. distributor for ISO standards and guarantees the current edition. Use coupon CC2026 for 5% off through December 31, 2026. → ISO 14971:2019 — ANSI Webstore

Can I share my ISO 14971 PDF with my design team?

No — a single-user PDF license cannot be shared simultaneously. If multiple team members need access at the same time, purchase a multi-user license or individual copies. Physically sharing a printed copy sequentially is permitted.

Do I need both ISO 14971 and ISO 13485?

Yes. ISO 14971 and ISO 13485 are required companions — neither can be fully implemented without the other. ISO 13485 defines your QMS framework; ISO 14971 defines how risk must be managed within it. Purchase them together for the best value. → ISO Standards Packages — Save up to 50%

Does ISO 14971 apply to software?

ISO 14971 applies to risk management for medical devices including software as a medical device (SaMD). For the software development lifecycle specifically, IEC 62304 is the companion standard. Risk management under ISO 14971 and software lifecycle management under IEC 62304 are intended to be implemented together.

What is ISO/TR 24971?

ISO/TR 24971:2020 is a technical report providing guidance on the application of ISO 14971. It is not a requirement — it is a non-mandatory companion document offering practical interpretation and application examples. Organizations new to ISO 14971 often find it valuable alongside the standard itself.

How much does ISO 14971:2019 cost?

A single-user PDF typically costs $150–$200 from the ANSI Webstore. Use coupon CC2026 for 5% off through December 31, 2026. Bundles including ISO 14971 with ISO 13485 offer savings of 30–50% compared to individual purchases.

📥 Free Resources

👉 Free ISO 13485 & ISO 14971 Implementation Checklist — Verify every required risk management document is in place before your certification audit 👉 Manufacturing Compliance Checklist — Assess your current compliance status across quality, environmental, and safety requirements 👉 Supplier Quality Checklist — Supplier qualification requirements applicable to medical device supply chains

Not Sure What to Do Next?

◆ You need the official ISO 14971:2019 standard → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

◆ You need the required companion standard ISO 13485:2016 → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

◆ You want to save buying both standards together → Save up to 50% on ISO Standards Packages — ANSI Webstore

◆ You need ISO 13485 training covering risk management requirements → BSI Group ISO 13485 Training

◆ You are ready to pursue ISO 13485 certification → ISOQAR ISO 13485 Certification

◆ You want to understand what ISO 14971 requires → What Is ISO 14971? — Complete Guide

◆ You want to understand the full FDA QMSR transition → FDA QSR vs ISO 13485: The Complete QMSR Transition Guide

◆ You want to understand how ISO 9001 and ISO 13485 differ → ISO 9001 vs ISO 13485 — Key Differences

◆ You want to understand what ISO 13485 requires → What Is ISO 13485? — Complete Guide

◆ You want to understand certification costs → How Much Does ISO 13485 Cost? → ISO Certification Cost Calculator

◆ You want to choose the right certification body → Best ISO Certification Bodies — Ranked & Reviewed

Still figuring out where to start?

If you are not ready to purchase yet — that is normal. ISO 14971 implementation decisions typically take 2–4 weeks from first research to commitment as organizations assess their current risk management program against what certification auditors expect.

The best next step for most organizations at this stage: → Download the free ISO 13485 & ISO 14971 Implementation Checklist — it takes 20 minutes and tells you exactly where your gaps are before you spend anything.

📥 [Download Free Checklist]

The Standard That Makes Everything Else Auditable

ISO 14971 is not a box to check. It is the document that makes every other part of your medical device QMS auditable — design controls, CAPA, supplier qualification, complaint handling, and post-market surveillance all connect back to the risk management file when a certification auditor or FDA investigator starts pulling threads.

Organizations that purchase the official standard, read it completely, and build their risk management program against its actual requirements consistently report fewer findings, shorter audit cycles, and lower total certification costs. The ones that work from summaries, training slides, or outdated editions discover those shortcuts at the worst possible moment.

The standard costs $150–$200. A failed Stage 2 audit costs multiples of that. Buy the official edition.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO 14971 vs ISO 13485: What’s the Difference and How Do They Work Together? (2026 Guide)

ISO 13485 requires risk management throughout the quality management system. ISO 14971 defines exactly how that risk management must be conducted. This guide covers the precise differences between the two standards, where they integrate clause by clause, and what the FDA’s QMSR means for both.

Last Updated: May 2026

ISO 13485 requires risk management. ISO 14971 defines how to do it. Understanding the precise relationship between these two standards — and what it means under the FDA’s QMSR — is the difference between a QMS that holds up under inspection and one that doesn’t.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

📋 Free Download: ISO 13485 Gap Assessment Checklist Identify your compliance gaps before your first audit — 64 items across 7 sections including ISO 14971 risk management integration and all four FDA QMSR bridge requirements. Download Free Checklist

ISO 13485 Tells You to Manage Risk. ISO 14971 Tells You How.

That single sentence is the most important thing to understand about the relationship between these two standards — and it’s the part most manufacturers either misread or oversimplify.

ISO 13485:2016 is a quality management system standard. It requires risk-based thinking throughout the QMS — in design and development planning, production controls, supplier controls, complaint handling, and post-market surveillance. It references ISO 14971 in a note to Clause 7.1. But it does not specify how risk management must be conducted. It tells you risk management is required. ISO 14971 tells you how to do it.

ISO 14971:2019 is a risk management standard. It provides the structured framework — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, risk management review, and post-production monitoring — that gives ISO 13485’s risk management requirements their practical content.

Together they form the twin pillars of medical device quality and safety assurance. Neither is complete without the other for a manufacturer operating in any major regulated market. And under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, the relationship between the two standards now carries federal regulatory weight.

In This Guide

What ISO 13485 covers and what it requires on risk
What ISO 14971 covers and what it adds
The key differences between the two standards
The precise points where ISO 13485 references ISO 14971
The important nuance about whether ISO 14971 is truly mandatory
How the FDA QMSR changes the practical answer to that question
How to implement both standards together
Which standard to buy first and why
Frequently asked questions

✅ Start Here (Top Resources)

📋 Buy ISO 13485:2016 (official standard) → ANSI Webstore — ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.

📋 Buy ISO 14971:2019 (required companion) → ANSI Webstore — Purchase both standards together for maximum savings. Use coupon CC2026 for 5% off.

📋 Save buying both standards → ISO Standards Bundles — Up to 50% Off — Purchasing ISO 13485 and ISO 14971 as a bundle through the ANSI Webstore saves significantly compared to individual purchases.

📋 Get ISO 13485 trained before implementation → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

📋 Get ISO 13485 certified → ISOQAR ISO 13485 Certification — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.

What Is ISO 13485?

Medical device quality management infographic showing ISO 13485 certification concept with medical equipment and headline “What Is ISO 13485? Complete Guide (2026)”. — ISO 13485 defines the quality management system requirements for medical device manufacturers, focusing on regulatory compliance, risk management, and consistent product quality.

ISO 13485:2016 is the international standard for quality management systems specific to the medical device industry. It specifies requirements for a QMS that enables an organization to consistently design, develop, produce, and deliver safe and effective medical devices and related services.

ISO 13485 is used as the baseline QMS framework by regulatory authorities and certification bodies in most major medical device markets — including Health Canada, the EU MDR, MDSAP, and since February 2, 2026, the FDA’s QMSR under 21 CFR Part 820.

ISO 13485 covers the full scope of quality management system requirements:

Context of the organization and QMS scope
Management responsibility, quality policy, and management review
Resource management — personnel, infrastructure, and work environment
Product realization — design and development, purchasing, production, and service provision
Measurement, analysis, and improvement — internal audits, complaint handling, CAPA, and corrective action

What ISO 13485 requires on risk: ISO 13485 requires risk-based thinking throughout the quality management system. Risk management must be planned as part of product realization (Clause 7.1), integrated into design and development (Clause 7.3), applied to supplier controls (Clause 7.4), and fed by post-market surveillance feedback (Clause 8.2). The standard references ISO 14971 explicitly in its Clause 7.1 note and implicitly throughout its design and development requirements.

What ISO 13485 does not do is specify the methodology for risk management. It does not define how to identify hazards, estimate risks, evaluate acceptability, or control residual risk. That is what ISO 14971 does.

For a complete overview of ISO 13485 requirements, see What Is ISO 13485? Complete Guide.

What Is ISO 14971?

ISO 14971:2019 is the international standard for the application of risk management to medical devices. It provides the structured methodology — terminology, principles, and process — for identifying hazards, estimating and evaluating risks, implementing risk controls, and monitoring risk throughout the entire device lifecycle.

ISO 14971 covers:

Risk management planning — scope, lifecycle phases, risk acceptability criteria
Hazard identification — under both normal use and fault conditions
Risk estimation — probability of harm and severity of harm
Risk evaluation — comparison against acceptability criteria
Risk control — priority order: design, protective measures, information for safety
Evaluation of overall residual risk — including benefit-risk analysis where required
Risk management review — pre-release review with identified reviewers
Production and post-production information — systematic feedback into the risk management file

What ISO 14971 adds beyond ISO 13485: While ISO 13485 says risk management is required throughout the QMS, ISO 14971 specifies exactly how that risk management must be structured, documented, and maintained. The Risk Management File (RMF) — the central documentation output of the ISO 14971 process — is the evidence base that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored effectiveness.

For a complete overview of ISO 14971 requirements, see What Is ISO 14971? Risk Management for Medical Devices Explained.

ISO 14971 vs ISO 13485 — Key Differences

Element	ISO 13485:2016	ISO 14971:2019
Standard type	Quality management system standard	Risk management standard
Purpose	Define QMS requirements for medical device manufacturers	Define the risk management process for medical devices
Scope	Entire quality management system	Risk management specifically
Risk coverage	Requires risk-based thinking throughout QMS	Specifies how risk management must be conducted
Key output	Certified, compliant QMS	Risk Management File (RMF)
Certification	Certifiable — third-party certification available	Not certifiable on its own
Published by	ISO Technical Committee 210 (ISO/TC 210)	ISO Technical Committee 210 (ISO/TC 210)
Current edition	ISO 13485:2016	ISO 14971:2019
Applies to	Manufacturers, suppliers, contract manufacturers	All organizations involved in device lifecycle
Risk methodology	Not specified	Six-step structured process
Hazard analysis	Referenced but not detailed	Defined in detail
Risk Management File	Not specified	Required
Benefit-risk analysis	Not addressed	Required when overall residual risk is unacceptable
Post-production monitoring	Addressed through complaint handling and feedback	Explicitly required as ongoing RMF input
QMSR status	Incorporated by reference into 21 CFR Part 820	Expected framework; referenced through ISO 13485

Best for:

ISO 13485: Any organization that designs, manufactures, or supplies medical devices and needs a certified quality management system
ISO 14971: The same organizations — it provides the risk management methodology that ISO 13485’s requirements assume is in place

Where ISO 13485 References ISO 14971

Infographic mapping ISO 13485 clauses to corresponding ISO 14971 risk management requirements, showing how quality management processes trigger risk management activities across the medical device lifecycle. — ISO 13485 establishes quality system requirements, while ISO 14971 provides the risk management framework that connects planning, design, purchasing, feedback, and improvement activities throughout the medical device lifecycle.

ISO 13485 references ISO 14971 at specific points throughout its clause structure. Understanding exactly where these references occur is critical for building a compliant integrated system.

Clause 7.1 — Planning of Product Realization

Clause 7.1 requires that risk management activities be planned as part of product realization. The note to this clause states: “Further information can be found in ISO 14971.” This is the most direct reference to ISO 14971 in the standard.

Clause 7.3 — Design and Development

The design and development requirements of ISO 13485 are where ISO 14971 integration is most intensive. Design inputs must include risk management outputs. Design verification and validation activities must address risks. The Design and Development File (DDF) must reference risk management records.

Clause 7.4 — Purchasing

ISO 13485 Clause 7.4 requires that purchasing controls be proportionate to the risk the external provider poses to the finished device. The extent of supplier qualification, incoming inspection, and monitoring is determined by risk — which requires a risk framework to apply.

Clause 8.2 — Monitoring and Measurement

Post-market surveillance and complaint handling data collected under Clause 8.2 must feed back into the risk management process. ISO 14971 Clause 11 (Production and Post-Production Information) specifies how this information must be systematically reviewed and how it triggers updates to the Risk Management File.

Clause 8.5 — Improvement

CAPA activities under Clause 8.5 must consider risk. Significant quality failures identified through corrective action must evaluate whether the risk management file needs to be updated — connecting the two standards at the improvement level of the QMS.

At this point, most organizations beginning ISO 13485 implementation should:

📋 Purchase both ISO 13485:2016 and ISO 14971:2019 together as a bundle — the clause-by-clause integration means implementing one without the other creates immediate documentation gaps that auditors will identify.

→ ISO Standards Bundle — ANSI Webstore — Save up to 50% purchasing both standards together

Is ISO 14971 Actually Mandatory Under ISO 13485?

This is one of the most debated questions in the medical device quality community, and the honest answer is more nuanced than most articles present.

The technical answer: ISO 14971 is not formally mandated by ISO 13485. The reference in Clause 7.1 is a note — informative guidance, not a normative requirement. A manufacturer could theoretically implement a risk management process using a different methodology and still demonstrate conformance to ISO 13485’s risk-based requirements.

The practical answer: In the real world, ISO 14971 is effectively mandatory for any organization pursuing ISO 13485 certification or operating in regulated markets. Here’s why:

Certification bodies expect it. When a UKAS-accredited certification body audits your ISO 13485 QMS, the auditors evaluating your risk management program will be assessing it against the ISO 14971 framework — because that is the internationally recognized methodology for medical device risk management. A risk management program that doesn’t follow ISO 14971’s structure will face significant findings regardless of the technical argument about normative versus informative references.

Regulatory bodies reference it. The EU MDR, Health Canada, TGA, and MDSAP all reference ISO 14971 as the expected risk management framework. Operating without it creates regulatory exposure in every major market.

FDA QMSR changes the equation significantly — which brings us to the most important development of 2026.

The QMSR Changes the Practical Answer

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820. Since ISO 13485 explicitly references ISO 14971, that reference now carries federal regulatory weight.

Under the FDA’s new inspection program — Compliance Program 7382.850 — FDA investigators are expected to start inspections by reviewing the risk management file and following risk documentation into other quality system areas. The risk management file is the inspection roadmap. If your risk management program is not structured against ISO 14971, your risk management file will not hold up under that inspection approach.

Additionally, the QMSR extended risk management expectations beyond design controls — where the old QSR concentrated them — to the entire quality system. This is precisely what ISO 14971 requires: risk management planning, hazard identification, risk control, and post-production monitoring integrated across the device lifecycle, not just in the design phase.

The bottom line under QMSR: Whether or not ISO 14971 is technically mandatory in the normative sense of ISO 13485, it is the framework FDA investigators will use to evaluate your risk management program. Operating without it under the current inspection regime is an inspection liability.

⚠️ QMSR effective February 2, 2026: If your risk management program is not built on the ISO 14971 framework, this is your highest-priority gap for QMSR compliance.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide.

How the Two Standards Work Together in Practice

The integration of ISO 13485 and ISO 14971 is not a separate parallel process — it is woven into how the QMS functions. Here is how the two standards interact at each stage of the device lifecycle:

Concept and Planning Stage

ISO 13485 Clause 7.1 requires risk management to be planned as part of product realization. ISO 14971 provides the Risk Management Plan — the document that defines scope, lifecycle phases, risk acceptability criteria, and the methods that will be used throughout the device’s life.

Design and Development

ISO 13485 Clause 7.3 requires design inputs to include risk management outputs and design outputs to be reviewed against inputs. ISO 14971 provides hazard identification and risk analysis — the outputs of which flow directly into design input requirements, design verification criteria, and design validation protocols.

Purchasing and Supplier Controls

ISO 13485 Clause 7.4 requires supplier controls proportionate to supplier risk. ISO 14971’s risk framework defines what “risk” means in this context — the severity and probability of harm that could result from supplier failures. Risk level drives supplier classification, incoming inspection intensity, and qualification requirements.

Production

ISO 13485 Clause 7.5 requires controlled production conditions and validation of special processes. Risk management under ISO 14971 determines which processes require validation (those where outputs cannot be fully verified) and what monitoring is required during production.

Post-Market Surveillance and CAPA

ISO 13485 Clause 8.2 requires systematic collection of post-market information. ISO 14971 Clause 11 requires that production and post-production information be systematically reviewed and fed back into the risk management file. When complaint data or CAPA findings reveal new hazards or indicate that risk estimates were incorrect, the Risk Management File must be updated.

This is where the most common gap exists in practice: organizations that treat risk management as a design-phase deliverable and do not maintain the connection between post-market data and the risk management file. Under QMSR, this gap is visible to FDA investigators within the first day of an inspection.

📋 Free Download: ISO 13485 Gap Assessment Checklist Section 6 covers ISO 14971 risk management integration specifically — risk management plan requirements, RMF structure and completeness, post-production feedback, and QMSR inspection implications. Download Free Checklist

The Risk Management File — Where They Intersect Most Clearly

Infographic comparing ISO 9001 risk-based thinking with ISO 13485 and ISO 14971 medical device risk management requirements using an integrated Venn diagram layout. — Both standards require risk management — but the depth and formality differ significantly. ISO 9001 uses general risk-based thinking, while ISO 13485 requires formal medical device risk management aligned with ISO 14971 throughout the product lifecycle.

The Risk Management File (RMF) is the single most important integration point between ISO 13485 and ISO 14971. It is the documentation output of the ISO 14971 process, and it is the record that connects risk management to every other element of the ISO 13485 QMS.

The RMF is not a single document. It is an organized collection of records that includes:

Risk Management Plan — scope, lifecycle phases, acceptability criteria, methodology
Risk analysis records — hazard identification, risk estimation
Risk evaluation records — comparison against acceptability criteria
Risk control records — selected measures, implementation records, verification
Overall residual risk evaluation — benefit-risk analysis where required
Risk Management Review — pre-release review with identified reviewers
Post-production information records — systematic review of real-world performance data

Under ISO 13485, the DDF (Design and Development File) must contain or reference risk management records. Under the QMSR and CP 7382.850, the RMF is where FDA investigators begin their inspection — tracing risk documentation into design controls, CAPA, complaint handling, and post-market surveillance.

A Risk Management File that was completed at device release and has not been updated since is one of the most common and most significant findings under the current inspection approach. The RMF is a living document. It must be updated throughout the device’s commercial life as post-production information is gathered and evaluated.

If your organization is already ISO 13485 certified and is assessing QMSR readiness, the current state of your Risk Management File is the single most important thing to evaluate first.

At this point, most organizations preparing for QMSR inspection should:

📋 Conduct a formal review of whether your Risk Management File has been updated since device release — and whether post-market complaint and CAPA data is systematically feeding into it. This is the highest-frequency inspection gap under CP 7382.850.

From the Shop Floor

After 25 years in heavy industrial manufacturing and quality systems, the most consistent pattern I see when organizations implement both ISO 13485 and ISO 14971 is this: they implement risk management well during design and development, and then they stop.

The Risk Management File is completed before device release. The risk management review is signed off. The certification audit passes. And then for the next three years, every complaint, every CAPA, every production nonconformance is handled in its own system — with no connection back to the risk management file that is supposed to be the living record of everything known about how the device can cause harm.

Three years later, an FDA investigator arrives under CP 7382.850 with the risk management file as their starting point. They trace a complaint about device malfunction into the CAPA system. They find a corrective action that was opened and closed. They look for the connection back to the risk management file — the evaluation of whether this complaint revealed a new hazard or indicated that an existing risk estimate was incorrect. The connection doesn’t exist.

That is not an ISO 13485 finding. It is not an ISO 14971 finding. It is a QMSR finding, because under the QMSR that connection is an expected element of a functioning integrated quality and risk management system.

The organizations that handle this well are the ones that treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. Post-market data goes into the RMF review process because the system requires it, not because an investigator asked for it.

That is what the integration of ISO 13485 and ISO 14971 is supposed to produce. It is also what separates manufacturers who pass inspections from those who merely survive them.

Which Standard Do You Buy First?

Both ISO 13485 and ISO 14971 are required for any serious medical device quality management implementation. The practical question is which to acquire and read first.

Buy ISO 13485 first if your organization is beginning the certification journey. ISO 13485 defines the overall QMS framework — understanding its requirements first gives you the context for understanding where and why ISO 14971 integrates.

Buy ISO 14971 immediately after — or together as a bundle. You cannot build a compliant risk management program from summaries or paraphrases. Both standards must be purchased, controlled as external documents within your QMS (as required under QMSR), and read by the people building your system.

For a complete overview of available medical device standards, see the Standards Library — Medical Devices Section.

The bundle option saves significantly. The ANSI Webstore offers the ISO 13485 and ISO/TR 14969 Quality Management Systems Medical Devices Package which includes both documents together at a meaningful discount versus individual purchases.

📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

📋 ISO Standards Bundle — Save up to 50%

Frequently Asked Questions

What is the main difference between ISO 14971 and ISO 13485?

ISO 13485 is a quality management system standard that defines what a medical device manufacturer’s QMS must cover — including the requirement that risk management be applied throughout the system. ISO 14971 is a risk management standard that defines how risk management must be conducted — the six-step process, the required documentation, and the Risk Management File structure. ISO 13485 requires risk management. ISO 14971 specifies how to do it.

Is ISO 14971 required if you have ISO 13485?

ISO 14971 is not formally mandated by ISO 13485’s normative requirements — the reference in Clause 7.1 is a note, not a normative requirement. However, certification bodies evaluate risk management programs against the ISO 14971 framework, and under the FDA’s QMSR (effective February 2, 2026), risk management expectations now carry federal regulatory weight. For practical purposes, ISO 14971 is effectively required for any organization pursuing ISO 13485 certification or operating in regulated markets.

Can you be certified to ISO 14971?

No. ISO 14971 is not a certifiable standard — there is no third-party certification to ISO 14971 itself. ISO 13485 is the certifiable standard. However, ISO 13485 certification implicitly requires that risk management is conducted in a way consistent with ISO 14971, since that is the framework certification bodies evaluate against.

Which came first — ISO 13485 or ISO 14971?

Both standards have long histories. ISO 14971 was first published in 2000, with major revisions in 2007 and 2019. ISO 13485 was first published in 1996, revised in 2003, and again in 2016. The 2016 edition of ISO 13485 was developed with the intent of aligning more closely with the 2012 draft of ISO 14971, ensuring stronger integration between the two standards.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). The companion document ISO/TR 24971 provides specific guidance on applying ISO 14971 to software, including cybersecurity risk considerations.

How does the QMSR affect the relationship between ISO 13485 and ISO 14971?

The QMSR (effective February 2, 2026) incorporated ISO 13485 by reference into 21 CFR Part 820. Since ISO 13485 references ISO 14971, that reference now carries federal regulatory weight. FDA investigators under the new Compliance Program 7382.850 start inspections with the risk management file — which is the primary output of the ISO 14971 process. The QMSR also extended risk management expectations across the entire QMS rather than concentrating them in design controls as the old QSR did.

What is the Risk Management File and which standard requires it?

The Risk Management File (RMF) is the organized collection of records that documents all risk management activities for a specific medical device — risk management plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. It is required by ISO 14971, not ISO 13485 directly. However, under ISO 13485, the Design and Development File must contain or reference risk management records — and under the QMSR, the RMF is what FDA investigators use as their inspection roadmap.

Do I need ISO/TR 24971 as well?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, and software risk management. Unlike ISO 14971, it is guidance rather than a standard with requirements. For organizations building or rebuilding their risk management program, ISO/TR 24971 is a valuable implementation companion. It is not required, but it is practically useful.

How does ISO 14971 differ from ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk in terms of patient harm — the combination of probability and severity of harm to people. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives. The two are not interchangeable in the medical device context. ISO 14971 is the expected framework for medical device risk management. ISO 31000 is not.

✅ Free Resources

📋 ISO 13485 Gap Assessment Checklist — 64 items across 7 sections including ISO 14971 risk management integration requirements and all four FDA QMSR bridge requirements. Identify your gaps before your first audit.

📋 Manufacturing Compliance Checklist — ISO 9001, 14001, 45001 & OSHA — 50 items with gap scoring across all compliance systems.

📋 Supplier Quality Checklist — ISO 9001 Clause 8.4 — all supplier controls auditors evaluate, 45 items with scoring.

📋 ISO 9001 Implementation Roadmap — The exact 5-phase process from gap assessment to Stage 2 audit clearance.

Not Sure What to Do Next?

✅ You need the official ISO 13485:2016 standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You need the official ISO 14971:2019 standard 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying both standards together 📋 ISO Standards Bundle — ANSI Webstore — Save up to 50%

✅ You want to identify your ISO 13485 and QMSR compliance gaps before spending anything 📋 Download the Free ISO 13485 Gap Assessment Checklist

✅ You need ISO 13485 training before implementation 📋 ISO 13485 Training — BSI Group

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? Complete Guide

✅ You want to understand what ISO 14971 requires 📋 What Is ISO 14971? Risk Management for Medical Devices

✅ You want to understand the FDA QMSR and its impact 📋 FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide

✅ You want to compare ISO 9001 and ISO 13485 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Guide 📋 How Much Does ISO 13485 Cost?

✅ You want to browse all available medical device standards 📋 Standards Library — Medical Devices & Regulated Manufacturing 📋 Popular Standards — Most Frequently Purchased

Still Figuring Out Where to Start?

If you’re not ready to purchase or certify yet — that’s normal. ISO 13485 and ISO 14971 implementation decisions typically take three to six months from first research to commitment.

The best next step for most organizations at this stage:

📋 Download the free ISO 13485 Gap Assessment Checklist — it covers all 64 clause requirements including the ISO 14971 integration section and the four QMSR bridge requirements. It takes 30 minutes and tells you exactly where your gaps are before you spend anything.

Download Free Checklist — No Cost

ISO 13485 and ISO 14971 Are Not Optional to Each Other

ISO 13485 tells you risk management is required across your quality management system. ISO 14971 tells you how to conduct it. One without the other produces either a QMS with undefined risk methodology or a risk management program without a quality system framework to integrate it.

Under the FDA’s QMSR, effective February 2, 2026, that integration is no longer just a best practice — it is what federal regulatory inspection expects. FDA investigators start with the risk management file. They follow it into design controls, CAPA, complaint handling, and post-market surveillance. A quality management system that treats risk management as a design-phase deliverable rather than a lifecycle discipline will not hold up under that inspection approach.

The organizations that get this right are the ones that treat the Risk Management File as a living operational document — not a certification artifact. They update it because post-market data flows into it systematically. They connect CAPA to it because the system requires the connection. They identify new hazards from real-world performance data because that is what ISO 14971 Clause 11 requires and what QMSR now enforces.

That is what implementing both standards properly actually produces.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

What Is ISO 14971? Risk Management for Medical Devices Explained (2026 Guide)

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. This guide covers what ISO 14971:2019 requires clause by clause, how its six-step process works across the device lifecycle, what changed in the 2019 edition, and why the FDA’s QMSR makes a well-maintained Risk Management File more critical than ever.

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. Here’s what it requires, how it works, and why the FDA’s QMSR makes understanding it more important than ever.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

From the Shop Floor

Risk management in manufacturing is not a new concept. Every process engineer who has ever run a failure modes and effects analysis on a production line understands the core logic: identify what can go wrong, estimate how likely it is and how bad it would be, put controls in place, and verify those controls work.

What ISO 14971 adds to that foundation is structure, lifecycle scope, and documentation discipline.

After 25 years in heavy industrial manufacturing — including quality systems, process control, and operational risk — the single most consistent gap I see in medical device risk management is the treatment of the Risk Management File as a design-phase deliverable rather than a living operational document. Teams build an impressive RMF during product development, get through their certification audit, and then let the file sit static while the real world generates new information about how the device actually performs.

That approach worked well enough under the old QSR. It does not work under the QMSR.

FDA investigators under CP 7382.850 are not looking at your RMF to confirm it was done — they are using it as a roadmap to evaluate whether your entire quality system is functioning as an integrated risk management framework. A risk management file that hasn’t been updated since device release is not a minor documentation gap. It is evidence that your risk management process is not integrated with complaint handling, CAPA, and post-market surveillance the way the QMSR requires.

The organizations I have seen handle this well treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. If post-market data is generating complaints, those complaints are being evaluated in the context of the risk management file every quarter. That is the operating model QMSR expects.

ISO 14971 Is the Standard Your QMS Is Already Required to Implement

If you are pursuing ISO 13485 certification, operating under the FDA’s QMSR, or manufacturing medical devices for any major regulated market, ISO 14971 is not a standard you get to choose whether to implement.

ISO 13485:2016 explicitly requires risk management per ISO 14971 throughout the medical device lifecycle — in design controls, production processes, supplier controls, complaint handling, and post-market surveillance. Under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, that requirement now carries federal regulatory weight. FDA investigators under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap.

Yet despite being one of the most referenced standards in medical device regulation, ISO 14971 remains one of the least understood. Most manufacturers know it exists. Far fewer understand what it actually requires, how its six-step process works across the device lifecycle, or why the 2019 edition introduced changes that many organizations still haven’t fully implemented.

This guide covers all of it — what ISO 14971 is, what it requires clause by clause, how it integrates with ISO 13485 and the QMSR, and what your risk management program needs to look like in practice.

In This Guide

What ISO 14971 is and why it exists
Who needs ISO 14971
The six-step ISO 14971 risk management process
Key clause-by-clause breakdown
What changed in the 2019 edition
The Risk Management File — what it contains and how it’s structured
ISO 14971 and ISO 13485 — how they integrate
ISO 14971 under the FDA QMSR
ISO/TR 24971 — the companion guidance document
How to buy the official standard
Frequently asked questions

✅ Start Here (Top Resources)

📋 Purchase the official ISO 14971:2019 standard → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

📋 Purchase the official ISO 13485:2016 standard — required companion → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 Save up to 50% buying both standards as a bundle → ISO Standards Packages — ANSI Webstore

📋 Get ISO 13485 training that covers ISO 14971 integration → BSI Group ISO 13485 Training

📋 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification

What Is ISO 14971?

ISO 14971 is the international standard for the application of risk management to medical devices. The current version — ISO 14971:2019 — is the third edition, published in December 2019. It specifies the terminology, principles, and a structured process for identifying hazards associated with medical devices, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of controls throughout the entire device lifecycle.

The standard applies to:

Physical medical devices of all classifications
Software as a Medical Device (SaMD)
In vitro diagnostic (IVD) medical devices
Combination products where the device constituent part requires risk management

Before ISO 14971, there was no universally accepted methodology for risk management in the medical device industry. Different manufacturers used different approaches, different terminology, and different standards for what constituted acceptable risk. ISO 14971 introduced a standardized process that could be consistently applied across the industry globally — giving regulators, certification bodies, and trading partners a shared framework for evaluating whether a manufacturer’s risk management is adequate.

Risk, as defined by ISO 14971, is the combination of two components:

The probability that harm will occur
The severity of that harm

This definition is important because it shapes the entire risk management process. A high-severity potential harm that is extremely unlikely to occur produces a different risk level than a moderate-severity harm that occurs frequently. ISO 14971 requires manufacturers to evaluate both dimensions systematically — not rely on intuition or experience alone.

Who Needs ISO 14971?

ISO 14971 is effectively required for any organization involved in the medical device supply chain. Specifically:

Organizations that must implement ISO 14971:

Medical device manufacturers — it is explicitly required by ISO 13485 and referenced throughout FDA QMSR, EU MDR, Health Canada, TGA (Australia), and most other major regulatory frameworks
Design-responsible organizations developing medical devices or device software
Contract manufacturers producing devices under a design owner’s technical file

Organizations that should implement ISO 14971:

Component suppliers whose products are incorporated into medical devices — risk management requirements are increasingly flowed down through quality agreements
Software developers producing SaMD or software incorporated into medical devices
Sterilization service providers — sterilization process risk must be managed within the device’s overall risk management framework

A critical distinction: ISO 14971 is not legally mandated in the same way a regulation is — regulators like the FDA do not list it as a statutory requirement. However, regulators worldwide recognize ISO 14971 as the state of the art for medical device risk management. Non-conformance with ISO 14971 — or the absence of a risk management program built on its framework — creates significant regulatory exposure. For practical purposes, ISO 14971 is mandatory for any organization intending to demonstrate that their device is safe and effective.

The ISO 14971 Risk Management Process — Six Steps

Infographic illustrating the six-step ISO 14971 medical device risk management process: Risk Analysis, Risk Evaluation, Risk Control, Overall Residual Risk, Risk Management Review, and Post-Production Information. — The six-step ISO 14971 risk management process creates a structured lifecycle approach for identifying hazards, controlling risks, evaluating residual risk, and continuously improving medical device safety.

ISO 14971 defines a six-step risk management process that applies across the entire device lifecycle — from initial concept through design, production, and post-market activities.

Step 1 — Risk Analysis

Risk analysis is the systematic use of available information to identify hazards and estimate the risks associated with a medical device. It consists of two activities:

Hazard identification: Identifying all reasonably foreseeable hazards associated with the device under both normal use conditions and fault conditions. The 2019 edition specifically requires both normal and fault conditions to be considered — a change from the 2007 edition which emphasized fault conditions primarily.

Sources of hazards include:

Device energy sources (electrical, thermal, mechanical, radiation)
Device materials and their biological interactions
Use environment and user characteristics
Reasonably foreseeable misuse
Software failures and cybersecurity vulnerabilities
Interactions with other devices

Risk estimation: For each hazardous situation identified, estimating the risk by determining the probability of occurrence of harm and the severity of that harm. ISO 14971 does not specify acceptable risk levels — manufacturers must establish their own objective criteria based on regulatory requirements, industry standards, and clinical context.

Step 2 — Risk Evaluation

Risk evaluation is the process of comparing estimated risks against the manufacturer’s defined risk acceptability criteria to determine whether risk reduction is required. If the estimated risk exceeds acceptable levels, the process moves to risk control. If the risk is within acceptable limits, it is documented as acceptable residual risk and monitored.

Step 3 — Risk Control

Risk control is the process of implementing and verifying measures to reduce risks that exceed acceptable levels. ISO 14971 requires risk control measures to be implemented in a defined priority order:

Inherent safety by design — eliminate or reduce hazards through design decisions (preferred)
Protective measures — guards, alarms, interlocks in the device or manufacturing process
Information for safety — warnings, instructions for use, training requirements (last resort)

After implementing risk control measures, the residual risk — the risk remaining after controls — must be estimated and evaluated again. The process is iterative: if residual risk is still unacceptable, additional risk control measures must be implemented.

Risk control measures must also be evaluated for introduced risks — a control measure that eliminates one hazard may introduce a new one.

Step 4 — Evaluation of Overall Residual Risk

After all individual risks have been addressed, the overall residual risk of the device must be evaluated — not just each individual risk in isolation. If the overall residual risk is not acceptable using the manufacturer’s risk acceptability criteria, a benefit-risk analysis must be performed.

Benefit-risk analysis (introduced as a formal requirement in the 2019 edition) evaluates whether the clinical benefits of the device outweigh the overall residual risk in the context of the device’s intended use. If the benefits outweigh the risks, and appropriate information is provided to users, the device may be released. If the benefits do not outweigh the risks, the device cannot be released — additional risk control measures are required.

Step 5 — Risk Management Review

Before a device is released for distribution, a formal risk management review must be completed. The 2019 edition changed the title of this clause from “Risk Management Report” to “Risk Management Review” — a deliberate signal that this is an active review activity, not simply a summary document.

The review must confirm:

The risk management plan has been fully implemented
The overall residual risk is acceptable
Appropriate methods are in place to collect and review production and post-production information

Reviewers must be identified in the risk management plan in advance — they cannot be appointed after the fact.

Step 6 — Production and Post-Production Information

Risk management does not end when the device is released. ISO 14971 requires a systematic process for collecting and reviewing information from production and post-market activities throughout the device’s commercial life. This includes:

Complaint data and adverse event reports
Post-market surveillance information
Production nonconformances and CAPA trends
New scientific and technical information relevant to device safety

When this information indicates that the risk management process needs to be updated — that a new hazard has been identified, or that an existing risk estimate was incorrect — the risk management file must be revised and risk control measures re-evaluated.

ISO 14971 Clause-by-Clause Breakdown

Clause	Title	Key Content
1	Scope	Applicability to all medical devices, SaMD, IVDs, combination products
2	Normative references	ISO 9000:2015 for defined terms
3	Terms and definitions	31 defined terms including risk, hazard, harm, hazardous situation, benefit
4	General requirements	Risk management system requirements, management responsibilities, competence requirements
5	Risk management planning	Risk management plan requirements — device scope, lifecycle phases, risk acceptability criteria
6	Risk analysis	Intended use, hazard identification, risk estimation
7	Risk evaluation	Comparison to acceptability criteria, benefit-risk analysis (Clause 7.4)
8	Risk control	Control option analysis, measure implementation, residual risk evaluation, introduced risks
9	Evaluation of overall residual risk	Overall residual risk acceptability, benefit-risk if needed
10	Risk management review	Pre-release review requirements, reviewer identification
11	Production and post-production activities	Information collection, new hazard identification, risk file updates

What Changed in ISO 14971:2019

The 2019 edition is the third edition of ISO 14971, replacing the 2007 version. Several changes have practical implementation implications:

Benefit-risk analysis is now a formal requirement. The 2019 edition formally introduced benefit-risk analysis as a defined process step (Clause 7.4) when overall residual risk is not acceptable under the manufacturer’s criteria alone. The 2007 edition referenced this concept but did not treat it as a structured requirement. The FDA’s influence here is direct — the FDA revised its language to place “benefit” before “risk” for novel device submissions, and the ISO 14971 committee adopted this framing in the 2019 revision.

Both normal and fault conditions must be analyzed. Clause 5.4 of the 2019 edition explicitly requires identification of anticipated hazards under both normal use and fault conditions. The 2007 edition emphasized fault conditions — the 2019 edition closes that gap. This has direct implications for FMEA and hazard analysis documentation.

Post-production requirements are more prescriptive. The requirements for production and post-production information collection (Clause 11) are more detailed in the 2019 edition, with stronger emphasis on systematic feedback of real-world performance data into the risk management file.

Risk Management Review replaces Risk Management Report. The title change in Clause 9 (from “report” to “review”) reflects a substantive intent: the activity must be an active review with identified reviewers, not a passive summary document compiled at device release.

EN ISO 14971:2019 + A11:2021 for EU MDR. The European version of the standard includes Amendment A11:2021, which maps ISO 14971 requirements to the General Safety and Performance Requirements (GSPR) of the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). Organizations selling into the EU need the A11 annex — organizations selling only in the U.S. do not, but the normative requirements are identical in both versions.

The Risk Management File

The Risk Management File (RMF) is the central documentation output of the ISO 14971 process. It is the organized collection of records that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored the effectiveness of those controls throughout the device lifecycle.

The RMF is not a single document. It is a defined collection of records that includes:

Risk Management Plan (RMP): Defines the scope of risk management activities, the lifecycle phases covered, the risk acceptability criteria, the risk estimation methodology, and the verification activities planned
Risk Analysis records: Hazard identification outputs, risk estimation records, FMEA or other analysis tool outputs
Risk Evaluation records: Comparison of estimated risks against acceptability criteria
Risk Control records: Selected control measures, implementation records, verification that controls achieved their intended risk reduction, evaluation of introduced risks
Overall Residual Risk evaluation: Documentation of the overall residual risk assessment and benefit-risk analysis if required
Risk Management Review: Pre-release review record with identified reviewers
Post-Production information records: Systematic records of production and post-market information reviewed against the risk management file

A common audit finding is a Risk Management File that functions as a static document compiled at device release — rather than a living record updated throughout the device’s commercial life as post-production information is gathered. Under the QMSR, FDA investigators start inspections with the risk management file. A static RMF that hasn’t been updated since initial device release is a significant inspection vulnerability.

Feature image promoting an ISO 13485 Gap Assessment Checklist for medical device manufacturers, contract manufacturers, and component suppliers preparing for certification and FDA QMSR compliance. — ISO 13485 Gap Assessment Checklist designed to help medical device manufacturers identify compliance gaps, prioritize actions, and prepare for certification and FDA QMSR requirements.

📋 How does your risk management program measure up? Section 6 of the free ISO 13485 Gap Assessment Checklist covers ISO 14971 integration specifically — risk management plan requirements, RMF structure, post-production feedback, and the QMSR inspection implications. Download Free Checklist

ISO 14971 and ISO 13485 — How They Integrate

ISO 14971 and ISO 13485 are companion standards — not alternatives. ISO 13485 is the quality management system framework. ISO 14971 is the risk management framework that ISO 13485 requires to be implemented throughout that QMS.

ISO 13485 references ISO 14971 in multiple clauses:

Clause 7.1 — Planning of product realization: Risk management activities must be planned as part of product realization
Clause 7.3 — Design and development: Risk management must be integrated throughout design and development activities
Clause 7.4 — Purchasing: Supplier controls must reflect risk — suppliers of higher-risk components require more rigorous qualification
Clause 8.2.1 — Feedback: Post-market feedback must be evaluated in the context of risk management
Clause 8.5 — Improvement: CAPA and continual improvement activities must consider risk management outputs

ISO 14971 is not optional supplementary guidance for ISO 13485. Organizations implementing ISO 13485 must purchase and implement ISO 14971. It is an external document that must be controlled under ISO 13485 Clause 4.2.4 — registered, version-controlled, and accessible to relevant personnel.

For a complete comparison of how ISO 13485 and risk management requirements interact, see ISO 9001 vs ISO 13485 — Key Differences.

📋 Buy ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

ISO 14971 Under the FDA QMSR

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820 — and with it, ISO 13485’s explicit requirement for risk management per ISO 14971.

Under QMSR, several specific changes elevate the practical importance of ISO 14971:

Risk management now extends across the entire QMS. Under the old QSR, risk management was concentrated primarily in design controls. Under QMSR, risk-based thinking is required throughout the entire quality system — supplier controls, production processes, CAPA, complaint handling, and post-market surveillance. ISO 14971 is the expected framework for implementing this expanded risk management scope.

FDA investigators start inspections with the risk management file. Under Compliance Program 7382.850 — the new inspection program that replaced QSIT on February 2, 2026 — FDA investigators are expected to begin inspections by reviewing the risk management file and following risk documentation into other quality system areas. A well-maintained, current risk management file is inspection preparation. An incomplete or static risk management file is an inspection liability.

Post-market surveillance feeds the risk management file. The QMSR’s requirements for production and post-production information — complaint handling, MDR, field corrections — are expected to feed systematically into the risk management file. Organizations that maintain complaint handling and risk management as separate, unconnected systems have a QMSR gap.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485: The Complete QMSR Transition Guide.

ISO/TR 24971 — The Companion Guidance Document

ISO/TR 24971:2020 is the technical report published as a companion to ISO 14971:2019. Unlike ISO 14971, which is a normative standard (its requirements are mandatory for certification purposes), ISO/TR 24971 is guidance — it does not add requirements but provides practical methodology for implementing ISO 14971’s requirements.

ISO/TR 24971:2020 covers:

Guidance on risk management planning
Practical methods for hazard identification and risk estimation
Guidance on benefit-risk analysis
Application of risk management to software
Application of risk management to usability and human factors
Guidance on production and post-production information processes

For organizations building or rebuilding their risk management program, ISO/TR 24971 is the practical implementation companion to ISO 14971’s requirements. Many experienced quality and regulatory professionals recommend reading both together.

📋 ISO/TR 24971:2020 — ANSI Webstore — use coupon CC2026 for 5% off

How to Buy ISO 14971

ISO 14971 is a copyrighted document and must be purchased from an authorized source. It cannot be legally downloaded for free.

ANSI Webstore — Recommended U.S. Source

The ANSI Webstore is the authorized U.S. distributor for ISO standards. ISO 14971:2019 is available in PDF format with immediate download after purchase.

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

Bundle with ISO 13485 — Save Up to 50%

Organizations implementing ISO 13485 need both standards. Purchasing as a bundle through the ANSI Webstore saves significantly compared to individual purchases.

📋 ISO Standards Bundles — Save up to 50%

For the complete guide to purchasing ISO 13485, see Buy ISO 13485 — Complete Purchasing Guide.

Frequently Asked Questions

What is ISO 14971 used for?

ISO 14971 is the international standard for applying risk management to medical devices. It provides the structured process — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, and post-production monitoring — that manufacturers must use to demonstrate that their devices are safe for their intended use.

Is ISO 14971 required for ISO 13485 certification?

Yes. ISO 13485 explicitly requires risk management per ISO 14971 throughout the medical device quality management system. Organizations cannot achieve ISO 13485 certification without demonstrating that their risk management program is built on the ISO 14971 framework. ISO 14971 must be controlled as an external document within the ISO 13485 QMS.

Is ISO 14971 required by the FDA?

ISO 14971 is not listed as a statutory FDA requirement. However, the FDA recognizes ISO 14971 as the state of the art for medical device risk management. Under the QMSR, effective February 2, 2026, ISO 13485 is incorporated by reference into 21 CFR Part 820 — and ISO 13485 explicitly requires ISO 14971. FDA investigators under CP 7382.850 use the risk management file as their inspection starting point. For practical purposes, ISO 14971 is effectively mandatory for any FDA-regulated medical device manufacturer.

What is the difference between ISO 14971:2007 and ISO 14971:2019?

The 2019 edition introduced several substantive changes: benefit-risk analysis is now a formal requirement when overall residual risk is not acceptable; both normal use and fault conditions must be analyzed during hazard identification; post-production requirements are more prescriptive; and the Risk Management Report was renamed Risk Management Review to signal an active review activity rather than a passive document.

What is the Risk Management File?

The Risk Management File (RMF) is the organized collection of records that demonstrates a manufacturer has systematically implemented the ISO 14971 risk management process. It includes the Risk Management Plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. The RMF is a living document — it must be updated throughout the device’s commercial life as post-production information is gathered.

What is ISO/TR 24971?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, software risk management, and post-production information processes. It does not add normative requirements but is an essential practical companion for organizations building or rebuilding their risk management programs.

What is the difference between ISO 14971 and ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk purely in terms of harm to people — the combination of probability of harm and severity of that harm. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives, including positive risks (opportunities). The two standards serve different purposes and are not interchangeable in the medical device context.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). ISO/TR 24971 provides specific guidance on applying ISO 14971 to software. The companion standard IEC 62304 — Medical Device Software Lifecycle Processes — also references ISO 14971 risk management requirements throughout its software development lifecycle requirements.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide
👉 Manufacturing Compliance Checklist — verify all compliance areas before your certification audit
👉 Supplier Quality Checklist — material supplier and tooling supplier qualification requirements

Not Sure What to Do Next?

✅ You need the official ISO 14971:2019 standard 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

✅ You also need ISO 13485:2016 — the required companion QMS standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You need the ISO/TR 24971 implementation guidance companion 📋 ISO/TR 24971:2020 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying multiple standards together 📋 ISO Standards Bundles — Save up to 50% — ANSI Webstore

✅ You need ISO 13485 training that covers ISO 14971 integration 📋 BSI Group ISO 13485 Training

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? — Complete Guide

✅ You want to understand the FDA QMSR and how ISO 14971 fits 📋 FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide

✅ You want to compare ISO 9001 and ISO 13485 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Purchasing Guide 📋 How Much Does ISO 13485 Cost?

Risk Management Is Not a Deliverable. It’s an Operating Model.

ISO 14971 is not a checkbox on a certification audit list. It is the framework that determines whether the medical devices your organization produces — or supplies components for — are demonstrably safe for their intended use.

Under the FDA’s QMSR, effective February 2, 2026, that framework now carries federal regulatory weight. Risk management under QMSR extends across the entire quality system, and FDA investigators under CP 7382.850 are using the risk management file as their inspection roadmap.

The organizations that navigate this environment successfully are the ones that treat risk management as an operating discipline — not a documentation exercise. The Risk Management File is updated because post-market data is being systematically reviewed, not because an audit is scheduled. CAPA is connected to the risk management file because the quality system is integrated, not because an investigator asked to see the connection.

That is what ISO 14971, properly implemented, actually produces.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

FDA QSR vs ISO 13485: The Complete QMSR Transition Guide (2026)

The FDA replaced the legacy Quality System Regulation on February 2, 2026. The new QMSR incorporates ISO 13485:2016 by reference — making the international medical device quality standard the structural backbone of U.S. federal regulation. This guide covers exactly what changed, what FDA-specific requirements remain in force beyond ISO 13485, and what your quality system needs to address now that the QMSR is in full effect.

What changed on February 2, 2026, what stayed, and exactly what your quality system needs to address now that the FDA’s QMSR is in full force.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

The FDA Replaced the QSR. Here’s What That Actually Means.

On February 2, 2026, the FDA’s legacy Quality System Regulation — the QSR under 21 CFR Part 820 — was replaced.

Not updated. Not revised. Replaced.

The new Quality Management System Regulation (QMSR) restructured 21 CFR Part 820 around a single foundational document: ISO 13485:2016. The FDA incorporated the international medical device quality standard by reference — meaning ISO 13485 is now the structural backbone of U.S. medical device quality regulation. It is no longer a voluntary international standard that sophisticated manufacturers pursue for global market access. It is what the FDA expects your quality system to be built on.

If your quality system was built against the old QSR framework — DMRs, DHFs, QSIT audit language — you are now operating against a framework that has been retired. The FDA’s inspectors are using a new compliance program. The terminology has changed. The inspection scope has changed. The risk management expectations have changed.

This guide covers exactly what the QSR was, what the QMSR replaced it with, where ISO 13485 fits into the new regulatory structure, what FDA-specific requirements remain in force beyond ISO 13485, and what your quality system needs to address right now.

In This Guide

What the FDA QSR was and why it was replaced
What the QMSR actually is — and what it is not
How FDA QSR, ISO 13485, and QMSR relate to each other
The four FDA-specific requirements that ISO 13485 does not cover
Key changes under the QMSR manufacturers need to act on
Does ISO 13485 certification satisfy QMSR?
The role of ISO 14971 in QMSR compliance
QMSR gap assessment — where to start
From the Shop Floor — what this transition actually looks like
Getting ISO 13485 certified under the QMSR framework

✅ Start Here (Top Resources)

📋 Start with a structured gap assessment before engaging a certification body. The free ISO 13485 Gap Assessment Checklist covers every clause area plus all four QMSR bridge requirements — so you know exactly where you stand before you spend money on implementation. Download Free Checklist

📋 Purchase the official ISO 13485:2016 standard → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

📋 Purchase the required companion standard → ISO 14971:2019 Risk Management — ANSI Webstore — use coupon CC2026 for 5% off

📋 Get ISO 13485 training for your team → BSI Group ISO 13485 Training

📋 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification

📋 Save up to 50% buying ISO standards as a bundle → ISO Standards Packages — ANSI Webstore

What Was the FDA QSR?

Professional infographic explaining the FDA Quality System Regulation under 21 CFR Part 820, featuring medical device manufacturing, CGMP requirements, and regulatory compliance history. — The FDA Quality System Regulation under 21 CFR Part 820 established the foundational CGMP requirements governing medical device manufacturing quality systems in the United States.

The FDA’s Quality System Regulation was codified under 21 CFR Part 820. First authorized in July 1978 and significantly revised in 1996, the QSR established the current good manufacturing practice (CGMP) requirements for finished medical device manufacturers distributing products in the United States.

The QSR covered the core pillars of a medical device quality management system: management responsibility, design controls, document and record controls, purchasing controls, production and process controls, corrective and preventive action (CAPA), labeling, and complaint handling. It was written in FDA-specific language and structured around FDA-specific documentation concepts:

Device Master Record (DMR) — the compiled documentation defining how a device is manufactured
Design History File (DHF) — records demonstrating the device was designed in accordance with an approved plan
Device History Record (DHR) — production records for each manufactured unit or lot
Quality System Inspection Technique (QSIT) — the FDA’s subsystem-by-subsystem inspection approach

For decades, the FDA QSR and ISO 13485 ran in parallel. They covered similar ground but used different terminology, different structural frameworks, and different documentation concepts. Manufacturers selling devices in both the U.S. and international markets often maintained two parallel compliance frameworks — one for the FDA, one for ISO 13485 or MDSAP. That dual-track approach created overhead, redundancy, and audit complexity that manufacturers had been managing for years.

That parallel structure is over.

What Is the QMSR?

The Quality Management System Regulation (QMSR) is the amended version of 21 CFR Part 820, effective February 2, 2026. The FDA issued the final rule in February 2024, providing a two-year implementation window before the regulation took effect.

The core structural change: instead of writing QMS requirements directly into the regulation, the FDA incorporated ISO 13485:2016 by reference. Part 820 now points to ISO 13485 as the source document for quality system requirements. The regulation itself became significantly shorter — most of its text now simply directs manufacturers to the relevant ISO 13485 clause.

What this means in practice: ISO 13485:2016 compliance is now a regulatory expectation under 21 CFR Part 820 — not a voluntary international best practice. Manufacturers who have never engaged with ISO 13485 are now operating under a framework built on it.

The QMSR also updated the FDA’s inspection program. As of February 2, 2026, the FDA retired the Quality System Inspection Technique (QSIT) and implemented Compliance Program 7382.850 — a revised inspection approach built around the ISO 13485 process-based structure rather than the subsystem-by-subsystem approach of the old QSR.

FDA QSR vs ISO 13485 vs QMSR — How They Relate

This is where manufacturers get confused, so it is worth being precise.

The old QSR was a standalone FDA regulation with its own requirements, its own terminology, and its own documentation structure. It has been retired.

ISO 13485:2016 is the international standard for medical device quality management systems, published by the International Organization for Standardization. It has always been used by regulatory authorities globally — including Health Canada, the EU MDR framework, and MDSAP participating countries — as the baseline for QMS requirements.

The QMSR is the new version of 21 CFR Part 820. It uses ISO 13485:2016 as its foundation by incorporating it by reference, while layering on U.S.-specific regulatory requirements that ISO 13485 does not fully address on its own.

Think of it this way: the QMSR is ISO 13485 plus the FDA-specific additions the agency determined were necessary to cover U.S. statutory obligations that go beyond what the international standard requires.

ISO 13485 does most of the heavy lifting. But QMSR is not simply “ISO 13485 with a new name.” Several FDA-specific obligations remain fully in force and cannot be satisfied by ISO 13485 conformance alone.

What the QMSR Kept — The Four FDA Bridge Requirements

The QMSR retained four categories of U.S.-specific requirements that remain unchanged and fully enforceable. These are sometimes called the QMSR “bridge requirements” — the FDA-specific obligations that ISO 13485 does not cover:

1. Medical Device Reporting (MDR)

Manufacturers must continue to report adverse events, malfunctions, and deaths or serious injuries involving their devices to the FDA under 21 CFR Part 803. ISO 13485 addresses post-market surveillance at a high level but does not specify MDR reporting timelines or mechanisms. The QMSR cross-references MDR explicitly in §820.10.

2. Unique Device Identification (UDI)

The UDI system — requiring device labeling to carry a unique identifier traceable in the FDA’s Global Unique Device Identification Database (GUDID) — continues unchanged under QMSR. ISO 13485 does not address UDI requirements. §820.10 explicitly cross-references UDI compliance.

3. Corrections and Removals

Reporting obligations for corrections and removals under 21 CFR Part 806 remain in force. Manufacturers must report corrections or removals initiated to reduce a risk to health or remedy a violation.

4. Device Tracking

Tracking requirements for certain high-risk device categories under 21 CFR Part 821 continue to apply.

A manufacturer whose QMS is fully ISO 13485 compliant but has not addressed these four areas is not QMSR compliant. This is the most important distinction in the entire QMSR framework.

What Changed Under the QMSR

Beyond the structural shift to ISO 13485, several specific changes affect how manufacturers need to operate:

Terminology Alignment

The QMSR adopts ISO 13485 and ISO 9000 vocabulary, replacing legacy QSR-specific terms:

Old QSR Term	QMSR / ISO 13485 Term
Device Master Record (DMR)	Medical Device File (MDF)
Design History File (DHF)	Design and Development File (DDF)
Device History Record (DHR)	Manufacturing Records
Quality System Record	Distributed across QMS documentation

Manufacturers are not required to rename every document immediately — but QMS documentation, training materials, and internal audit programs should be progressively aligned to ISO 13485 terminology to avoid confusion during inspections.

Risk Management Extends Across the Entire QMS

Under the old QSR, risk management was concentrated primarily in design controls. Under QMSR — consistent with ISO 13485 and its companion standard ISO 14971 — risk-based thinking now extends across the entire quality system, including supplier controls, manufacturing processes, CAPA, complaint handling, and post-market activities. This is a substantive operational shift, not a documentation update.

Internal Audits and Management Reviews Are Now Inspection Territory

Under QSR, internal audits were required but the FDA’s QSIT inspection process did not focus on them directly. Under QMSR and Compliance Program 7382.850, internal audits and management reviews are within the FDA’s inspection scope. Investigators will evaluate whether your internal audit program functions as a process-based system consistent with ISO 13485 Clause 8.2.4 requirements.

Inspection Structure Changed

The FDA’s inspection approach under CP 7382.850 evaluates how quality subsystems function as an interconnected framework rather than auditing them in isolation. Inspectors follow issues across processes — a finding in complaint handling may lead directly into CAPA, risk management, and design controls in the same inspection.

ISO 13485 Must Be Controlled as an External Document

Because QMSR incorporates ISO 13485 by reference, manufacturers are required to control the standard as an external document within their QMS under ISO 13485 Clause 4.2.4. This means purchasing the official standard and maintaining version control — a detail many manufacturers miss entirely.

📋 Buy the Official ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

Does ISO 13485 Certification Satisfy QMSR?

Corporate infographic explaining whether ISO 13485 certification satisfies FDA QMSR requirements, including compliance gaps, FDA bridge requirements, inspection readiness, and the path to full QMSR compliance. — ISO 13485 certification provides the foundation for QMSR compliance — but manufacturers must still address FDA-specific bridge requirements, inspection readiness, and process-based audit expectations.

This is the most common question manufacturers ask after the QMSR took effect, and the answer requires precision.

ISO 13485 certification helps significantly — but does not automatically guarantee QMSR compliance.

ISO 13485 certification from an accredited certification body demonstrates that your QMS meets the international standard’s requirements. Under QMSR, that foundation now aligns with what the FDA expects at the structural level. If your organization is already ISO 13485 certified, the gap between your current QMS and QMSR compliance is substantially smaller than it was under the old QSR.

However, ISO 13485 certification does not cover the four FDA bridge requirements — MDR, UDI, corrections and removals, and device tracking. It also does not replace FDA inspections. The FDA retains full enforcement authority under U.S. law regardless of third-party certification status. An ISO 13485 certificate is not a substitute for FDA inspection readiness.

The practical position: ISO 13485 certification gets you approximately 80–85% of the way to QMSR compliance. The remaining work is ensuring the FDA bridge requirements are explicitly addressed in QMS documentation, records and labeling controls map to both ISO 13485 and FDA expectations, and your internal audit program is prepared for the process-based inspection approach under CP 7382.850.

If you are not yet ISO 13485 certified and are subject to QMSR, pursuing certification is the most efficient path to demonstrating compliance with the regulation’s foundation.

📋 Buy ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

The Role of ISO 14971 Under QMSR

ISO 14971 — Risk Management for Medical Devices — plays a critical role in QMSR compliance that is consistently underestimated.

Under the old QSR, risk management was primarily concentrated in design controls. Under QMSR, risk-based thinking is expected throughout the entire quality system. ISO 14971 provides the formal risk management framework — hazard identification, risk estimation, risk evaluation, risk control, and residual risk evaluation — that ISO 13485 requires manufacturers to implement but does not itself specify in detail.

ISO 13485 explicitly requires compliance with ISO 14971. Under QMSR, that requirement carries federal regulatory weight. FDA investigators under CP 7382.850 are expected to start inspections with the risk management file as their roadmap — following risk documentation into design controls, production controls, CAPA, and post-market surveillance.

If your QMS does not have a well-documented, lifecycle-integrated risk management program built on ISO 14971, this is your highest-priority gap under QMSR.

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

For the complete relationship between ISO 13485 and ISO 14971, see ISO 9001 vs ISO 13485 — Key Differences.

QMSR Gap Assessment — Where to Start

Manufacturing compliance gap assessment scale showing audit readiness levels with 0–2 gaps as audit ready, 3–5 gaps as moderate risk, and 6+ gaps as high risk — A simple gap assessment can quickly show whether your operation is audit-ready — or at risk of failure.

For manufacturers currently operating under the old QSR framework, a structured gap assessment is the most efficient starting point. Key areas to evaluate:

Documentation and terminology. Map your existing QMS documents to ISO 13485 clause requirements. Identify where legacy QSR terminology (DMR, DHF, DHR) appears and plan progressive alignment to ISO 13485 vocabulary. Your team and your auditors need to understand the mapping.

Risk management integration. Assess whether your risk management program is limited to design controls or extends across supplier qualification, production processes, CAPA, complaint handling, and post-market surveillance as ISO 14971 and QMSR require.

FDA bridge requirements. Confirm that MDR, UDI, corrections and removals, and device tracking obligations are explicitly addressed in QMS procedures and cross-referenced in §820.10 documentation.

Internal audit program. Update your internal audit program to reflect process-based auditing across interconnected QMS elements rather than subsystem-by-subsystem evaluation. Ensure auditors understand the QMSR inspection approach under CP 7382.850.

Supplier controls. ISO 13485 Clause 7.4 has more prescriptive supplier control requirements than the old QSR. Review supplier qualification procedures, quality agreements, and monitoring programs against ISO 13485 requirements.

External document control. Confirm that ISO 13485:2016 and ISO 14971 are registered as external documents in your QMS with version control — this is now a regulatory requirement, not optional housekeeping.

From the Shop Floor

Professional manufacturing team conducting a QMS transition planning meeting focused on gap assessments, operational involvement, and ISO 13485 documentation remediation. — Successful QMSR transitions are driven by honest gap assessments, operational team involvement, and proactive cleanup of long-standing documentation and compliance weaknesses.

After 25 years managing quality systems in heavy industrial manufacturing, I have watched more regulatory transitions than I care to count. Most follow the same pattern: the announcement creates anxiety, the implementation period creates confusion, and the actual change — once you get to it — turns out to be more manageable than the noise suggested.

The QMSR transition is no different, with one important caveat.

The manufacturers who are struggling right now are the ones who treated the QSR as a compliance exercise rather than an operational system. If your QMS was built as a documentation binder rather than a living process framework, QMSR is going to expose that gap — not because the regulation is fundamentally harder, but because the ISO 13485 process-based approach assumes your quality system actually runs your operations, not the other way around.

The manufacturers I have seen navigate transitions like this most effectively do three things. They conduct an honest gap assessment before anyone from the outside asks them to. They involve their operations team — not just regulatory affairs — in the remediation. And they treat the transition as an opportunity to clean up years of accumulated documentation debt rather than a compliance burden to minimize.

QMSR gives you a cleaner, more internationally aligned framework. The manufacturers who approach it that way will come out of this transition with stronger systems and less audit friction. The ones who treat it as a box-checking exercise will find the new inspection approach under CP 7382.850 less forgiving than the old QSIT was.

Getting ISO 13485 Certified Under the QMSR Framework

If your organization is not yet ISO 13485 certified, QMSR provides a clear incentive to pursue it. An accredited ISO 13485 certificate demonstrates to customers, regulators, and trading partners that your QMS meets the international standard that now forms the foundation of U.S. medical device regulation.

For certification: ISOQAR is a UKAS-accredited certification body with experience in medical device quality management system assessments.

📋 ISO 13485 Certification — ISOQAR

For training: BSI Group offers ISO 13485 training covering requirements interpretation, internal auditing, and implementation — suitable for quality managers, regulatory affairs professionals, and internal auditors preparing for the QMSR inspection environment.

📋 ISO 13485 Training — BSI Group

Quick Reference Comparison Table

Element	Old FDA QSR	ISO 13485:2016	QMSR (Current)
Effective date	1996 (revised)	2016	February 2, 2026
Regulatory basis	U.S. federal regulation	International standard	U.S. federal regulation
Structure	FDA-specific requirements	ISO Harmonized Structure	ISO 13485 by reference + FDA additions
Terminology	DMR, DHF, DHR	MDF, DDF, manufacturing records	ISO 13485 terms (progressive alignment)
Risk management scope	Primarily design controls	Full lifecycle (ISO 14971)	Full QMS — ISO 14971 expected
MDR requirements	Yes	No	Yes (§820.10 cross-reference)
UDI requirements	Yes	No	Yes (§820.10 cross-reference)
Inspection program	QSIT	Third-party certification audit	CP 7382.850 (process-based)
ISO 13485 certification	Not required	Third-party certification	Strongly recommended, not sufficient alone

Frequently Asked Questions

What is the QMSR and when did it take effect?

The Quality Management System Regulation (QMSR) is the amended version of 21 CFR Part 820, effective February 2, 2026. It replaced the legacy FDA Quality System Regulation (QSR) by incorporating ISO 13485:2016 by reference as the foundational quality system framework for U.S. medical device manufacturers.

What is the difference between the FDA QSR and the QMSR?

The old QSR was a standalone FDA regulation with its own requirements and terminology — DMRs, DHFs, DHRs, and the QSIT inspection approach. The QMSR replaced it with a framework built on ISO 13485:2016, adopted by reference, while retaining four U.S.-specific bridge requirements: Medical Device Reporting, UDI, corrections and removals, and device tracking.

Does ISO 13485 certification satisfy QMSR requirements?

ISO 13485 certification provides approximately 80–85% of the foundation for QMSR compliance. However, it does not cover the four FDA-specific bridge requirements and does not replace FDA inspections. A targeted QMSR gap assessment is necessary even for fully ISO 13485 certified organizations.

Is ISO 14971 required under QMSR?

Yes. ISO 13485 explicitly requires risk management per ISO 14971, and under QMSR that requirement carries federal regulatory weight. Risk-based thinking under QMSR extends across the entire quality system — not just design controls as under the old QSR. ISO 14971 is the expected framework.

What are the four QMSR bridge requirements that ISO 13485 does not cover?

Medical Device Reporting (MDR) under 21 CFR Part 803, Unique Device Identification (UDI), Corrections and Removals under 21 CFR Part 806, and Device Tracking under 21 CFR Part 821. These remain fully enforceable under QMSR regardless of ISO 13485 certification status.

What happened to the old QSR terminology — DMR, DHF, DHR?

The QMSR adopts ISO 13485 terminology. Device Master Record (DMR) becomes Medical Device File (MDF), Design History File (DHF) becomes Design and Development File (DDF), and Device History Record (DHR) maps to Manufacturing Records. Manufacturers are not required to rename documents immediately but should plan progressive alignment to ISO 13485 terminology.

What is FDA Compliance Program 7382.850?

CP 7382.850 is the FDA’s new inspection program implemented February 2, 2026, replacing the retired Quality System Inspection Technique (QSIT). It uses a process-based inspection approach aligned with ISO 13485 structure, evaluating how quality subsystems function as an interconnected framework rather than auditing them in isolation.

Does ISO 9001 certification satisfy QMSR?

No. ISO 9001 and ISO 13485 share a structural framework but serve different regulatory purposes. ISO 9001 certification does not satisfy ISO 13485 requirements and is not accepted by the FDA under QMSR. See ISO 9001 vs ISO 13485 for the complete comparison.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide — build your ISO 9001 foundation before adding ISO 13485
👉 Manufacturing Compliance Checklist — assess your current compliance status across quality, environmental, and safety
👉 Supplier Quality Checklist — supplier qualification requirements applicable to medical device supply chains

Not Sure What to Do Next?

✅ Start with a structured gap assessment before engaging a certification body. The free ISO 13485 Gap Assessment Checklist covers every clause area plus all four QMSR bridge requirements — so you know exactly where you stand before you spend money on implementation. Download Free Checklist

✅ You need the official ISO 13485:2016 standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

✅ You need the required ISO 14971 risk management companion 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying both standards together 📋 ISO Standards Packages — Save up to 50% — ANSI Webstore

✅ You need ISO 13485 training before your gap assessment or implementation 📋 BSI Group ISO 13485 Training

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? — Complete Guide

✅ You want to understand how ISO 9001 and ISO 13485 differ 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Purchasing Guide 📋 How Much Does ISO 13485 Cost?

✅ You want to understand certification costs and timelines 📋 ISO Certification Cost Calculator 📋 How Long Does ISO Certification Take? 📋 Best ISO Certification Bodies

The QSR Is Gone. The QMSR Is What the FDA Expects Now.

The FDA replaced 21 CFR Part 820 on February 2, 2026. ISO 13485:2016 is now the structural backbone of U.S. medical device quality regulation. That is not an update to a voluntary standard — it is a fundamental shift in what federal regulation requires from every manufacturer in the U.S. medical device supply chain.

For manufacturers previously operating only under the QSR framework: your system needs to be restructured around ISO 13485. For ISO 13485 certified organizations: your certification provides a strong foundation, but the four FDA bridge requirements and the updated inspection approach under CP 7382.850 require targeted attention. For ISO 9001 certified manufacturers in the medical device supply chain: the supply chain pressure is coming. The pattern that played out in automotive and aerospace — sector-specific quality standards flowing down the supply chain — is now playing out in medical devices.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO 9001 vs ISO 13485: Key Differences Every Manufacturer Needs to Know (2026)

ISO 9001 is the universal quality standard. ISO 13485 is the medical device standard — and since the FDA’s 2024 QMSR final rule, it’s now embedded in U.S. federal regulation. Here’s exactly how the two standards differ and what that means for manufacturers.

How ISO 9001 and ISO 13485 differ in focus, requirements, and regulatory weight — and why the FDA’s 2024 QMSR final rule makes understanding that difference more important than ever.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

The FDA Just Changed the Relationship Between These Two Standards

For decades, manufacturers made a relatively simple distinction between ISO 9001 and ISO 13485. ISO 9001 was for everyone — the universal quality management standard applicable across every industry. ISO 13485 was for medical device manufacturers — a specialized voluntary standard for a regulated industry.

That distinction no longer holds.

In 2024, the FDA published the Quality Management System Regulation (QMSR) final rule — which did not simply update or elevate ISO 13485. It replaced 21 CFR Part 820, the legacy Quality System Regulation, with a new regulatory framework that uses ISO 13485:2016 as its structural backbone. The compliance date was February 2, 2026. That date has passed.

This means ISO 13485 is no longer a voluntary international standard that sophisticated U.S. manufacturers pursue for global market access. It is now the regulatory expectation — the framework FDA inspectors use, the structure FDA-regulated quality systems must reflect, and the language the medical device supply chain is increasingly required to speak.

Organizations that still treat ISO 13485 as “the medical version of ISO 9001” — a slight variation on a familiar theme — are misreading both what the standard requires and what the FDA now expects from it.

This guide covers the real differences between ISO 9001 vs ISO 13485 — structurally, operationally, and regulatorily — so manufacturers can make informed decisions about which standard their organization needs, and what implementing either one actually requires in a post-QMSR world.

In This Guide

What ISO 9001 and ISO 13485 share — the Harmonized Structure foundation
The key operational differences — focus, traceability, design controls, CAPA
How the FDA’s 2024 QMSR final rule changes the ISO 13485 landscape
The three QMSR gaps that ISO 13485 certified organizations must address
Who needs ISO 9001, who needs ISO 13485, and who needs both
Can ISO 9001 substitute for ISO 13485?
Cost and timeline comparison
How to transition from ISO 9001 to ISO 13485

👉 Start Here (Top Resources)

👉 Purchase the official ISO 9001:2015 standard → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

👉 Purchase the official ISO 13485:2016 standard → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

👉 Get ISO 13485 training → BSI Group ISO 13485 Training

👉 Get ISO 9001 certified → ISOQAR ISO 9001 Certification

👉 Get ISO 13485 certified → ISOQAR ISO 13485 Certification

👉 Save up to 50% buying both standards as a bundle → ISO Standards Packages — ANSI Webstore

Infographic showing the shared structure and common foundations of ISO 9001 and ISO 13485 quality management systems, including the harmonized ISO clause framework. — ISO 9001 and ISO 13485 share the same harmonized management system structure, making the transition to medical device quality management more efficient for organizations with existing ISO 9001 experience.

Before examining the differences, understanding what ISO 9001 and ISO 13485 share explains why organizations with ISO 9001 experience can transition to ISO 13485 more efficiently than starting from scratch.

Both standards follow the Harmonized Structure — the common clause framework used across all major ISO management system standards. This means both are organized around the same ten-clause framework:

Clause	Topic
1–3	Scope, normative references, terms
4	Context of the organization
5	Leadership
6	Planning
7	Support
8	Operations
9	Performance evaluation
10	Improvement

Shared management system elements include:

Document and record control
Internal audit program
Corrective and preventive action
Management review
Competence and training requirements
Communication processes
Continual improvement orientation

Organizations implementing ISO 13485 on an existing ISO 9001 foundation build the medical device-specific layer on top of shared infrastructure — rather than building everything from scratch. This is the most significant practical advantage of prior ISO 9001 certification when transitioning to ISO 13485.

For the full ISO 9001 requirements guide, see ISO 9001 Clauses Explained.

ISO 9001 vs ISO 13485 — Full Comparison

Factor	ISO 9001:2015	ISO 13485:2016
Primary objective	Customer satisfaction and continual improvement	Regulatory compliance and patient safety
Industry scope	Universal — any organization, any industry	Medical device manufacturers and supply chain
Regulatory connection	No specific regulatory mandate	FDA QMSR, EU MDR, Health Canada, TGA, global markets
Continual improvement	Central, required throughout	Required but secondary to regulatory compliance
Risk management	Risk-based thinking throughout	Explicit — ISO 14971 required throughout lifecycle
Design controls	Required — relatively flexible	Prescriptive — Design History File required
Traceability	Required where specified by contract	Required for all devices — implantables to patient level
Validation	Special processes	Broader — includes software validation, installation
CAPA	Required	More prescriptive — specific investigation structure
Complaint handling	Required	Stricter — mandatory adverse event reporting connection
Document retention	Defined by organization	Longer — device lifetime plus regulatory requirements
Sterile devices	Not addressed	Specific requirements
Supplier controls	Clause 8.4 — risk-based	More demanding — quality agreements required
Software	Not specifically addressed	IEC 62304 connection — software lifecycle required
Certification body	Any accredited body (ANAB/UKAS)	Accredited body — Notified Body for EU MDR
Typical first-year cost	$8,000–$35,000	$15,000–$100,000+
Typical timeline	4–8 months	8–18 months

Key Operational Differences in Detail

1. Primary Objective — Customer Satisfaction vs Patient Safety

This is the most fundamental difference between the two standards — and it shapes everything else.

ISO 9001 is built around the concept of customer satisfaction. The standard requires that organizations understand customer requirements, meet them consistently, and seek to improve customer satisfaction over time. Continual improvement is a core principle — organizations are expected to get better over time, not just maintain compliance.

ISO 13485 is built around regulatory compliance and patient safety. Where ISO 9001 asks “are customers satisfied?”, ISO 13485 asks “is the device safe and does it conform to regulatory requirements?” Continual improvement is required — but it is explicitly secondary to maintaining regulatory compliance. An organization cannot compromise regulatory compliance in pursuit of improvement.

This difference in objective drives differences in emphasis throughout both standards. ISO 9001 is flexible by design — it accommodates diverse industries and business models. ISO 13485 is prescriptive by necessity — because the consequences of quality failures affect patient safety.

2. Risk Management — Risk-Based Thinking vs ISO 14971

Both standards require risk management — but the approach differs significantly.

ISO 9001 incorporates “risk-based thinking” throughout — identifying risks to process conformity and customer satisfaction and taking appropriate action. The standard doesn’t prescribe a specific risk management methodology.

ISO 13485 requires risk management per ISO 14971 — the international standard for risk management for medical devices. ISO 14971 defines a formal risk management process covering hazard identification, risk estimation, risk evaluation, risk control, residual risk evaluation, and risk management review throughout the device lifecycle.

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is a required companion standard woven throughout ISO 13485’s requirements. Organizations implementing ISO 13485 must purchase and implement ISO 14971.

→ ISO 14971:2019 — ANSI Webstore

3. Design and Development Controls

ISO 9001 requires design and development planning, inputs, outputs, review, verification, and validation — but the standard is relatively flexible in how organizations structure these activities.

ISO 13485 requires all of the above with significantly more prescription:

Design History File (DHF): A comprehensive record of the design history of each device type — design plans, inputs, outputs, review records, verification and validation records, and all design changes. The DHF must demonstrate the device was developed in accordance with the approved design plan.
Design transfer: A formal process for transferring device designs into production — confirming the production processes are capable of consistently producing devices that conform to design specifications.
Design changes: Each design change must be evaluated for its effect on function, performance, safety, and regulatory compliance before implementation. This is more rigorous than ISO 9001’s general change management requirements.

4. Traceability — Contractual vs Regulatory

ISO 9001 requires traceability where it is a stated requirement — typically driven by customer contracts or industry standards.

ISO 13485 requires traceability of medical devices as a baseline regulatory requirement — not contingent on customer specification. The extent of traceability must be consistent with applicable regulatory requirements:

All medical devices: Traceable to manufacturing lot, raw materials, and key production records
Active implantable devices and implantable devices: Traceable to the patient who received the device — requiring distribution records that track the device through the supply chain to the healthcare provider and patient record
Sterile devices: Additional traceability requirements for sterilization

This difference is operationally significant — ISO 13485 traceability systems are substantially more complex than typical ISO 9001 traceability implementations.

5. CAPA — General Corrective Action vs Structured Investigation

ISO 9001 requires corrective action — identifying nonconformances, determining root causes, and implementing actions to prevent recurrence. The standard is relatively flexible in how this is structured.

ISO 13485 requires a more structured CAPA system with specific elements:

Defined trigger criteria for when a CAPA must be initiated
Documented root cause investigation using systematic analysis methods
Action plans with defined effectiveness criteria — established before implementation
Effectiveness verification — documented evidence that the corrective action eliminated the root cause
Trend analysis — reviewing CAPA data to identify patterns requiring systemic action

The ISO 13485 CAPA system is one of the most closely scrutinized areas in FDA inspections — inadequate CAPA systems are among the most common FDA 483 observations. This scrutiny will intensify under QMSR.

6. Supplier Controls — Risk-Based vs Quality Agreements

ISO 9001 Clause 8.4 requires risk-based supplier controls — qualifying suppliers, communicating requirements, and monitoring performance. The depth of control is proportionate to risk.

ISO 13485 goes significantly further:

Written quality agreements with critical suppliers — formal contracts specifying quality requirements, change notification obligations, audit rights, and regulatory compliance responsibilities
Supplier qualification criteria must include assessment of regulatory compliance capability — not just quality system certification
Ongoing supplier monitoring — performance tracking, requalification at defined intervals
Regulatory requirement flow-down — applicable regulatory requirements must be communicated to and confirmed by suppliers

The FDA QMSR Factor — Why ISO 13485 Carries More Weight in 2026

The FDA’s 2024 Quality Management System Regulation (QMSR) final rule, effective February 2, 2026, directly incorporated ISO 13485:2016 by reference as the foundational quality system framework for U.S. medical device manufacturers.

This is the first time in history that ISO 13485 has been embedded in U.S. federal regulation.

What this means practically:

For manufacturers previously operating only under 21 CFR Part 820: Your quality system must now be structured around ISO 13485 requirements and terminology. The old QSR framework has been retired. FDA inspectors are now using ISO 13485 structure as their inspection framework under the new lifecycle-focused model.

For ISO 13485 certified organizations: Your certification provides a strong foundation for QMSR compliance — but it is not automatically QMSR compliant. Three specific gaps exist between ISO 13485 and QMSR that must be addressed.

For ISO 9001 certified manufacturers in the medical device supply chain: Your customers — medical device OEMs — must now demonstrate QMSR compliance. They will increasingly require ISO 13485 certification from their component suppliers, contract manufacturers, and sub-tier suppliers. The same pattern that happened in automotive (IATF 16949 flowing down the supply chain) is now happening in medical devices.

The Three QMSR Gaps ISO 13485 Certified Organizations Must Address

Infographic illustrating the three major QMSR gaps ISO 13485 certified organizations must address, including risk-based thinking, organizational knowledge, and management review requirements. — Even mature ISO 13485 systems may contain critical gaps relative to FDA QMSR requirements, particularly in enterprise-wide risk integration, knowledge management, and management review processes.

Even organizations with mature ISO 13485 systems have gaps relative to the new QMSR requirements. The three most significant:

Gap 1 — Risk Management Integration ISO 13485 requires risk management primarily in design and development. QMSR requires risk-based thinking embedded throughout the entire QMS — purchasing controls, production processes, complaint handling, and CAPA. If your risk management process lives only in your design files, you have a QMSR gap.

Gap 2 — Organizational Knowledge QMSR explicitly requires organizations to maintain and make available the knowledge necessary for QMS operation and product conformity. This is a new requirement with no direct ISO 13485 equivalent — it has real documentation implications for knowledge management processes.

Gap 3 — Management Review QMSR’s management review requirements are more prescriptive than ISO 13485 — requiring specific inputs related to post-market surveillance data, customer feedback trends, and risk management outputs beyond what ISO 13485 Clause 5.6 alone requires.

FDA Inspection Protocol CP 7382.850 is specifically designed to test QMSR compliance. Any FDA inspection going forward will be assessed against this protocol — not the retired QSIT framework.

For the complete QMSR transition guide, see our dedicated FDA QSR vs ISO 13485 article — coming soon.

📋 Not sure where your gaps are? Download the free ISO 13485 Gap Assessment Checklist — covers all 10 clause areas plus the four FDA QMSR bridge requirements ISO 13485 certification alone doesn’t address. Download Free Checklist

Who Needs ISO 9001?

ISO 9001 is the right standard for:

Manufacturing organizations supplying to industrial OEMs, government contractors, or general supply chains where no industry-specific standard applies
Organizations in any industry seeking a universal quality management credential
Organizations building the QMS foundation before adding IATF 16949, AS9100, or ISO 13485
Any organization whose customer contracts specify ISO 9001 certification

ISO 9001 is the most widely required quality management standard in the world — applicable across every industry and recognized by virtually every supply chain.

For the complete ISO 9001 certification guide, see How to Get ISO 9001 Certified.

→ ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off

Who Needs ISO 13485?

ISO 13485 is required for:

Medical device manufacturers placing products in any regulated market — U.S., EU, Canada, Australia, Japan, Brazil, and most other major markets
Component suppliers whose products are incorporated into medical devices
Contract manufacturers producing devices or device components
Sterilization service providers for medical devices
Organizations in the medical device supply chain whose OEM customers require ISO 13485 certification

The QMSR has effectively made ISO 13485 required for any organization participating in the U.S. medical device market — either directly as a manufacturer or indirectly as a supply chain participant whose OEM customers must demonstrate QMSR compliance.

For the complete ISO 13485 guide, see What Is ISO 13485?

→ ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

Can ISO 9001 Substitute for ISO 13485?

No — and this is one of the most important distinctions in the entire medical device quality landscape.

ISO 9001 certification does not satisfy ISO 13485 requirements. The standards share a structural framework but serve different regulatory purposes with different specific requirements. An ISO 9001 certificate presented to an FDA inspector or EU Notified Body as evidence of medical device QMS compliance will not be accepted.

Where this confusion causes the most damage:

Component suppliers to medical device OEMs who hold ISO 9001 certification and assume it satisfies their customer’s supplier qualification requirements. As OEMs align to QMSR — which requires ISO 13485 structure — they will increasingly require ISO 13485 certification from suppliers rather than accepting ISO 9001 as equivalent.

The practical path: Organizations in the medical device supply chain that currently hold ISO 9001 should begin planning an ISO 13485 gap assessment. The ISO 9001 foundation significantly reduces the cost and timeline of ISO 13485 implementation — but the transition requires deliberate planning.

Implementing Both Standards Together

Many organizations need both ISO 9001 and ISO 13485 — either because they serve both medical device and non-medical device customers, or because they want to build their QMS on the universal ISO 9001 foundation before adding the ISO 13485 layer.

The integrated approach works well because:

The Harmonized Structure shared by both standards means document control, corrective action, internal audit, management review, and training records are built once and serve both standards simultaneously.

What you build once:

Document control system
Corrective action and CAPA process
Internal audit program and schedule
Management review agenda and records
Training records system
Communication processes

What you build for ISO 13485 specifically on top of the shared foundation:

ISO 14971 risk management integration throughout the QMS
Design History File structure (for design-responsible organizations)
Device master record and device history record system
Traceability system to device level (and patient level for implantables)
Written quality agreements with critical suppliers
Complaint handling connected to adverse event reporting
Post-market surveillance procedures
Software validation processes (where applicable)
Regulatory compliance obligations register for all applicable markets

Cost and Timeline Comparison

Factor	ISO 9001	ISO 13485	ISO 13485 with ISO 9001 Foundation
Standard purchase	$150–$200	$325–$425 (incl. ISO 14971)	Same
Training	$2,500–$9,000	$5,000–$15,000	$3,000–$10,000
Documentation	$2,000–$12,000	$5,000–$20,000	$3,000–$12,000
Certification audit	$4,000–$15,000	$6,000–$24,000	$6,000–$24,000
Internal labor	$5,000–$15,000	$10,000–$20,000	$6,000–$14,000
Total first year	$8,000–$35,000	$15,000–$100,000+	$12,000–$65,000
Typical timeline	4–8 months	8–18 months	6–12 months

Organizations with existing ISO 9001 certification typically reduce ISO 13485 first-year costs by 35–50% and timeline by 30–40% — because the QMS infrastructure is already built.

For the complete ISO 13485 cost breakdown, see How Much Does ISO 13485 Cost?

For the complete ISO 9001 cost breakdown, see How Much Does ISO 9001 Cost?

How to Transition from ISO 9001 to ISO 13485

Professional buy ISO 13485 feature image showing medical devices, regulatory compliance checklist, and quality management system concepts for medical device manufacturing. — ISO 13485 provides the quality management framework medical device manufacturers use to meet regulatory requirements, improve traceability, and support patient safety.

Step 1 — Purchase ISO 13485:2016 and ISO 14971:2019 Read both completely before conducting your gap assessment.

→ ISO 13485:2016 — ANSI Webstore → ISO 14971:2019 — ANSI Webstore

Step 2 — Download and read the FDA QMSR Final Rule Available free at FDA.gov. Read the preamble — it explains the three QMSR gaps and the FDA’s intent for each addition to ISO 13485 requirements.

Step 3 — Complete ISO 13485 lead implementer training ISO 13485 training must address both standard requirements and applicable regulatory frameworks. This is more specialized than ISO 9001 training.

→ BSI Group ISO 13485 Training

Step 4 — Conduct an ISO 13485 gap assessment against your existing ISO 9001 QMS Focus on the ISO 13485-specific elements rather than the shared elements you’ve already built. Key gap areas: traceability system, design controls (if applicable), ISO 14971 integration, CAPA structure, supplier quality agreements, complaint handling.

Step 5 — Conduct a QMSR gap assessment Separately assess the three QMSR gaps beyond ISO 13485 — risk management integration, organizational knowledge, management review inputs.

Step 6 — Build ISO 13485-specific documentation on your ISO 9001 foundation Add medical device-specific procedures, forms, and records without duplicating what you’ve already built.

Step 7 — Operate the integrated system and generate records

Step 8 — Conduct combined internal audit Your internal audit must cover all ISO 13485 clauses — including the medical device-specific additions.

Step 9 — Pursue ISO 13485 certification → ISOQAR ISO 13485 Certification

Frequently Asked Questions

What is the main difference between ISO 9001 and ISO 13485?

ISO 9001 is a universal quality management standard focused on customer satisfaction and continual improvement — applicable to any industry. ISO 13485 is a medical device-specific quality management standard focused on regulatory compliance and patient safety. ISO 13485 has more prescriptive requirements for traceability, design controls, risk management, CAPA, and document retention.

Can ISO 9001 replace ISO 13485 for medical device manufacturers?

No. ISO 9001 certification does not satisfy ISO 13485 requirements. The standards share a structural framework but serve different regulatory purposes. Medical device manufacturers and their supply chains require ISO 13485 — ISO 9001 alone is not accepted by FDA, EU Notified Bodies, or medical device OEM supplier qualification programs.

Does ISO 13485 include ISO 9001?

ISO 13485 is not a superset of ISO 9001 — it is a separate standard with different objectives and requirements. The two standards share the Harmonized Structure but are not interchangeable. An ISO 13485 certificate does not imply ISO 9001 certification.

Is ISO 13485 required by the FDA?

Effectively yes, since February 2, 2026. The FDA’s QMSR final rule incorporated ISO 13485:2016 by reference as the foundational QMS framework for U.S. medical device manufacturers. ISO 13485 certification from an accredited body is the most efficient path to demonstrating QMSR compliance.

How much more does ISO 13485 cost than ISO 9001?

ISO 13485 typically costs 40–80% more than ISO 9001 for equivalent organization sizes without prior QMS experience. Organizations with existing ISO 9001 certification reduce that gap significantly — typically spending 35–50% less on ISO 13485 implementation than starting from scratch. See How Much Does ISO 13485 Cost?

How long does it take to transition from ISO 9001 to ISO 13485?

Organizations with existing ISO 9001 certification typically complete ISO 13485 certification in 6–12 months — compared to 8–18 months starting from scratch. The ISO 9001 QMS foundation significantly compresses the gap assessment, documentation development, and implementation phases.

What is ISO 14971 and is it required for ISO 13485?

ISO 14971 is the international standard for risk management for medical devices. It is a required companion to ISO 13485 — not optional guidance. ISO 14971 defines the formal risk management process that must be applied throughout the medical device lifecycle and integrated throughout ISO 13485 requirements.

What are the three QMSR gaps that ISO 13485 certified organizations must address?

Risk management integration throughout the QMS (not just design), organizational knowledge documentation, and more prescriptive management review inputs including post-market surveillance data and risk management outputs. These are additions to ISO 13485 requirements that the QMSR specifically mandates.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide — build your ISO 9001 foundation before adding ISO 13485
👉 Manufacturing Compliance Checklist — assess your current compliance status across quality, environmental, and safety
👉 Supplier Quality Checklist — supplier qualification requirements applicable to medical device supply chains

Not Sure What to Do Next?

🔹 You need the official ISO 9001:2015 standard → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

🔹 You need the official ISO 13485:2016 standard → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

🔹 You need ISO 14971 — required risk management companion → ISO 14971:2019 — ANSI Webstore

🔹 You want to save buying multiple standards together → Save up to 50% on ISO Standards Packages — ANSI Webstore

🔹 You need ISO 13485 training before implementation → BSI Group ISO 13485 Training

🔹 You need ISO 9001 training → BSI Group ISO 9001 Training

🔹 You’re ready to pursue ISO 9001 certification → ISOQAR ISO 9001 Certification

🔹 You’re ready to pursue ISO 13485 certification → ISOQAR ISO 13485 Certification

🔹 You want to understand what ISO 13485 requires → What Is ISO 13485? → Buy ISO 13485 — Complete Purchasing Guide → How Much Does ISO 13485 Cost?

🔹 You want to understand ISO 9001 requirements → ISO 9001 Clauses Explained → ISO 9001 Certification Guide → How Much Does ISO 9001 Cost?

🔹 You want to understand the FDA QMSR transition → Coming soon — FDA QSR vs ISO 13485: The Complete QMSR Transition Guide

🔹 You want to understand certification costs and timelines → ISO Certification Cost Calculator → How Long Does ISO Certification Take? → Best ISO Certification Bodies

ISO 9001 Opens Doors. ISO 13485 Opens Medical Device Markets.

ISO 9001 is the universal quality management credential — recognized in every industry, required in most supply chains, and the right starting point for almost every manufacturer.

ISO 13485 is the medical device quality credential — and since February 2026, the structural foundation of FDA quality system regulation in the United States. It serves a different purpose, addresses a different risk profile, and carries regulatory weight that ISO 9001 alone cannot provide.

For manufacturers in or entering the medical device supply chain, the question is no longer whether ISO 13485 is relevant. The FDA’s QMSR has answered that. The question is how efficiently your organization can transition from wherever it is now to where the medical device market requires it to be.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

How Much Does ISO 13485 Cost? (2026 Complete Breakdown)

ISO 13485 certification costs $15,000–$100,000 for most organizations — but the largest cost is the internal labor nobody budgets for. Complete breakdown of audit fees, training, documentation, and staff time by organization size.

How much does ISO 13485 cost — audit fees, training, documentation, and the largest cost category most organizations never budget for: internal labor.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

From the Shop Floor: The Cost Nobody Puts in the Budget

Here’s what most ISO cost guides get wrong: they list the external costs — the audit fees, the consultant rates, the standard purchase price — and stop there. What they consistently miss is the largest single cost category in any ISO certification project: the time your own people spend.

Think about what ISO 13485 certification actually requires from your organization. Every procedure must be reviewed and understood by the people executing it. Training records must be verified — not just created, but confirmed accurate and current for every affected employee. Documentation requirements must be communicated across departments. And through all of it, production doesn’t stop. Customers still expect deliveries. Orders still need to be fulfilled.

It’s not one person carrying that load — it’s the quality manager, the production supervisors, the department leads, and in many cases, every operator on the floor who needs to demonstrate they understand the procedures governing their work. That indirect time — the hours spent in procedure reviews, training sessions, document verification, pre-audit preparation — rarely appears on any external invoice. But at even a conservative internal labor rate, it represents thousands of dollars of real organizational cost that most certification budgets never account for.

For ISO 13485 specifically, the internal labor burden is higher than ISO 9001 — because the documentation requirements are more extensive, the training requirements are more specific to regulatory context, and the QMSR alignment work adds a layer of complexity that pure quality management system implementations don’t carry.

When someone tells you ISO 13485 certification “only” cost $X — ask them what they valued the internal time at. The answer usually reveals the real cost of certification.

In This Guide

What drives ISO 13485 certification costs
Complete cost breakdown by category — external and internal
Cost ranges by organization size and complexity
The hidden costs most budgets miss
Three-year total ownership cost
How to reduce ISO 13485 certification cost without cutting corners
Cost comparison — ISO 13485 vs ISO 9001

👉 Start Here (Top Resources)

👉 Purchase the official ISO 13485:2016 standard → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

👉 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification

👉 Get ISO 13485 training for your team → BSI Group ISO 13485 Training

👉 Purchase ISO 14971:2019 — required risk management companion → ISO 14971:2019 — ANSI Webstore

👉 Save up to 50% buying ISO standards as a bundle → ISO Standards Packages — ANSI Webstore

How Much Does ISO 13485 Cost?

ISO 13485 certification costs more than ISO 9001 certification for equivalent organization sizes — and understanding why helps you build a realistic budget before you commit.

Five factors drive ISO 13485 costs higher than ISO 9001:

1. More extensive documentation requirements ISO 13485 requires more documented information than ISO 9001 — longer record retention periods, stricter document control, Design History Files for device developers, and device master records. Building this documentation system takes more time and more expertise than a standard ISO 9001 QMS.

2. Regulatory alignment work ISO 13485 must align with applicable regulatory frameworks — FDA QMSR, EU MDR, Health Canada, TGA, or others depending on your markets. Identifying all applicable regulatory requirements and building them into your QMS is a layer of work that doesn’t exist in ISO 9001 implementation.

3. More specialized training requirements ISO 13485 training must address both the standard requirements and the regulatory context. Lead implementer training for ISO 13485 is more specialized — and more expensive — than for ISO 9001.

4. Longer certification audit ISO 13485 certification audits take more audit days than ISO 9001 audits for equivalent organization sizes — because the scope of documentation review, traceability verification, and regulatory alignment assessment is broader.

5. Internal labor — the largest and most underestimated cost This is the cost nobody puts in the budget. See the dedicated section below.

Complete Cost Breakdown by Category

1. Standard Purchase

Standard	Cost	Notes
ISO 13485:2016	$175–$225	Required — the certification baseline
ISO 14971:2019	$150–$200	Required companion — risk management
ISO 9001:2015	$150–$200	Useful reference for QMS foundation elements
Total standards	$475–$625	Use coupon CC2026 for 5% off at ANSI

→ ISO 13485:2016 — ANSI Webstore → ISO 14971:2019 — ANSI Webstore → ISO Standards Packages — save up to 50%

2. Training

Training is the most important external investment in the ISO 13485 certification project — and the one most likely to pay for itself many times over by preventing documentation rework and audit failures.

Training Type	Cost Per Person	Who Needs It
ISO 13485 awareness	$200–$500	All affected employees
ISO 13485 foundation	$800–$1,500	Quality team members
Lead implementer	$2,000–$4,000	Quality manager / QMS owner
Internal auditor	$1,500–$3,000	Internal audit team
Regulatory affairs (FDA/MDR)	$1,000–$3,000	Regulatory compliance lead

Realistic training budget for a small to mid-size organization: $5,000–$15,000 depending on team size and training levels required.

→ BSI Group ISO 13485 Training

3. Documentation Development

Documentation for ISO 13485 is more extensive than ISO 9001 — more procedures, more forms, more records, and medical device-specific documentation that has no ISO 9001 equivalent.

Approach	Cost	Timeline Impact
DIY from scratch	$0 external / very high internal labor	Longest — highest rework risk
Purpose-built documentation kit	$1,000–$5,000	Significantly faster — lower rework risk
Full consulting	$15,000–$75,000+	Fastest — highest external cost

What ISO 13485-specific documentation adds beyond ISO 9001:

Device master record (DMR) structure
Design history file (DHF) framework — for design-responsible organizations
Complaint handling and adverse event reporting procedures
Post-market surveillance procedures
Supplier quality agreements template
Traceability system documentation
CAPA procedure with more detailed investigation requirements

4. Certification Audit Fees

ISO 13485 certification requires a Stage 1 (documentation review) and Stage 2 (on-site assessment) audit by an accredited certification body. Audit fees are based on organization size, complexity, and audit days required.

Organization Size	Stage 1	Stage 2	Total Audit Cost
Small (1–25 employees)	$2,000–$4,000	$4,000–$10,000	$6,000–$14,000
Mid-size (26–200 employees)	$3,000–$6,000	$8,000–$18,000	$11,000–$24,000
Large (200+ employees)	$6,000–$12,000	$15,000–$35,000	$21,000–$47,000

Important: ISO 13485 audit fees are higher than ISO 9001 audit fees for equivalent organization sizes — because the audit scope is broader and typically requires more audit days.

→ ISOQAR ISO 13485 Certification

5. Internal Labor — The Largest Cost Nobody Budgets

Infographic illustrating the hidden internal labor costs of ISO 13485 certification, including training, document review, gap assessments, audit preparation, and employee involvement. — Internal labor is often the largest hidden cost of ISO 13485 implementation, requiring significant time from quality teams, production personnel, and management.

This is the cost that most ISO 13485 cost guides don’t cover — and consistently the largest single cost category in most certification projects.

ISO 13485 certification requires significant time from your existing personnel — not just your quality manager, but department leads, production supervisors, regulatory affairs personnel, and in many cases, every employee who needs to demonstrate competence in the procedures governing their work.

What internal labor covers:

Gap assessment — evaluating current QMS against ISO 13485 requirements
Procedure review and validation — quality manager and department leads reviewing every procedure for accuracy and regulatory alignment
Training delivery and attendance — every affected employee attending required training sessions
Document review and sign-off — personnel reviewing and acknowledging procedures
Pre-audit preparation — internal audit, management review, corrective action completion
Certification audit support — production personnel interviewed, records retrieved, auditor questions answered

The challenge: During all of this, your production facility is still running. Orders still ship. Customers still call. The indirect time spent on certification doesn’t pause your operational responsibilities — it layers on top of them.

Realistic internal labor estimates:

Task	Hours (Small–Mid Org)
Gap assessment	30–60 hours
Regulatory requirements identification	20–40 hours
Documentation development	80–160 hours
Training delivery and attendance	40–80 hours
Personnel procedure review and sign-off	30–60 hours
Internal audit	20–40 hours
Management review preparation	8–16 hours
Certification audit support	16–32 hours
Total	244–488 hours

At a conservative $40/hour internal labor rate, that’s $9,760–$19,520 in staff time — before a single external fee is paid. For organizations with higher average wages or more complex operations, this number climbs significantly.

This is why the “cheapest” path to ISO 13485 certification — skipping training, using free templates, minimizing consulting — often ends up being the most expensive. Every hour of external expertise you don’t purchase gets replaced by multiple hours of internal labor — usually from people who are simultaneously trying to maintain production output.

👉 Download the Free Manufacturing Compliance Checklist — use it to assess your current compliance gaps before starting your ISO 13485 cost planning.

Cost Ranges by Organization Size

Organization Size	Readiness Level	Estimated First-Year Cost
Small (1–25 employees)	High — prior ISO 9001 experience	$15,000–$35,000
Small (1–25 employees)	Low — no prior QMS	$25,000–$55,000
Mid-size (26–200 employees)	High — prior ISO 9001 experience	$30,000–$60,000
Mid-size (26–200 employees)	Low — no prior QMS	$50,000–$100,000
Large (200+ employees)	High readiness	$60,000–$150,000
Large (200+ employees)	Low readiness	$100,000–$250,000+

Organizations already ISO 9001 certified typically spend 35–50% less on ISO 13485 implementation — because the QMS infrastructure is already built. The incremental cost covers the medical device-specific elements, regulatory alignment, and the expanded documentation and training requirements.

The Hidden Costs Most Budgets Miss

Beyond the five main cost categories, ISO 13485 implementation carries several costs that consistently surprise organizations:

Regulatory gap assessment — separate from QMS gap assessment Identifying all applicable regulatory requirements — FDA QMSR, EU MDR, Health Canada, TGA, regional requirements for each market you sell into — requires specialized regulatory affairs knowledge. This work is often underestimated or omitted entirely from initial cost planning.

Software and systems updates Many organizations discover during ISO 13485 implementation that their current document management systems, complaint handling systems, or ERP configurations don’t support the traceability and record control requirements. Software upgrades or new system implementations add cost that rarely appears in initial budgets.

Supplier qualification program development ISO 13485 supplier controls are significantly more demanding than ISO 9001. Building a supplier qualification program — including written quality agreements with critical suppliers — requires time and sometimes external expertise beyond what most organizations budget.

Lost production during audit A Stage 2 certification audit of 2–5 days requires significant operational disruption — key personnel pulled from production for auditor interviews, records retrieval, and process demonstrations. The cost of this disruption in lost production capacity is real and rarely budgeted.

Failed audit re-costs A Stage 2 audit that generates major nonconformances requiring corrective action and re-audit adds $3,000–$15,000 in re-audit fees and 4–16 weeks to the certification timeline. Investing in preparation — training, internal audit, corrective action — is almost always cheaper than a failed Stage 2.

Three-Year Total Ownership Cost

ISO 13485 certification is not a one-time cost. Annual surveillance audits are required in Years 2 and 3, and a full recertification audit is required in Year 4.

Organization Size	Year 1	Year 2	Year 3	3-Year Total
Small	$15,000–$55,000	$5,000–$10,000	$5,000–$10,000	$25,000–$75,000
Mid-size	$30,000–$100,000	$8,000–$18,000	$8,000–$18,000	$46,000–$136,000
Large	$60,000–$250,000+	$15,000–$35,000	$15,000–$35,000	$90,000–$320,000+

Annual ongoing costs include:

Annual surveillance audit fees
Continuing training for new personnel and updated requirements
Internal audit program maintenance
Document maintenance and updates
CAPA system management

How to Reduce ISO 13485 Certification Cost

Invest in lead implementer training before documentation begins The most expensive mistake in ISO 13485 implementation is building documentation before understanding what ISO 13485 and your applicable regulatory frameworks actually require. Training before documentation prevents the interpretation errors that generate rework — and rework in ISO 13485 implementations is expensive because the documentation requirements are so specific.

→ BSI Group ISO 13485 Training

Build on existing ISO 9001 infrastructure If your organization is already ISO 9001 certified, the QMS foundation — document control, corrective action, internal audit, management review — is already built. ISO 13485 implementation adds the medical device-specific layer on top of that foundation rather than building from scratch. This is the single most effective cost reduction strategy available.

Conduct a thorough gap assessment before starting A thorough gap assessment identifies exactly what needs to be built versus what already exists. Organizations that skip or rush the gap assessment consistently waste time and money building documentation for requirements they already meet or missing requirements they don’t.

Contact your certification body early Certification body scheduling lead times for ISO 13485 audits can run 3–6 months. Contacting your certification body early — during Phase 1, not after documentation is complete — allows you to align your implementation timeline with audit scheduling and avoid adding weeks of delay at the back end of your project.

Plan internal labor into your project budget from day one Organizations that plan for internal labor costs — and allocate realistic time budgets for procedure review, training attendance, and pre-audit preparation — make better implementation decisions. They invest appropriately in external expertise because they understand the true cost of doing everything internally.

ISO 13485 vs ISO 9001 — Cost Comparison

Comparison infographic showing ISO 9001 vs ISO 13485 certification costs, including training, documentation, audits, implementation, and total first-year compliance expenses. — ISO 13485 certification typically costs more than ISO 9001 due to stricter regulatory requirements, expanded documentation, medical device risk controls, and increased audit scope.

Cost Category	ISO 9001	ISO 13485	Why ISO 13485 Costs More
Standard purchase	$150–$200	$175–$225 + ISO 14971	Additional companion standard required
Lead implementer training	$1,500–$3,000	$2,000–$4,000	More specialized — regulatory context required
Documentation development	$2,000–$12,000	$5,000–$20,000	More documents, stricter requirements
Certification audit	$4,000–$15,000	$6,000–$24,000	More audit days, broader scope
Internal labor	$5,000–$15,000	$10,000–$20,000	More extensive requirements = more staff time
Total first year (small org)	$8,000–$35,000	$15,000–$55,000

For the complete ISO 9001 cost breakdown, see How Much Does ISO 9001 Cost?

📋 Before you budget for certification — know your gap. The free ISO 13485 Gap Assessment Checklist helps you identify how much remediation work your system actually needs before Stage 1. That one number changes your entire cost estimate. Download Free Checklist

Frequently Asked Questions

How much does ISO 13485 certification cost?

Most small to mid-size organizations spend $15,000–$100,000 in the first year depending on organization size, prior ISO 9001 experience, implementation approach, and how thoroughly internal labor costs are accounted for. See the cost table above for ranges by organization size and readiness level.

What is the biggest hidden cost in ISO 13485 certification?

Internal labor — the time your own personnel invest in procedure review, training attendance, document verification, and pre-audit preparation. This cost rarely appears on an external invoice but consistently represents the largest single cost category in ISO 13485 certification projects, often $10,000–$20,000 for small to mid-size organizations.

Is ISO 13485 more expensive than ISO 9001?

Yes — typically 40–80% more expensive for equivalent organization sizes. The higher cost reflects more extensive documentation requirements, more specialized training, broader certification audit scope, regulatory alignment work, and higher internal labor demands.

Does ISO 9001 certification reduce ISO 13485 costs?

Significantly — typically 35–50% less than implementing from scratch. Organizations with existing ISO 9001 certification have the QMS foundation already built. ISO 13485 implementation focuses on the medical device-specific layer rather than building the entire system.

How long does ISO 13485 certification take?

Organizations with no prior QMS typically need 12–18 months. Organizations with existing ISO 9001 certification typically need 8–14 months. See How Long Does ISO Certification Take?

What is the annual cost of maintaining ISO 13485 certification?

Annual surveillance audit fees plus ongoing training and internal audit program costs typically range from $5,000–$18,000 per year depending on organization size — roughly 20–30% of the initial certification cost.

Can I reduce ISO 13485 costs by doing it myself without a consultant?

Yes — but with an important caveat. Lead implementer training is non-negotiable regardless of whether you use a consultant. The DIY approach with proper training and a purpose-built documentation kit saves significant consulting costs. The DIY approach without training almost always produces documentation that fails Stage 1 or Stage 2 — costing more in rework than consulting would have.

What certification body should I use for ISO 13485?

For EU MDR compliance, you must use an EU Notified Body. For other markets, any ANAB or UKAS accredited certification body with ISO 13485 scope. For the full certification body guide, see Best ISO Certification Bodies.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide — the quality management foundation that supports ISO 13485 implementation
👉 Manufacturing Compliance Checklist — assess your compliance gaps before starting cost planning
👉 Supplier Quality Checklist — supplier qualification requirements applicable to medical device supply chains

Not Sure What to Do Next?

🔹 You need the official ISO 13485:2016 standard → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

🔹 You need ISO 14971 — required risk management companion → ISO 14971:2019 — ANSI Webstore

🔹 You want to save buying multiple standards together → Save up to 50% on ISO Standards Packages — ANSI Webstore

🔹 You need ISO 13485 training before implementation → BSI Group ISO 13485 Training

🔹 You’re ready to pursue ISO 13485 certification → ISOQAR ISO 13485 Certification

🔹 You want to understand what ISO 13485 requires → What Is ISO 13485? → Buy ISO 13485 — Complete Purchasing Guide

🔹 You want to understand the FDA QMSR transition → Coming soon — FDA QSR vs ISO 13485: The Complete QMSR Transition Guide

🔹 You want to compare ISO 13485 with ISO 9001 → Coming soon — ISO 9001 vs ISO 13485: Key Differences

🔹 You want to understand the full certification cost picture → How Much Does ISO 9001 Cost? → ISO Certification Cost Calculator → How Long Does ISO Certification Take?

🔹 You want to choose the right certification body → Best ISO Certification Bodies — Ranked & Reviewed

Budget for the Real Cost — Including the Time Your People Will Spend

The organizations that budget accurately for ISO 13485 certification — accounting for all five cost categories, and especially for the internal labor that never appears on an external invoice — make better implementation decisions.

They invest appropriately in training because they understand that untrained internal labor costs more than trained external expertise. They allocate realistic time budgets for their quality managers because they understand that certification doesn’t pause while production runs. They plan for internal audit and corrective action because they understand that failed Stage 2 audits cost more than the preparation that prevents them.

The standard costs $175. The internal time costs far more than that. Budget for both.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

Buy ISO 13485:2016 — Official Sources, Cost, and Why It Matters More Than Ever (2026 Guide)

The FDA’s 2024 QMSR final rule incorporated ISO 13485:2016 directly into U.S. federal regulation — making it the foundation of modern medical device quality compliance. Here’s where to buy the official standard, what’s included, and why purchasing it is no longer optional for anyone in the medical device supply chain.

Where to buy ISO 13485, what format to choose, how much it costs — and why the FDA’s 2024 QMSR final rule makes purchasing the official standard more important now than at any point in the standard’s history.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

ISO 13485 Is No Longer Just a Voluntary International Standard

For decades, U.S. medical device manufacturers operated under a relatively simple mental model: FDA compliance meant 21 CFR Part 820. ISO 13485 was something you pursued for international market access — a useful credential, but separate from what FDA actually required.

The FDA’s 2024 Quality Management System Regulation (QMSR) final rule ended that mental model permanently.

The QMSR, which became effective February 2, 2026, directly incorporates ISO 13485:2016 by reference as the foundational quality system framework for U.S. medical device manufacturers. This is the first time in history that ISO 13485 has been formally embedded into U.S. federal regulation. It is no longer a parallel system running alongside FDA requirements. It is the structural foundation of FDA quality system expectations.

The practical consequence: organizations that still maintain separate mental models for “FDA compliance” and “ISO certification” are already operating with a gap in their understanding of what QMSR requires. And organizations that haven’t obtained the official ISO 13485 standard are building — or attempting to build — a regulatory quality system without reading the regulation.

This guide covers where to buy ISO 13485, what formats are available, what’s actually in the document, and why purchasing the official standard is no longer optional for anyone participating in the medical device supply chain.

📋 Before you buy — know what you’re implementing it against. Download the free ISO 13485 Gap Assessment Checklist to identify your current compliance gaps first. It tells you exactly what your system needs to address before you start building documentation. Download Free Checklist

In This Guide

Why ISO 13485 Is More Important After the 2024 FDA QMSR Update
Where to buy ISO 13485 — authorized sources only
Available formats and which to choose
How much ISO 13485 costs
What’s included in the official document
How to verify you’re buying the current edition
Licensing rules — what you can and cannot do
What to do after purchasing
Related standards you may also need

👉 Start Here (Top Resources)

👉 Purchase the official ISO 13485:2016 standard → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

👉 Get ISO 13485 training for your team → BSI Group ISO 13485 Training

👉 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification

👉 Purchase the official ISO 9001:2015 standard — the quality management foundation → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off

👉 Save up to 50% buying ISO standards as a bundle → ISO Standards Packages — ANSI Webstore

Why ISO 13485 Matters More Than Ever — The 2024 FDA QMSR Update

Infographic showing the FDA 2024 QMSR update aligning U.S. medical device regulations with ISO 13485 and illustrating the transition to a harmonized global quality management system. — The FDA’s QMSR update transformed ISO 13485 from an international standard into the operational foundation of modern medical device compliance.

The Tectonic Shift in Medical Device Compliance

For decades, the medical device quality landscape ran on two parallel tracks. U.S. manufacturers focused on FDA’s 21 CFR Part 820 Quality System Regulation. International manufacturers focused on ISO 13485. Both tracks led to compliant quality systems — but they were distinct systems with distinct language, distinct structures, and distinct audit protocols.

The FDA’s 2024 QMSR final rule collapsed those two tracks into one.

By directly incorporating ISO 13485:2016 by reference, the FDA has effectively declared that ISO 13485 is no longer a foreign standard that happens to be compatible with U.S. requirements. It is the U.S. requirement. The regulatory world is moving from parallel compliance systems to harmonized compliance systems — and that shift changes everything about how medical device organizations should think about ISO 13485.

Five Reasons This Changes the Calculation for Buying ISO 13485

1. The transition is already active The QMSR became effective February 2, 2026. This is not a future deadline — it has passed. Organizations that haven’t aligned their quality systems to ISO 13485 structure and terminology are already operating with a compliance gap. The time to purchase the standard and begin the alignment process was before February 2026. The second best time is now.

2. FDA inspections are now ISO-aligned FDA has retired the legacy Quality System Inspection Technique (QSIT) and replaced it with a new lifecycle-focused inspection model aligned with ISO 13485 structure and terminology. ISO 13485 processes — internal audits, management reviews, design controls, CAPA — are now the inspection framework. Documentation must map to ISO clauses and FDA-specific additions simultaneously.

3. Three specific gaps must be addressed Even organizations with mature ISO 13485 systems have gaps relative to QMSR requirements. The three most significant:

Risk management integration: QMSR requires risk-based thinking throughout the entire QMS — not just in design and development as ISO 13485 primarily addresses
Organizational knowledge: QMSR requires documented maintenance of knowledge necessary for QMS operation — a requirement with no direct ISO 13485 equivalent
Management review: QMSR requires more prescriptive management review inputs including post-market surveillance data, customer feedback trends, and risk management outputs

4. OEMs are pushing requirements down the supply chain Because OEMs must demonstrate QMSR compliance — which is built on ISO 13485 — they are increasingly requiring ISO 13485 certification from component suppliers, contract manufacturers, and sub-tier suppliers. This is the same pattern that happened with IATF 16949 in automotive and AS9100 in aerospace. If you supply to medical device OEMs, expect your customers to begin requiring ISO 13485 certification if they haven’t already.

5. ISO 13485 is becoming the global market access baseline The FDA explicitly states that harmonizing with ISO 13485 reduces global compliance burden and improves international market access. For manufacturers selling into the U.S., EU, Canada, Japan, Australia, or Brazil — ISO 13485 is the single unifying QMS framework. It is rapidly becoming the lowest common denominator for global device market access.

The bottom line: ISO 13485 is no longer a voluntary international standard that sophisticated U.S. manufacturers pursue for competitive advantage. It is the operating language of modern medical device quality compliance. Purchasing the official standard is the first step in speaking that language correctly.

Who Needs to Buy ISO 13485?

The short answer: anyone involved in the medical device supply chain who hasn’t already purchased the current edition.

Organizations that should purchase ISO 13485 immediately:

Medical device manufacturers that previously operated only under 21 CFR Part 820 — you now need to read the standard your quality system is being measured against
Component and sub-assembly suppliers whose OEM customers are beginning to require ISO 13485 certification
Contract manufacturers producing devices or components under contract
Organizations conducting ISO 13485 gap assessments against QMSR requirements
Quality managers, regulatory affairs professionals, and internal auditors responsible for QMS compliance

Organizations that should purchase ISO 13485 if they haven’t recently:

ISO 13485 certified organizations whose certification was built from summaries, consultant guidance, or older edition documents rather than the current 2016 text
Organizations planning to expand into medical device markets

For the complete guide to who needs ISO 13485 and what it requires, see What Is ISO 13485?

Where to Buy ISO 13485 — Authorized Sources Only

ISO 13485 is a copyrighted document. It cannot be legally downloaded for free. It must be purchased from authorized sources — organizations officially recognized to distribute the standard.

ANSI Webstore — Recommended Source

The ANSI Webstore is the authorized U.S. distributor for ISO standards — including ISO 13485:2016. ANSI serves both U.S. and international buyers with standards available in multiple languages, making it the practical choice for global organizations purchasing for teams across multiple markets.

Why ANSI is the recommended source:

Official authorized distributor — you receive the current edition with all published amendments
Multiple language options for international organizations
Immediate PDF download available after purchase
CC2026 coupon available for 5% off through December 31, 2026

→ ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

BSI Group — Training and Standard Combined

BSI Group is an accredited certification and training body offering ISO 13485 standard access alongside training courses and certification services. For organizations that need both the standard and lead implementer training, BSI is the most practical single-source option.

→ BSI Group ISO 13485 Training & Standard

For a complete guide to authorized sources for all ISO standards, see Where to Buy ISO Standards.

Available Formats — Which One Is Right for You?

Digital PDF — Most Practical for Implementation Teams

A digital PDF provides immediate access after purchase, is fully searchable by clause number and keyword, and integrates naturally into digital document management systems. For quality managers and regulatory affairs professionals working through QMSR gap assessments and QMS documentation development, searchability is essential — cross-referencing the standard constantly while building procedures, design controls, and CAPA systems.

Important: A single-user PDF license cannot be shared simultaneously with multiple users. Each team member requiring simultaneous access needs their own license.

Printed Copy

A physical copy is useful for training rooms, audit preparation environments, and for quality managers who prefer annotating a physical document during initial gap assessment and implementation planning.

Which Format for ISO 13485?

For implementation teams working through QMSR alignment, gap assessments, and QMS documentation development — PDF is the practical choice. The ability to search for a specific clause reference while building your documented procedures saves significant time compared to manually navigating a printed document.

For a full comparison of format options, see Digital vs Printed ISO Standards.

Digital vs printed ISO standards comparison showing PDF access on a tablet and printed ISO documents for field use and document control — Digital ISO standards offer speed and flexibility, while printed copies provide stronger document control and field usability.

How Much Does ISO 13485 Cost?

Item	Typical Cost
ISO 13485:2016 standard (PDF)	$175–$225
ISO 14971:2019 — Risk management for medical devices	$150–$200
ISO 9001:2015 — QMS foundation	$150–$200
ISO 13485 lead implementer training	$2,000–$4,000 per person
ISO 13485 internal auditor training	$1,500–$3,000 per person

Note on ISO 13485 pricing: ISO 13485 pricing is consistent across authorized distributors with limited discounting options — reflecting its status as a tightly controlled regulatory reference document.

The bundle opportunity: ISO 13485 implementation typically requires ISO 14971 for risk management and ISO 9001 as a reference for the QMS foundation elements. Buying multiple ISO standards together saves up to 50% compared to individual purchases.

→ Use coupon CC2026 for 5% off → Apply at ANSI

→ Save buying multiple standards together → ISO Standards Packages — ANSI Webstore

In the context of total ISO 13485 certification costs — which range from $15,000 to $100,000+ for most organizations — the standard purchase represents the lowest-cost, highest-leverage investment in the entire project.

What’s Included in the Official ISO 13485 Document

Clean infographic illustrating the core requirements of ISO 13485 for medical device quality management systems, including leadership, resource management, product realization, and patient safety compliance. — ISO 13485 integrates regulatory compliance, risk management, traceability, and patient safety into a structured medical device quality management system.

Understanding what you receive when you purchase the official standard helps you use it more effectively during gap assessment and implementation.

The QMS Framework Text — Clauses 4 Through 8

ISO 13485 is organized around five auditable clause groups covering the complete quality management system:

Clause 4 — Quality Management System: QMS scope, documentation requirements, record control, and the overall system framework. More prescriptive than ISO 9001 on documentation — longer retention periods, stricter obsolescence controls.

Clause 5 — Management Responsibility: Leadership accountability, quality policy, management review requirements, and organizational responsibility structure. QMSR adds more prescriptive management review inputs beyond what Clause 5 alone requires.

Clause 6 — Resource Management: Competence requirements, training documentation, work environment controls including contamination prevention for sterile and clean device manufacturing.

Clause 7 — Product Realization: The most distinctive ISO 13485 content — customer requirements, design and development with Design History File requirements, purchasing and supplier controls, production controls, device identification and traceability, product preservation, and monitoring and measurement.

Clause 8 — Measurement, Analysis, and Improvement: Internal audit, monitoring of processes and product, control of nonconforming product, data analysis, and the CAPA system. More prescriptive than ISO 9001 in CAPA structure and complaint handling requirements.

Medical Device-Specific Requirements

Throughout Clauses 4–8, ISO 13485 includes medical device-specific requirements that have no direct ISO 9001 equivalent:

Sterile device requirements
Implantable device traceability to patient level
Complaint handling connected to adverse event reporting obligations
Post-market surveillance integration
Device-specific validation requirements

Annexes and Regulatory Guidance

ISO 13485 includes informative annexes providing correspondence tables between ISO 13485 requirements and the quality system regulations of major markets — including FDA, EU MDR, Health Canada, and TGA. These correspondence tables are practically valuable during gap assessment and when demonstrating regulatory compliance to multiple authorities simultaneously.

How to Verify You’re Buying the Current Edition

ISO 13485:2016 is the current active edition. There are no major revisions in process as of 2026 — the 2016 edition remains current and applicable.

How to verify:

Purchase from ANSI or another authorized distributor — they maintain current editions
Verify the edition year — ISO 13485:2016 is current
The QMSR incorporates ISO 13485:2016 specifically by reference — ensure you have the 2016 edition, not the 2003 edition

What to avoid:

Unofficial free PDFs — almost always outdated, missing amendments, or the superseded 2003 edition
Third-party resellers who may not stock the current edition

Can You Download ISO 13485 for Free?

No. ISO 13485 is a copyrighted document. It cannot be legally downloaded for free. Free copies found online are unauthorized — typically the superseded 2003 edition, missing amendments, or incomplete documents.

In the context of QMSR compliance, using an outdated or unofficial copy creates a specific risk: the QMSR incorporates ISO 13485:2016 specifically. A quality system built from the 2003 edition or an unofficial copy may not reflect the current requirements the FDA is now inspecting against.

For guidance on legal access to standards, see How to Legally Download ANSI Standards.

Do You Need to Buy ISO 13485 to Get Certified?

Yes — and in the QMSR context, the answer is more emphatic than it is for any other ISO standard.

FDA inspectors are now using ISO 13485 structure and terminology as their inspection framework. Quality managers being interviewed during FDA inspections are expected to demonstrate understanding of ISO 13485 requirements — not just familiarity with their own procedures. Auditors evaluating ISO 13485 certification specifically evaluate whether your quality system reflects the actual requirements of the standard’s text.

Organizations that implemented their quality systems from consultant checklists, training slides, or summaries — without reading the actual standard — consistently produce documentation with interpretation gaps. Those gaps generate audit findings in certification audits and, under QMSR, potentially in FDA inspections as well.

The standard costs $175–$225. A single major nonconformance finding requiring corrective action and re-audit costs more than that. The standard is the lowest-cost, highest-leverage investment in your entire compliance program.

Licensing Rules

With a single-user license, you can:

Read and reference the standard personally
Use it to develop your organization’s QMS documentation
Print a personal copy for your own reference

With a single-user license, you cannot:

Share the PDF simultaneously with multiple team members
Post it to a network drive for team access
Email it to external parties — consultants, customers, or suppliers

For team access: Purchase a multi-user license or individual copies for each person requiring simultaneous access. Implementation teams working through gap assessments and documentation development typically need multiple copies accessible simultaneously.

ISO 13485 implementation typically requires several companion standards:

Standard	Purpose	Where to Get It
ISO 14971:2019	Risk management for medical devices — required throughout the device lifecycle	ANSI Webstore
ISO 9001:2015	QMS foundation reference — useful alongside ISO 13485	ANSI Webstore — use coupon CC2026
IEC 62304	Software lifecycle requirements for medical device software	ANSI Webstore
ISO 15223-1	Symbols for medical devices — labeling requirements	ANSI Webstore
EU MDR (2017/745)	EU regulatory framework — free from EUR-Lex	EUR-Lex
FDA QMSR Final Rule	U.S. regulatory framework incorporating ISO 13485	FDA.gov — free download

→ Save buying multiple ISO standards together → ISO Standards Packages — ANSI Webstore

What to Do After Purchasing ISO 13485

Step 1 — Read the standard completely before building anything Start with Clause 4 and read through Clause 8. Read every requirement. Read the medical device-specific additions. Read the annexes — the regulatory correspondence tables are practically valuable. Organizations that begin documentation before reading the complete standard consistently produce QMS systems with interpretation gaps.

Step 2 — Download the FDA QMSR Final Rule Available free at FDA.gov. Read it alongside ISO 13485 — specifically the preamble, which explains the FDA’s intent and the specific additions to ISO 13485 requirements that QMSR imposes. The three gaps — risk management integration, organizational knowledge, management review — are explained in the preamble.

Step 3 — Conduct a gap assessment Compare your current quality system against ISO 13485 requirements clause by clause. If you’re currently operating under 21 CFR Part 820, the gap assessment should specifically address the QMSR additions beyond ISO 13485. If you have no prior QMS, the gap assessment establishes your baseline.

Step 4 — Purchase ISO 14971 Risk management per ISO 14971 is woven throughout ISO 13485 requirements — it is not optional or separable. ISO 14971 should be purchased and read as a companion to ISO 13485 before documentation development begins.

Step 5 — Get your team trained ISO 13485 lead implementer training is more specialized than ISO 9001 training — it must address both the standard requirements and the regulatory frameworks your QMS will support.

→ BSI Group ISO 13485 Training

Step 6 — Build your QMS documentation With the standard read, the QMSR requirements understood, and your team trained — documentation development can begin systematically rather than reactively.

Step 7 — Pursue certification → ISOQAR ISO 13485 Certification

Frequently Asked Questions

Where can I buy ISO 13485?

The ANSI Webstore is the recommended authorized U.S. distributor for ISO 13485:2016 — serving U.S. and international buyers in multiple languages. Use coupon CC2026 for 5% off through December 31, 2026. → ISO 13485:2016 — ANSI Webstore

How much does ISO 13485 cost?

The official ISO 13485:2016 standard typically costs $175–$225 for a single-user PDF from authorized distributors.

Is ISO 13485 required for FDA compliance?

Yes — effectively. The FDA’s 2024 QMSR final rule directly incorporates ISO 13485:2016 by reference as the foundational quality system framework. The QMSR became effective February 2, 2026. Organizations must align their quality systems to ISO 13485 structure and requirements to meet QMSR obligations.

What is the difference between ISO 13485 and 21 CFR Part 820?

21 CFR Part 820 was the legacy FDA Quality System Regulation. The FDA replaced it with the QMSR in 2024, which incorporates ISO 13485:2016 directly. The QMSR adds three specific requirements beyond ISO 13485 — risk management integration throughout the QMS, organizational knowledge documentation, and more prescriptive management review inputs.

Is ISO 13485 available as a free download?

No. ISO 13485 is a copyrighted document. Free downloads are unauthorized — typically the superseded 2003 edition or incomplete documents. Using an outdated edition for QMSR compliance creates specific regulatory risk since the QMSR incorporates the 2016 edition specifically.

Do I need ISO 14971 as well?

Yes — for any medical device manufacturer. ISO 14971 defines the risk management process for medical devices and is referenced throughout ISO 13485 requirements. It is a required companion standard, not optional supplementary reading.

What is the current edition of ISO 13485?

ISO 13485:2016 is the current active edition and the specific edition incorporated by reference in the FDA’s QMSR.

Can I share my ISO 13485 PDF with my quality team?

A single-user PDF license cannot be shared simultaneously. Each person requiring simultaneous access needs their own license. Contact your distributor for multi-user licensing options.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide — the quality management foundation that supports ISO 13485 implementation
👉 Manufacturing Compliance Checklist — quality and regulatory compliance requirements
👉 Supplier Quality Checklist — supplier qualification requirements applicable to medical device supply chains

Not Sure What to Do Next?

🔹 You’re ready to purchase ISO 13485:2016 → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

🔹 You need ISO 14971 — required risk management companion → ISO Standards — ANSI Webstore — use coupon CC2026 for 5% off

🔹 You need ISO 9001:2015 — the QMS foundation reference → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off

🔹 You want to save buying multiple standards together → Save up to 50% on ISO Standards Packages — ANSI Webstore

🔹 You need ISO 13485 training before implementation → BSI Group ISO 13485 Training

🔹 You’re ready to pursue ISO 13485 certification → ISOQAR ISO 13485 Certification

🔹 You want to understand what ISO 13485 requires → What Is ISO 13485?

🔹 You want to understand the FDA QMSR transition → Coming soon — FDA QSR vs ISO 13485: The Complete QMSR Transition Guide

🔹 You want to understand certification costs → Coming soon — How Much Does ISO 13485 Cost? → ISO Certification Cost Calculator

🔹 You want to choose the right certification body → Best ISO Certification Bodies — Ranked & Reviewed

🔹 You want to understand supplier quality requirements → Supplier Quality Requirements for Manufacturers → What ISO Standards Do Tier 1 Suppliers Need?

The Standard Is the Starting Point

ISO 13485 is the operating language of modern medical device quality compliance. The QMSR has made that true in U.S. federal regulation, not just in international supply chains. EU MDR has made it true in Europe. Health Canada, TGA, PMDA, and ANVISA have made it true in every major market.

Organizations that are fluent in that language — that have read the standard, understood its requirements, and built quality systems that reflect its actual text — are the ones positioned for the FDA’s new inspection approach, for OEM supplier qualification requirements, and for global market access.

The standard costs less than a dinner for two. The quality system it enables is worth far more than that.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO 14001 Certification Guide: Everything You Need to Know (2026)

ISO 14001:2026 was published April 15, 2026 — replacing ISO 14001:2015 as the world’s leading environmental management standard. If your organization is currently certified, you have until April 2029 to transition. If you’re pursuing certification for the first time, this is the standard you’re working toward. This complete guide covers every change, the full transition timeline, and exactly what your organization needs to do next.

The complete guide to ISO 14001:2026 environmental management certification — what changed from 2015, requirements, costs, audit process, transition timeline, and how to get certified in 2026.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

Environmental Compliance Is No Longer Optional — And the Standard Just Changed

The pressure on manufacturers, contractors, and industrial operations to demonstrate environmental responsibility has never been higher. Customers are demanding it. Regulators are tightening requirements. And supply chain qualification processes increasingly include environmental management as a prerequisite — not a preference.

On April 15, 2026, the International Organization for Standardization published ISO 14001:2026 — the new edition of the world’s most widely used environmental management standard. It replaces ISO 14001:2015 and sets new priorities for environmental management systems across every industry.

If your organization is currently certified to ISO 14001:2015, you have until April 2029 to transition. If you’re pursuing certification for the first time, you’re now working toward the 2026 version.

This guide covers everything — what changed, what the standard requires, how much certification costs, how the audit process works, and exactly what your organization needs to do next.

In This Guide

What’s new in ISO 14001:2026 and what changed from 2015
The full ISO 14001:2026 transition timeline
What ISO 14001 actually requires clause by clause
Who needs ISO 14001 certification and why
The complete certification process step by step
How much ISO 14001 certification costs in 2026
How to implement ISO 14001 in a manufacturing environment
Common audit findings and how to avoid them
Where to get the standard, training, and certification support

👉 Start Here (Top Resources)

👉 Get ISO 14001 certified with an accredited certification body → ISOQAR ISO 14001 Certification

👉 Get ISO 14001:2026 training for your team → BSI Group ISO 14001 Training

👉 Purchase the official ISO 14001:2026 standard → ISO 14001:2026 — ANSI Webstore

👉 Save on the full ISO 14001 standards collection → ISO 14001 Collection — ANSI Webstore

👉 Save up to 50% buying ISO standards as a bundle → ISO Standards Packages — ANSI Webstore

👉 Use coupon code CC2026 for 5% off ISO standards at checkout → ANSI Webstore (valid through December 31, 2026)

What Is ISO 14001:2026?

ISO 14001:2026 is the fourth edition of the internationally recognized standard for environmental management systems (EMS). Published by the International Organization for Standardization on April 15, 2026, it replaces ISO 14001:2015 — including the climate change amendment introduced in 2024 — and sets new requirements for how organizations identify, manage, and improve their environmental performance.

Over 670,000 organizations in more than 170 countries hold ISO 14001 certification. It is the most widely recognized environmental management standard in the world — and in many industries, it is becoming as expected as ISO 9001.

What ISO 14001 Is — And What It Isn’t

ISO 14001:2026 does not specify what your environmental performance targets must be. It does not require you to achieve a certain emissions level or waste reduction percentage. What it requires is that you:

Identify the environmental aspects of your operations and their potential impacts
Understand your legal, regulatory, and other environmental obligations
Set measurable objectives to improve environmental performance
Build systems to control and monitor your environmental impacts
Demonstrate ongoing improvement over time

This distinction matters. ISO 14001 is a management system standard — it defines how you manage your environmental responsibilities, not what the outcome must be.

What Changed from ISO 14001:2015 to ISO 14001:2026

The 2026 revision does not reinvent the standard. It sharpens it. The core structure (Clauses 4–10) remains intact, and no entirely new requirements are introduced. What changes are clarifications, stronger language, and expanded scope on several critical topics.

Here’s a clause-by-clause breakdown of the key changes:

Clause 4 — Context of the Organization

What changed: Environmental conditions must now be explicitly considered in your context analysis. This means your organization must assess how issues like climate change, biodiversity loss, pollution levels, and natural resource availability affect — and are affected by — your operations. The EMS scope must also reflect a lifecycle approach.

Your action: Update your context analysis and stakeholder maps to explicitly reference environmental conditions. Revise your EMS scope definition to reflect lifecycle considerations.

Clause 5 — Leadership and Commitment

What changed: Updated terminology — “meet compliance obligations” replaces “fulfil compliance obligations.” Greater emphasis is placed on conserving natural resources and protecting ecosystems within the environmental policy commitments.

Your action: Revise your environmental policy to reflect updated language and ensure active executive engagement — not just authorization.

Clause 6 — Planning

What changed: This is the most significant structural change in the 2026 revision:

New Clause 6.3 — A formal, structured approach to managing EMS-related change is now required. Change management must be planned and controlled.
Emergency situations are now separated from abnormal operations for greater clarity
Planning is restructured into two sub-clauses: 6.1.4 (identify risks and opportunities) and 6.1.5 (plan actions accordingly)

Your action: Build a change management process into your EMS. Refresh your risk registers, aspect-impact evaluations, and planning documentation against the new sub-clause structure.

Clause 7 — Support

What changed: Terminology is now standardized — all EMS records must be “available as documented information.” Communication requirements are strengthened to explicitly empower employees to contribute to continual improvement.

Your action: Review all documentation references for terminology consistency. Strengthen internal communication processes around environmental responsibilities.

Clause 8 — Operations

What changed: “Outsourced processes” are now referred to as “externally provided processes, products or services” — aligning with ISO 9001 language. Operational control must now explicitly extend to suppliers and partners. Emergency preparedness must align with risk planning under Clause 6.1.2.

Your action: Review supplier and contractor controls. Update emergency preparedness procedures to align with Clause 6.1.2 risk planning.

Clause 9 — Performance Evaluation

What changed: An explicit requirement to evaluate both environmental performance AND EMS effectiveness is introduced. Internal audits must now define objectives in addition to scope and criteria. Management reviews are restructured into three sub-clauses: inputs, process, and results.

Your action: Update internal audit planning to include objectives. Restructure management review records to reflect the new three-part format.

Clause 10 — Improvement

What changed: Clause 10.1 has been removed — its content is now integrated into 10.2 (nonconformity and corrective action) and 10.3 (continual improvement). A clearer linkage is established between Clause 9 performance findings and Clause 10 improvement actions.

Your action: Update your nonconformance and corrective action procedures. Strengthen root cause analysis and improvement tracking systems.

ISO 14001:2026 Transition Timeline

Milestone	Date
ISO 14001:2015 published	September 2015
Climate change amendment (Amd1)	2024
Draft International Standard (DIS)	June 2025
Final Draft International Standard (FDIS)	January 2026
ISO 14001:2026 published	April 15, 2026
Transition deadline	April 2029

What the transition means for your organization:

Currently certified to ISO 14001:2015: Your certificate remains valid until April 14, 2029 at the latest. You must transition to ISO 14001:2026 before that deadline to maintain valid certification. Most certification bodies will incorporate transition audits into your existing surveillance and recertification cycle.

Pursuing certification for the first time: You are now working toward ISO 14001:2026 — not the 2015 version. Certification bodies have begun accreditation for the 2026 edition.

Recommended approach: Start your gap assessment against ISO 14001:2026 now. Organizations that plan and execute their transition early avoid the certification bottleneck that typically occurs in the final 12 months before a deadline.

→ Get transition support and ISO 14001:2026 certification → ISOQAR ISO 14001 Certification

→ Get ISO 14001:2026 transition training → BSI Group ISO 14001 Training

Who Needs ISO 14001 Certification?

ISO 14001 is a voluntary standard — no single law makes it universally mandatory. But in practice, market forces and supply chain requirements have made it effectively mandatory in many industries.

ISO 14001 for production facilities feature image showing industrial plant with environmental sustainability icons, emissions control, and compliance themes — ISO 14001 helps production facilities manage environmental impact, reduce risk, and stay compliant with regulations.

Organizations That Need ISO 14001

Manufacturers with significant environmental footprints

Any manufacturing operation generating waste, using hazardous materials, emitting process gases, discharging wastewater, or consuming significant energy has environmental aspects that need systematic management. ISO 14001 provides the framework — and certification proves the management is real.

Tier 1 and Tier 2 suppliers in regulated supply chains

Automotive, aerospace, energy, and defense supply chains increasingly require ISO 14001 certification from their suppliers. If you supply to an ISO 14001 certified OEM, expect the requirement to flow down. See What ISO Standards Do Tier 1 Suppliers Need? for the full picture.

Construction and civil engineering contractors

Large public and private construction projects routinely require ISO 14001 from general contractors and major subcontractors. Environmental management during construction — dust, noise, runoff, waste disposal — is a significant contractual concern.

Organizations pursuing government or public sector contracts

Many government procurement frameworks give preference or mandatory status to ISO 14001 certified suppliers, particularly in Europe, the UK, and increasingly in North America.

Organizations already certified to ISO 9001

If you’re ISO 9001 certified, adding ISO 14001 is significantly more efficient than starting from scratch. Both standards share the same High Level Structure — meaning your existing management system infrastructure, internal audit program, and management review process can be extended to cover environmental requirements without rebuilding from the ground up. See Integrated Management Systems for how this works.

Organizations with ESG commitments and disclosure obligations

Environmental, Social, and Governance (ESG) reporting has moved from voluntary disclosure to investor expectation — and in many jurisdictions, regulatory requirement. ISO 14001:2026 certification provides something ESG self-reporting cannot: independently audited, third-party verified environmental credentials.

As regulators, investors, and lenders increasingly scrutinize the accuracy of environmental claims, the difference between self-reported ESG data and certified EMS performance is becoming a material business consideration. ISO 14001:2026 certification demonstrates that your environmental management system has been evaluated by an accredited third party against internationally recognized requirements — not just internally assessed and disclosed.

For organizations subject to ESG scrutiny from investors or lenders, or those preparing for mandatory climate-related disclosure requirements, ISO 14001:2026 certification provides a credible, audited foundation that strengthens the defensibility of environmental performance claims. → ISOQAR ISO 14001 Certification

ISO 14001:2026 Requirements — Clause by Clause

ISO 14001:2026 uses the Harmonized Structure (HS) — the same framework used by ISO 9001 and ISO 45001. Clauses 4 through 10 cover the fundamental management system elements, with environmental-specific requirements layered throughout.

Clause 4 — Context of the Organization

Your organization must understand its internal and external context — now explicitly including environmental conditions such as climate change impacts, biodiversity, pollution levels, and natural resource availability. You must identify interested parties and their environmental expectations. Your EMS scope must reflect a lifecycle approach.

Clause 5 — Leadership

Top management must demonstrate active commitment to the EMS. The environmental policy must include commitments to protect the environment and natural resources, meet compliance obligations, and continually improve EMS effectiveness. Leadership accountability has been strengthened throughout the 2026 revision.

Clause 6 — Planning

The strategic core of ISO 14001:2026. Organizations must:

Identify environmental aspects and their impacts under normal, abnormal, and emergency conditions
Determine significant environmental aspects using documented criteria
Identify all compliance obligations
Address risks and opportunities (new structure: 6.1.4 and 6.1.5)
Set measurable environmental objectives with documented plans
Manage EMS-related changes through a structured change management process (new Clause 6.3)

Clause 7 — Support

Resources, competence, awareness, communication, and documented information. All personnel whose work affects the environment must be competent and aware of their role. Communication must empower employees to actively contribute to continual improvement.

→ Get your team trained → BSI Group ISO 14001 Training

Clause 8 — Operation

Operational planning and control covering significant environmental aspects. Controls must now explicitly extend to externally provided processes, products, and services — your suppliers and contractors. Emergency preparedness must align with risk planning from Clause 6.1.2.

Clause 9 — Performance Evaluation

Monitoring, measurement, analysis, and evaluation of both environmental performance and EMS effectiveness. Internal audits must define objectives in addition to scope and criteria. Management reviews are restructured into three sub-clauses: inputs, process, and results.

Clause 10 — Improvement

Nonconformities must be investigated and addressed through corrective action. The linkage between performance evaluation findings (Clause 9) and improvement actions (Clause 10) is now explicitly required — not implied.

For a comparison of how ISO 14001 requirements align with ISO 9001, see ISO 9001 vs ISO 14001.

The ISO 14001 Certification Process Step by Step

Step 1 — Purchase the ISO 14001:2026 Standard

Before building your EMS, purchase the authoritative source. → ISO 14001:2026 — ANSI Webstore. Use coupon code CC2026 to save 5% through December 31, 2026.

Step 2 — Conduct a Gap Assessment

Compare your current environmental management practices against ISO 14001:2026 requirements. If you’re transitioning from ISO 14001:2015, focus your gap assessment on the new and changed requirements — particularly Clause 6.3 (change management), the expanded Clause 4 context requirements, and the restructured Clause 9 and 10 elements.

Step 3 — Define Your EMS Scope

Determine which parts of your organization, locations, and activities are covered. Scope must now reflect a lifecycle approach — from procurement of inputs through end-of-life of products and services.

Step 4 — Identify Environmental Aspects and Impacts

For every activity, product, and service your organization performs, identify what interacts with the environment, what the potential impact could be, and whether conditions are normal, abnormal, or emergency. Under ISO 14001:2026, this must explicitly include consideration of climate change impacts, biodiversity, and natural resource use.

Step 5 — Identify Compliance Obligations

Every environmental legal requirement, permit condition, customer requirement, and voluntary commitment must be identified, documented, and tracked. Terminology note: ISO 14001:2026 uses “meeting compliance obligations” rather than the 2015 term “fulfilling.”

Step 6 — Build Your Change Management Process (New for 2026)

New Clause 6.3 requires a structured approach to managing changes that affect your EMS. Document how your organization identifies, evaluates, and controls planned changes — and how unplanned changes are addressed.

Step 7 — Build Your EMS Documentation

All required documented information must be in place before your certification audit. See What Documentation ISO 14001 Requires below.

Step 8 — Train Your Team

All personnel with environmental responsibilities must be trained and competent. Awareness must reach all employees whose work can affect the environment.

→ ISOQAR ISO 14001 Training → BSI Group ISO 14001 Training

For the full training sequence, see ISO Training for Manufacturing Teams.

Step 9 — Operate Your EMS

Run your EMS for a meaningful period before your certification audit — typically three to six months minimum. You need records demonstrating the system is actually operating, not just documented.

Step 10 — Conduct an Internal Audit

Audit your own EMS against every ISO 14001:2026 requirement before your certification body arrives. Internal audit objectives must now be defined alongside scope and criteria.

Step 11 — Conduct a Management Review

Top management must review EMS performance. Under ISO 14001:2026, management review is now structured into three sub-clauses: inputs, process, and results — all must be documented.

Step 12 — Stage 1 Audit (Documentation Review)

Your certification body reviews your EMS documentation to verify completeness and readiness for Stage 2.

Step 13 — Stage 2 Audit (Certification Audit)

Full on-site audit verifying your documented system is implemented. Successful completion results in ISO 14001:2026 certification.

→ ISOQAR ISO 14001 Certification

How Much Does ISO 14001 Certification Cost?

ISO 14001 certification cost breakdown showing calculator, stacked coins, and financial documents representing environmental management system implementation expenses.

Cost Category	Typical Range	Notes
ISO 14001:2026 Standard	$150–$200	Required — purchase from ANSI
Gap Assessment	$1,500–$5,000	Internal or consultant-led
Training	$500–$3,000 per person	Based on course level
Implementation (internal labor)	$5,000–$20,000	Highly variable by size
Stage 1 Audit	$1,500–$4,000	Certification body fee
Stage 2 Audit	$3,000–$8,000	Certification body fee
Annual Surveillance Audits	$2,000–$5,000/year	Required to maintain certification
Recertification (every 3 years)	$3,000–$7,000	Full audit cycle

Total first-year investment for a small to mid-size manufacturer: $12,000–$40,000 depending on implementation approach and existing system maturity.

For currently certified organizations transitioning from ISO 14001:2015, transition costs are significantly lower — most of your system is already in place. Focus cost planning on gap assessment, training on the 2026 changes, and documentation updates.

→ Save on standard purchases — use coupon code CC2026 for 5% off ISO 14001:2026 at the ANSI Webstore through December 31, 2026.

For a full cost breakdown, see How Much Does ISO 14001 Cost? and How Much Does ISO Certification Cost?

How Long Does ISO 14001 Certification Take?

Phase	Duration
Gap assessment and planning	4–6 weeks
Aspect identification and compliance register	4–8 weeks
Documentation development	6–10 weeks
Team training	2–4 weeks (overlapping)
EMS operation and record generation	8–12 weeks minimum
Internal audit and management review	2–3 weeks
Stage 1 audit and gap closure	2–4 weeks
Stage 2 audit	1–2 days on-site

New certification (starting from scratch): 6–12 months Transition from ISO 14001:2015: 3–6 months for most organizations

For a fully sequenced implementation roadmap, see ISO Implementation Timeline for Manufacturers.

How ISO 14001 Works With ISO 9001 and ISO 45001

Integrated Management System diagram showing ISO 9001, ISO 14001, and ISO 45001 overlap for quality, environmental, and safety management — A visual representation of how ISO 9001, ISO 14001, and ISO 45001 integrate into a single management system to improve quality, environmental performance, and workplace safety.

ISO 14001:2026 uses the same Harmonized Structure as ISO 9001:2015 and ISO 45001:2018 — meaning your management review, internal audit, document control, and corrective action processes can serve all three systems simultaneously.

ISO 14001 + ISO 9001 The most common combination in manufacturing. Organizations pursuing both certifications together typically reduce combined implementation time by 30–40%. See ISO 9001 vs ISO 14001.

ISO 14001 + ISO 45001 Environmental and safety management systems share significant overlap in manufacturing. Many organizations pursue both as a combined EHS management system. See ISO 14001 vs ISO 45001.

ISO 14001 + ISO 50001 ISO 50001 covers energy management. For energy-intensive operations, combining ISO 14001 with ISO 50001 creates a powerful framework for managing both environmental impact and energy costs. → ISO 50001 — ANSI Webstore

The Integrated Management System Approach Organizations pursuing ISO 9001 + ISO 14001 + ISO 45001 together can implement a single integrated system satisfying all three standards simultaneously — reducing documentation overhead and simplifying auditing. See Integrated Management Systems.

→ Save on purchasing all three standards together → ISO Standards Packages — ANSI Webstore

How to Implement ISO 14001 in a Manufacturing Environment

Manufacturing operations typically generate environmental aspects across these categories:

Air emissions — welding fumes, paint booth exhaust, dust from grinding and cutting, VOC emissions from coatings and solvents
Water — process wastewater, stormwater runoff, cooling water discharge, chemical spills
Waste — metal scrap, used cutting fluids, spent solvents, contaminated PPE, hazardous waste streams
Energy — electricity from machinery, compressed air, HVAC, lighting
Land — chemical storage and spill potential, contaminated soil from historical operations
Biodiversity, ecosystems, and natural capital (new in ISO 14001:2026) — how your operations affect local ecosystems, water quality, soil health, and biodiversity must now be explicitly evaluated. This means assessing how water usage, chemical discharge, land use, and waste disposal impact the natural environment beyond your facility boundary — not just your direct emissions and waste streams.

Each must be assessed for significance and controlled within your EMS.

Key Environmental Controls for Manufacturers

Hazardous material storage and secondary containment
Spill response procedures and spill kit placement
Waste segregation and labeling systems
Environmental permit tracking and compliance monitoring
Air emission monitoring where required
Stormwater pollution prevention plans
Energy consumption monitoring and reduction targets
Supplier environmental controls (now explicitly required under ISO 14001:2026 Clause 8)

For a full breakdown, see ISO 14001 for Production Facilities and Environmental Standards for Manufacturing.

What Documentation ISO 14001 Requires

A Note on Annex A

ISO 14001:2026 includes Annex A — a non-mandatory but highly practical section that provides implementation guidance directly within the standard document. Annex A clarifies the intent behind specific clauses, offers examples of how requirements can be applied in different organizational contexts, and addresses common areas of misinterpretation. It does not add new requirements — but it significantly reduces the guesswork involved in implementing the standard correctly. When you purchase the official ISO 14001:2026 document, Annex A is included. It is one of the most underused resources available to first-time implementers and is worth reading in full before beginning documentation development.

Document / Record	Clause	Audit Risk if Missing
Environmental Policy	5.2	Major nonconformance
EMS Scope	4.3	Major nonconformance
Environmental Aspects Register	6.1.2	Major nonconformance
Significant Environmental Aspects	6.1.2	Major nonconformance
Compliance Obligations Register	6.1.3	Major nonconformance
Risk and Opportunity Register	6.1.4	Major nonconformance
Actions to Address Risks and Opportunities	6.1.5	Major nonconformance
Change Management Process (NEW 2026)	6.3	Major nonconformance
Environmental Objectives and Plans	6.2	Major nonconformance
Competence / Training Records	7.2	Minor to major finding
Operational Control Procedures	8.1	Major nonconformance
Emergency Preparedness Procedures	8.2	Major nonconformance
Monitoring and Measurement Records	9.1	Minor to major finding
Compliance Evaluation Records	9.1.2	Major nonconformance
Internal Audit Records (with objectives)	9.2	Major nonconformance
Management Review Records (3 sub-clauses)	9.3	Minor to major finding
Nonconformance and Corrective Action Records	10.2	Minor to major finding

For implementation support and documentation resources, see ISO Documentation Kits for Manufacturers.

Common ISO 14001 Audit Findings

1. Incomplete Environmental Aspects Register The most common major finding — particularly under the 2026 version where climate change, biodiversity, and ecosystem impacts must now be explicitly evaluated. Organizations that carry over their 2015 aspects register without updating it for 2026 requirements will face findings.

2. No Change Management Process (New Finding for 2026) New Clause 6.3 requires a structured approach to managing EMS-related changes. Organizations transitioning from 2015 without building this process will receive a major nonconformance.

3. Compliance Register Not Current A register built during implementation but never maintained is a finding. Regulations change — your register must be actively managed.

4. Environmental Objectives Without Plans Setting objectives is not enough — ISO 14001:2026 requires documented plans with actions, responsibilities, timelines, and performance indicators.

5. Supplier Controls Missing The 2026 revision strengthens requirements for controlling externally provided processes. Organizations that only control their own operations without extending controls to key suppliers will face findings.

6. Internal Audit Without Defined Objectives New in 2026 — internal audits must define objectives in addition to scope and criteria. Carrying over 2015-era audit plans without adding objectives will generate a finding.

7. Management Review Not Following 2026 Structure The three-part structure (inputs, process, results) must be reflected in your management review records. Undocumented reviews or reviews that don’t cover all required inputs are consistent findings.

8. Emergency Response Not Tested ISO 14001 requires that emergency preparedness procedures be tested periodically. No drill records means no compliance evidence.

For context on what non-compliance costs, see Cost of Non-Compliance in Manufacturing.

Maintaining Certification After Your Initial Audit

ISO 14001 certification is valid for three years — subject to annual surveillance audits in years one and two. A full recertification audit is required in year three.

For ISO 14001:2015 certificate holders: Your certificate remains valid until April 14, 2029. Your certification body will work with you to transition your certificate to ISO 14001:2026 — typically through your next scheduled surveillance or recertification audit.

What keeps certification on track:

Active compliance register maintenance
Ongoing internal audit program (with objectives defined)
Annual management review (following new three-part structure)
Environmental objectives monitored and updated
Corrective actions tracked and closed
Training records maintained for new personnel
Change management process operating for EMS-related changes

📥 Free Resources

👉 ISO 9001 Roadmap (Step-by-Step Implementation Guide)
👉 Manufacturing Compliance Checklist
👉 Supplier Quality Checklist

Frequently Asked Questions

What is ISO 14001:2026?

ISO 14001:2026 is the fourth edition of the international standard for environmental management systems, published April 15, 2026. It replaces ISO 14001:2015 and introduces stronger requirements around climate change, biodiversity, change management, supplier controls, and internal audit objectivity.

Do I need to recertify if I’m already certified to ISO 14001:2015?

Not immediately. Your ISO 14001:2015 certificate remains valid until April 14, 2029. However, you must transition to ISO 14001:2026 before that deadline. Start your gap assessment now — organizations that plan early avoid the certification rush in 2028–2029.

What are the biggest changes in ISO 14001:2026?

The most significant changes are: new Clause 6.3 requiring a structured change management process, expanded Clause 4 requirements explicitly including climate change and biodiversity, restructured planning sub-clauses (6.1.4 and 6.1.5), strengthened supplier controls in Clause 8, internal audit objectives requirement in Clause 9, and restructured management review in three sub-clauses.

Is ISO 14001 mandatory?

ISO 14001 is a voluntary standard — no single law makes it universally mandatory. However, it is increasingly required by customers, supply chain qualification programs, and government procurement frameworks. See Are ISO Standards Mandatory?

How long is ISO 14001:2026 certification valid?

ISO 14001:2026 certification is valid for three years, subject to annual surveillance audits in years one and two. A full recertification audit is required in year three.

Can I get ISO 14001 certified without ISO 9001?

Yes. ISO 14001 can be implemented and certified independently. However, organizations already certified to ISO 9001 can leverage their existing management system infrastructure to significantly reduce implementation time and cost.

Where can I buy ISO 14001:2026?

Purchase the official standard from the ANSI Webstore. Use coupon code CC2026 for 5% off through December 31, 2026. Only the official standard is accepted as the authoritative reference in certification audits.

How do I choose an ISO 14001 certification body?

Look for accreditation from a recognized national accreditation body. Ensure the certification body has experience in your industry and with the 2026 revision. ISOQAR is accredited and offers both ISO 14001 training and certification services.

What’s the difference between ISO 14001 and ISO 50001?

ISO 14001 covers environmental management broadly. ISO 50001 focuses specifically on energy management. The two are complementary and can be implemented together for maximum environmental and energy performance impact.

What is the difference between adopting ISO 14001 and getting certified?

Adoption means implementing the ISO 14001:2026 framework internally without formal third-party certification. Certification means an accredited certification body audits your system and issues a certificate confirming conformance to the standard.
Both deliver real value. Certification adds external credibility — independently verified evidence that your EMS meets the standard, which customers, supply chain partners, and investors increasingly expect. If your customers or supply chain qualification programs require ISO 14001, certification is typically necessary. If you’re implementing for internal improvement or ESG reporting support, adoption without certification may be sufficient for now. Many organizations start with adoption and pursue certification when contractual requirements demand it.

Not Sure What to Do Next?

🔹 You’re ready to pursue ISO 14001:2026 certification → ISOQAR ISO 14001 Certification — accredited ISO 14001:2026 certification from an experienced certification body

🔹 You need to transition from ISO 14001:2015 to ISO 14001:2026 → ISOQAR ISO 14001 Certification — transition audit support and certification services → BSI Group ISO 14001 Training — ISO 14001:2026 transition training

🔹 You need ISO 14001:2026 training for your team → BSI Group ISO 14001 Training — foundation through lead implementer level → ISOQAR ISO 14001 Training — accredited training from a certification body

🔹 You need the official ISO 14001:2026 standard → ISO 14001:2026 — ANSI Webstore → ISO 14001 Standards Collection — ANSI Webstore → Use coupon CC2026 for 5% off → Apply at ANSI

🔹 You want to save by purchasing multiple ISO standards together → Save up to 50% on ISO Standard Packages — ANSI Webstore

🔹 You need ISO 50001 energy management alongside ISO 14001 → ISO 50001 — ANSI Webstore

🔹 You want to understand how ISO 14001 compares to other standards → ISO 9001 vs ISO 14001 → ISO 14001 vs ISO 45001 → Integrated Management Systems

🔹 You want to understand the full cost of certification → How Much Does ISO 14001 Cost? → How Much Does ISO Certification Cost? → ISO Certification Cost Calculator

The Bottom Line on ISO 14001:2026

The April 2026 publication of ISO 14001:2026 is not a disruption — it’s an opportunity. Organizations that move early on their transition will be ahead of the compliance curve while competitors scramble to meet the April 2029 deadline.

For organizations pursuing certification for the first time, you’re entering with the most current, most strategically aligned version of the standard ever published — one that integrates climate change, biodiversity, and supply chain accountability into your core environmental management framework.

ISO 14001:2026 certification signals to customers, regulators, investors, and supply chain partners that your organization manages environmental responsibilities with rigor and intent.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on — including everything you need to navigate the ISO 14001:2026 transition.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO Documentation Packages: Are They Worth It for Manufacturers? (2026 Guide)

Most manufacturers underestimate ISO 9001 documentation until they’re staring down a certification audit with nothing audit-ready. This guide breaks down exactly what ISO documentation kits include, what separates a useful kit from a useless one, and how manufacturers can get audit-ready without hiring a consultant or building hundreds of documents from scratch.

What ISO documentation packages include, when they save time and money, when they don’t, and how to choose one that actually holds up under a certification audit.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

Documentation Is Where Most ISO Implementations Stall

ISO certification doesn’t fail at the audit. It fails in the months before the audit — when the implementation team runs out of time, energy, or clarity building documentation that should have taken weeks but stretched into months.

The documentation phase of ISO 9001 implementation — developing procedures, work instructions, forms, records templates, and the quality manual — is consistently the most time-consuming and most commonly underestimated phase of the entire certification project.

ISO documentation packages exist to solve this problem. Pre-built, structured sets of templates, procedures, and forms aligned to ISO requirements that give you a starting point instead of a blank page.

But they’re not all equal. Some genuinely compress implementation timelines and reduce audit failure risk. Others are generic documents that look complete until an auditor asks an operator to describe the procedure they’re working from — and the operator has never seen it.

This guide tells you what’s actually in documentation packages, which ones work for manufacturing environments, and how to use them correctly.

In This Guide

What ISO documentation packages include — mandatory vs optional documents
What ISO 9001 actually requires you to document
The three types of documentation packages — and which works best for manufacturers
When documentation packages are worth it — and when they’re not
What makes a documentation package fail at audit
How to customize templates so they survive real-world audit scrutiny
Documentation packages vs consultants vs DIY — honest cost and timeline comparison
How documentation fits into the full ISO implementation process

👉 Start Here (Top Resources)

👉 Deploy a proven ISO 9001 documentation system for manufacturers → 9001Simplified Documentation Kits — fastest path from gap assessment to certification-ready documentation

👉 Get ISO 9001 certified with an accredited certification body → ISOQAR ISO 9001 Certification

👉 Purchase the official ISO 9001:2015 standard — required before building any documentation → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

👉 Get ISO 9001 training before documentation begins → BSI Group ISO 9001 Training

👉 Save up to 50% buying ISO standards as a bundle → ISO Standards Packages — ANSI Webstore

What ISO 9001 Actually Requires You to Document

ISO documentation packages for manufacturers with policies, procedures, templates, and ISO 9001 quality manual in industrial setting (2026 guide) — Are ISO documentation packages worth it for manufacturers? Learn the pros, cons, costs, and when to use them for ISO 9001 compliance in this 2026 guide.

Before evaluating documentation packages, it’s critical to understand what ISO 9001 actually requires — because many manufacturers over-document, creating maintenance burden, and others under-document, creating audit findings.

Mandatory Documented Information Under ISO 9001:2015

ISO 9001 explicitly requires the following documented information:

Documented information that must be maintained (procedures):

Scope of the QMS (Clause 4.3)
Quality policy (Clause 5.2)
Quality objectives (Clause 6.2)
Documented information required by the organization to support process operation (Clause 7.5) — this is where your procedures, work instructions, and forms live

Documented information that must be retained (records):

Evidence of fitness for purpose of monitoring and measurement resources — calibration records (Clause 7.1.5)
Evidence of competence — training records (Clause 7.2)
Evidence of product and service conformity — inspection records (Clause 8.6)
Nonconforming output records (Clause 8.7)
Internal audit results (Clause 9.2)
Management review results (Clause 9.3)
Results of corrective actions (Clause 10.2)

What’s notably NOT explicitly required: A quality manual is not explicitly required in ISO 9001:2015. A specific number of procedures is not required. ISO 9001 requires documented information to the extent necessary to support your processes — not a specific document structure.

This matters when evaluating documentation packages — a package that delivers 40 rigid procedures for every conceivable scenario may create more compliance burden than it solves.

For the complete clause breakdown, see ISO 9001 Clauses Explained.

Manufacturing-Specific Documentation Requirements

Beyond the ISO 9001 mandatory list, manufacturing environments require additional documented information driven by the nature of their processes:

For fabrication and welding shops:

Welding Procedure Specifications (WPS) and Procedure Qualification Records (PQR) — required by Clause 8.5.1 for special processes
Welder qualification records (WPQ)
Material traceability records — MTR filing system
Traveler packets

For all manufacturers:

Inspection and test plans by process type
Calibration register and calibration records
Nonconforming material control procedure and NCR forms
Supplier qualification records and approved vendor list
Corrective action records

A good documentation package for manufacturing should include templates for all of these — not just the generic ISO 9001 procedure set.

For the fabrication-specific documentation requirements in full detail, see ISO 9001 Requirements for Fabricators.

What Is an ISO Documentation Package?

ISO documentation packages for ISO 9001 showing procedures, templates, and forms used to build a quality management system — ISO documentation packages provide pre-built procedures, templates, and forms that help manufacturers implement ISO 9001 faster and more efficiently.

An ISO documentation package is a pre-built set of templates, procedures, forms, and records designed to help organizations implement an ISO management system faster than building from scratch.

A complete, quality documentation package for ISO 9001 manufacturing typically includes:

Procedures: Document and record control, internal audit, corrective action, nonconforming product control, management review, supplier evaluation and qualification, and customer communication.

Work instruction templates: Inspection and test plan templates, calibration procedure template, and special process control templates for welding and heat treatment.

Forms and records: NCR form, corrective action report, internal audit checklist by clause, calibration log and register, training records template, supplier evaluation form and approved vendor list template, management review agenda and minutes template.

Quality manual or scope document: A high-level document describing the QMS scope, the organization’s processes, and how they interact.

Implementation guidance: Instructions for how to customize and deploy each document — the difference between a documentation package and a box of blank forms.

The Three Types of Documentation Packages

Type 1 — Basic Template Downloads

Collections of Word or PDF templates available for low cost or free download. Generic structure, minimal guidance, no implementation support.

When they work: For experienced quality managers who understand ISO 9001 deeply and need a starting structure rather than guidance.

When they fail: When used by organizations implementing ISO 9001 for the first time. Without implementation guidance, templates get filled in with generic language that doesn’t reflect actual operations — the most common cause of Stage 2 audit failures traceable to documentation.

Cost: Free to a few hundred dollars.

Type 2 — Guided Implementation Toolkits

Structured documentation packages that include not just templates but step-by-step implementation guidance — how to customize each document, what each clause requires, and how to deploy the system across your organization.

When they work: For small to mid-size manufacturers implementing ISO 9001 for the first time or rebuilding an underperforming system. The implementation guidance makes the difference between a template set and a working system.

When they don’t work: For highly specialized operations with processes so unique that generic procedure frameworks don’t map to their actual work.

Cost: $500–$3,000 depending on scope and support included.

→ 9001Simplified Documentation Kits — our recommended guided toolkit for manufacturers — specifically built for manufacturing environments including fabrication, machining, and job shop operations

Type 3 — Consultant-Developed Custom Documentation

Fully customized documentation systems developed by an ISO consultant specifically for your organization’s processes, terminology, and operational structure.

When they work: For large or complex organizations, multi-site operations, or situations where the investment in full customization is justified by operational complexity.

When they don’t work: For small manufacturers where the consulting cost ($10,000–$50,000+) significantly exceeds the value of the customization relative to a good guided toolkit.

Cost: $10,000–$50,000+ depending on organizational complexity.

Are ISO Documentation Packages Worth It for Manufacturers?

ISO documentation packages infographic showing manufacturing documentation bottleneck vs ready-made toolkit with templates, procedures, and audit checklists — ISO documentation packages help manufacturers eliminate documentation bottlenecks by providing structured templates, procedures, and audit tools.

When Documentation Packages Are Worth It

You don’t have prior ISO experience. Organizations implementing ISO 9001 for the first time consistently underestimate the volume and complexity of documentation required. A guided toolkit prevents the blank-page paralysis that stalls most first-time implementations.

You need to move quickly. A quality guided toolkit reduces the documentation development phase from 10–12 weeks to 4–6 weeks for most small to mid-size manufacturers. If you have a customer deadline driving your certification timeline, this time compression matters significantly.

You want to avoid full consulting costs. A guided toolkit typically costs 80–95% less than full consulting while delivering comparable documentation quality — if chosen correctly and customized properly.

Your quality manager has operational experience but not ISO documentation experience. This is the most common manufacturing profile that benefits most from documentation toolkits — an experienced quality or operations professional who understands the processes but needs ISO documentation structure.

When Documentation Packages Don’t Work Well

You copy templates without customizing them. This is the most common documentation package failure mode — and it almost guarantees a Stage 2 audit failure. Generic procedures that don’t describe your actual processes will be exposed when auditors interview operators and find the disconnect between documentation and reality.

Your processes are genuinely unusual. Standard ISO 9001 documentation templates are designed for typical manufacturing processes. If your operation involves highly specialized processes with no standard analog, a custom approach may be more efficient.

You expect them to replace training. Documentation packages provide structure — they don’t provide understanding of what the clauses require. Lead implementer training before documentation begins is still the most important investment in any ISO implementation project.

You treat documentation as the goal. The goal is a functioning management system. Organizations that treat documentation completion as success consistently struggle through surveillance audits when the system isn’t actually operating.

What Makes a Documentation Package Fail at Audit

Generic procedures that don’t describe actual operations The most common and most damaging failure. A corrective action procedure that describes a generic process instead of how your organization actually investigates and closes nonconformances. Auditors don’t just read procedures — they interview personnel and compare what operators describe against what’s written.

Missing manufacturing-specific documents Generic ISO 9001 packages built for service industries don’t include welding procedure templates, calibration registers appropriate for shop floor equipment, or traveler packet formats. Using an office-environment template set for a fabrication shop leaves gaps that auditors find immediately.

Procedures written in compliance language instead of operational language Procedures that read like ISO clause paraphrases rather than operational instructions. “The organization shall control nonconforming output” is a clause requirement — not a work instruction. “When a nonconforming part is found, the inspector shall tag it with an NCR tag, place it in the red quarantine rack, and complete an NCR form within 24 hours” is a procedure.

Records templates with no completion instructions Forms that have fields but no guidance on who completes them, when, and what detail is required. Incomplete records at audit generate Clause 8.6 findings.

Calibration systems that don’t account for all shop floor equipment Documentation packages that include a calibration log but don’t address the full scope of measurement equipment used in manufacturing environments. Auditors walk the shop floor and check calibration stickers. Equipment not on the register generates immediate findings.

For the full calibration requirements guide, see Calibration Standards for Industrial Equipment.

How to Customize Documentation Templates Correctly

Step 1 — Complete lead implementer training before touching any templates Understanding what each clause requires before customizing ensures you’re adapting templates to meet real requirements — not just filling in blanks with plausible-sounding content.

Step 2 — Walk your actual processes before writing procedures For each process you’re documenting, physically walk it, observe how it actually operates, interview the people who do it, and document what actually happens — not what you wish happened or what the template assumes happens.

Step 3 — Replace generic language with specific operational language Every instance of “the organization” should become a specific role in your facility. Generic role names should be replaced with your actual job titles.

Step 4 — Add manufacturing-specific content where templates are silent If your package doesn’t include specific guidance for welding special process controls, add it. If it doesn’t include a traveler packet template appropriate for your job types, build one. The template is a starting point — not a ceiling.

Step 5 — Verify procedures against reality before Stage 1 Before Stage 1, walk through each key procedure with the personnel responsible for executing it. If they read the procedure and it doesn’t match how they do the work, fix the procedure.

Documentation Packages vs Consultants vs DIY

ISO 9001 certification comparison chart showing DIY, documentation and training system, and consultant options with cost, speed, and benefits — Compare the three main paths to ISO 9001 certification and choose the approach that fits your timeline, budget, and experience level.

Approach	Cost	Timeline Impact	Audit Failure Risk	Best For
Basic templates	$0–$500	Minimal	High	Experienced quality managers rebuilding a system
Guided toolkit ⭐	$500–$3,000	Significant — reduces Phase 3 by 4–6 weeks	Low if customized correctly	Most small to mid-size manufacturers
Full consulting	$10,000–$50,000+	Fastest Phase 3	Lowest	Large or complex organizations
DIY from scratch	Low external / high internal labor	Longest	Highest	Organizations with deep prior ISO experience

The recommended approach for most manufacturers: a guided implementation toolkit combined with lead implementer training. This delivers consultant-level documentation quality at a fraction of the cost — and builds genuine internal QMS understanding that sustains the system through surveillance cycles.

→ 9001Simplified Documentation Kits

→ BSI Group ISO 9001 Training

How Documentation Fits Into ISO Implementation

Documentation development is Phase 3 of the ISO 9001 certification process — not the starting point and not the finish line.

Phase	Activity	Duration
1	Standard purchase and lead implementer training	2–3 weeks
2	Gap assessment	2–3 weeks
3	Documentation development	4–12 weeks
4	System implementation and record generation	10–14 weeks minimum
5	Internal audit and management review	2–3 weeks
6	Stage 1 and Stage 2 certification audits	4–8 weeks

Organizations that mistake documentation completion for implementation completion attempt to schedule Stage 1 immediately after finishing their procedures — and generate Stage 1 deferrals when auditors find inadequate operating records. The minimum operating period is non-negotiable regardless of how fast documentation was completed.

👉 Download the Free ISO 9001 Roadmap — the full phase-by-phase implementation guide from gap assessment through certificate issuance.

For the complete implementation timeline, see ISO Implementation Timeline for Manufacturers and How Long Does ISO Certification Take?

What to Look for in a Manufacturing Documentation Package

Use this checklist when evaluating documentation packages:

Content completeness:

Includes all ISO 9001 mandatory procedure areas — document control, corrective action, internal audit, nonconforming product, management review
Includes manufacturing-specific templates — calibration register, inspection records, NCR forms, traveler packet template
Includes special process controls template for welding or other special processes
Includes supplier qualification forms and approved vendor list template
Internal audit checklists cover all ISO 9001 clauses

Implementation support:

Includes instructions for customizing each document — not just blank templates
Provides guidance on deploying documents across the organization
Includes gap assessment tool or checklist

Practical usability:

Written in operational language — not ISO clause language
Forms designed for shop floor use — appropriate field structure, logical workflow
Editable Word or similar format — not locked PDFs

Standard alignment:

Aligned to ISO 9001:2015 — not an older edition
References correct clause numbers throughout
Internal audit checklist matches current standard requirements

👉 Download the Free Manufacturing Compliance Checklist — use it alongside your documentation package to verify all compliance areas are addressed before your certification audit.

Frequently Asked Questions

Do I need an ISO documentation package to get certified?

No — ISO 9001 doesn’t require a specific documentation system or format. But organizations that attempt to build documentation from scratch consistently take longer and produce more audit findings than those using purpose-built structured systems.

Can I just copy a documentation package and use it as-is?

No — and this is the most common reason documentation packages fail at audit. Procedures that don’t describe your actual processes will be exposed when auditors interview operators. Every template must be customized to reflect how your specific operation actually works.

Are documentation packages worth it for small manufacturing companies?

Yes — particularly for small manufacturers without internal ISO experience. A guided toolkit provides the structure and implementation guidance that prevents the most common small manufacturer implementation failures. The cost ($500–$3,000) is a fraction of the time cost of building from scratch.

What’s the difference between a documentation package and a quality manual?

A quality manual is a single high-level document describing your QMS scope and processes — one component of a complete documentation system. A documentation package is the complete set of all documented information your QMS requires — procedures, work instructions, forms, records, and the quality manual or scope document.

How long does documentation development take with a package?

With a good guided toolkit, most small to mid-size manufacturers complete documentation development in 4–6 weeks. Without a package, the same work typically takes 10–12 weeks.

What makes a documentation package fail at a certification audit?

The most common causes: generic procedures that don’t describe actual operations, missing manufacturing-specific documents (calibration registers, special process controls, traveler formats), records templates that aren’t being completed consistently, and calibration systems that don’t account for all shop floor measurement equipment.

Should I buy the official ISO standard as well as a documentation package?

Yes — always. A documentation package provides structure; the official standard provides the requirements your documentation must satisfy. Building a QMS without owning the standard is the single most common cause of preventable audit findings. Use coupon CC2026 for 5% off at ANSI.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide — the complete phase-by-phase guide from gap assessment through certification
👉 Manufacturing Compliance Checklist — verify all compliance areas are addressed before your audit
👉 Supplier Quality Checklist — covers all supplier qualification and incoming inspection requirements

Not Sure What to Do Next?

🔹 You’re ready to deploy a documentation system → 9001Simplified Documentation Kits — guided ISO 9001 documentation toolkit built for manufacturing environments

🔹 You need the official ISO 9001:2015 standard first → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

🔹 You want to save buying ISO standards together → Save up to 50% on ISO Standards Packages — ANSI Webstore

🔹 You need ISO training before building documentation → BSI Group ISO 9001 Training → ISOQAR ISO Training

🔹 You’re ready to pursue ISO 9001 certification → ISOQAR ISO 9001 Certification

🔹 You want to understand what documentation your operation needs → ISO 9001 Requirements for Fabricators → ISO 9001 Clauses Explained → Supplier Quality Requirements for Manufacturers → Calibration Standards for Industrial Equipment

🔹 You want to understand the full implementation process → How to Get ISO 9001 Certified → ISO Implementation Timeline for Manufacturers → How Long Does ISO Certification Take?

🔹 You want to understand certification costs → How Much Does ISO 9001 Cost? → ISO Certification Cost Calculator

🔹 You want to choose the right certification body → Best ISO Certification Bodies — Ranked & Reviewed

The Right Documentation. Correctly Customized. Actually Followed.

A documentation package is a tool — not a shortcut. Organizations that use guided toolkits correctly — purchasing the official standard first, completing lead implementer training, genuinely customizing templates to reflect actual operations, and deploying the system before scheduling audits — consistently achieve first-attempt certification and sustain it through surveillance cycles.

The documentation is the starting point. The system is what actually gets you certified.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

Welding Standards: AWS vs ASME vs ISO (2026 Complete Guide)

The definitive comparison of AWS, ASME, and ISO welding standards — what each requires, where each applies, how WPS/PQR qualification works under each framework, and how to determine which standard governs your operation.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

FROM THE SHOP FLOOR: When Nobody Can Agree on Which Standard Applies

One of the most time-consuming and commercially damaging situations in a fabrication shop is a disagreement between operations and quality about which standard governs the job currently on the floor.

I deal with this regularly. A project comes in with specifications referencing AWS, ASME, AISC, and a customer-specific addendum. Different sections of the same job are governed by different standards — and in some cases, those standards have requirements that don’t align perfectly with each other. When operations and quality aren’t on the same page about which standard applies to which work scope, assumptions get made. Those assumptions cost time and money.

The most dangerous word in a fabrication environment is “assumed.” I assumed we were working to AWS. I assumed the AISC tolerances applied. I assumed the customer would accept the deviation. Every time I’ve heard those words, there was rework behind them.

The fix isn’t complicated — but it requires discipline at the front end of every project. Before production begins, the applicable standard for every work scope must be identified, documented, and communicated to the production team. Job specifications must be read completely — not summarized. The five minutes spent confirming which standard governs a particular inspection activity can save days of rework and thousands of dollars in a single project.

Three Standard Bodies. One Shop Floor. Knowing Which Governs Your Work.

Walk into most fabrication shops and welding operations and you’ll find references to multiple welding standards on the same job — AWS D1.1 procedures on the structural steel, ASME Section IX qualifications for the pressure piping, and ISO 3834 requirements from a European customer’s purchase order.

These aren’t alternatives to each other. They govern different applications, address different risk categories, and in many operations apply simultaneously to different work being performed in the same facility.

Understanding which standard governs which application — and what each actually requires — is the difference between a qualification program that holds up under audit and one that generates major nonconformances when an auditor asks to see the PQR for the weld currently in progress.

This guide covers all three standard bodies in detail — what each requires for procedure qualification, welder qualification, inspection, and documentation — and gives you the practical framework for determining which standard applies to your operation.

In This Guide

What welding standards are and why they’re classified as special processes
AWS standards — what D1.1 requires and when it applies
ASME standards — what Section IX requires and when it applies
ISO welding standards — ISO 3834, ISO 9606, ISO 15614 explained
WPS, PQR, and WPQ requirements compared across all three frameworks
Inspection and NDT requirements by standard
Which standard applies when multiple standards are in play
How welding standards integrate with ISO 9001 quality management
Where to buy official welding standards

👉 Start Here (Top Resources)

👉 Purchase AWS D1.1/D1.1M:2025 structural welding code → AWS D1.1/D1.1M:2025 — ANSI Webstore

👉 Purchase ASME welding standards → ASME Standards — ANSI Webstore

👉 Purchase ISO 9606 welder qualification standard → ISO 9606 — ANSI Webstore

👉 Purchase ISO 15614 welding procedure qualification standard → ISO 15614 — ANSI Webstore

👉 Purchase the complete AWS welding standards collection → AWS Standards Collection — ANSI Webstore

👉 Purchase ISO 9001:2015 — the quality management foundation for welding special process controls → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

👉 Get ISO 3834 welding quality certification → ISOQAR ISO 3834 Certification

👉 Get ISO 9001 certified — the management system that governs welding special process controls → ISOQAR ISO 9001 Certification

👉 Deploy a ready-to-use ISO 9001 documentation system with welding procedure templates → 9001Simplified Documentation Kits

👉 Save up to 50% buying ISO standards as a bundle → ISO St a ndards Packages — ANSI Webstore

Why Welding Is a Special Process

ISO 9001 welding special process infographic showing Clause 8.5.1 requirements, welder performing fabrication, and quality controls for manufacturing — Learn how ISO 9001 classifies welding as a special process under Clause 8.5.1 and what it means for fabrication shop quality control and compliance.

Before comparing the three welding standard bodies, the foundational concept that explains why welding standards are so detailed and strictly enforced:

Under ISO 9001 Clause 8.5.1, welding is classified as a special process — a process where the output cannot be fully verified by subsequent inspection or measurement alone. A completed weld joint may look visually acceptable while containing internal defects — incomplete fusion, porosity, cracks — that only become apparent under load or through destructive testing.

This classification has a direct consequence: because quality cannot be inspected in after the fact, it must be controlled during the process itself. This drives the three core requirements that all welding standards share in some form:

Qualified procedures — the welding process must be validated through testing before production begins. The Welding Procedure Specification (WPS) documents the variables. The Procedure Qualification Record (PQR) documents the testing that validates the WPS.

Qualified personnel — the welder performing the work must be qualified through testing to the variables they’ll be working within. The Welder Performance Qualification (WPQ) documents this.

Controlled process parameters — during production, the variables that affect weld quality must be monitored and controlled. Deviating from qualified variables without re-qualification is a nonconformance under every welding standard.

This framework — qualified procedures, qualified personnel, controlled parameters — is universal. What differs between AWS, ASME, and ISO is which specific variables are essential, what tests are required for qualification, and what the acceptance criteria are.

AWS Welding Standards — Structural and Fabrication Applications

The American Welding Society (AWS) publishes the most widely used welding standards in North American structural fabrication, general manufacturing, and construction applications.

AWS D1.1 — Structural Welding Code: Steel

AWS D1.1/D1.1M is the primary welding code for structural steel applications. It is the standard referenced on most structural fabrication drawings and contracts in the United States and is recognized internationally.

Scope: Welding of structural steel with minimum yield strength up to 100 ksi. Applies to statically and dynamically loaded structures — buildings, bridges, cranes, industrial equipment supports, and structural assemblies.

What AWS D1.1 Covers:

Prequalified joint designs One of AWS D1.1’s most practically significant features — a library of joint configurations that have been pre-approved for use without requiring a PQR qualification test. If your joint design matches a prequalified configuration and your welding variables fall within the prequalified ranges, you can use a prequalified WPS without running a qualification test weld.

This significantly reduces qualification burden for organizations doing standard structural welding. However, prequalified status has requirements — base metal type, filler metal specification, preheat minimums, and joint geometry all have specific limitations. Using a prequalified WPS outside its prequalified parameters invalidates the prequalified status.

WPS requirements under AWS D1.1 For joints that are not prequalified — or where the fabricator chooses to test rather than use prequalified status — a full WPS with supporting PQR is required. Essential variables under AWS D1.1 include: process, base metal specification and group, filler metal classification, position, joint design, preheat and interpass temperature, post-weld heat treatment, and electrical characteristics.

Welder qualification under AWS D1.1 Welders must be qualified by test for each process, position combination, and base metal group they weld. AWS D1.1 qualifications remain valid as long as the welder continues to use the qualified process — there is no specific time limit if continuity is maintained (typically demonstrated by producing welds with the process at least every six months, though the standard doesn’t specify a mandatory interval).

Inspection under AWS D1.1 Visual inspection is required for all welds — acceptance criteria for profile, size, length, and surface condition are specified. Additional NDT (UT, MT, PT, RT) requirements depend on the joint category, structure loading type, and contract specifications.

AWS D1.1 Supplementary Standards AWS publishes parallel D1.x standards for other materials:

D1.2 — Structural Welding Code: Aluminum
D1.6 — Structural Welding Code: Stainless Steel
D1.8 — Structural Welding Code: Seismic Supplement

→ AWS D1.1/D1.1M:2025 — ANSI Webstore

→ AWS Standards Collection — ANSI Webstore

ASME Welding Standards — Pressure and Safety-Critical Applications

The American Society of Mechanical Engineers (ASME) publishes the Boiler and Pressure Vessel Code (BPVC) — the legal framework governing welding for pressure-containing applications in the United States and many countries globally.

ASME BPVC Section IX — Welding, Brazing, and Fusing Qualifications

ASME Section IX is the foundational qualification standard for all pressure system welding. It does not govern the design of pressure systems — that’s covered by other ASME sections — but it defines how welding procedures and welders must be qualified for any pressure-containing weld.

Who must comply with ASME Section IX: Any organization manufacturing pressure vessels, boilers, heat exchangers, process piping (ASME B31.1, B31.3), nuclear components, or any other ASME Code-governed system. Compliance is legally required — ASME Code compliance is mandated by state and local laws in most U.S. jurisdictions for pressure-containing equipment.

Essential Variables — The Critical ASME Concept

The most important concept in ASME Section IX is essential variables — welding parameters whose change requires re-qualification of the WPS through a new PQR. Change an essential variable and you must run a new qualification test. Non-essential variables can be changed within the WPS without re-qualification; supplementary essential variables apply only when impact testing is required.

Key essential variables in ASME Section IX include:

Base metal P-number grouping — ASME groups base metals by P-number (1 through 15F); welding from one P-number group to another may require a separate qualification
Filler metal classification — F-number grouping; changing filler metal F-number typically requires re-qualification
Post-weld heat treatment — whether PWHT is or isn’t applied is an essential variable
Shielding gas composition — for applicable processes
Position — depending on the process and qualification scope

WPS and PQR requirements under ASME Section IX Every production weld on a pressure-containing system must be performed using a qualified WPS supported by a PQR that documents all actual welding variables used during qualification testing and the mechanical test results confirming the weld meets minimum requirements.

Mechanical tests required for most ASME PQRs include tension tests and guided bend tests. Impact tests (Charpy) are required as supplementary essential variables when impact toughness requirements are specified.

Welder qualification under ASME Section IX Welders are qualified by test for specific essential variable ranges. Unlike AWS D1.1, ASME Section IX qualifications expire if the welder has not used the qualified process within a 6-month period. Expired qualifications require re-qualification by test before the welder can return to production work on pressure systems.

This 6-month continuity requirement is a consistent source of audit findings in shops that perform both structural (AWS) and pressure (ASME) work — welders who are active on structural work may allow their ASME qualifications to lapse without realizing it.

ASME BPVC Section VIII — Pressure Vessels

Section VIII governs the design, fabrication, inspection, and testing of pressure vessels. Division 1, Division 2, and Division 3 cover different pressure ranges and design approaches. Fabricators of pressure vessels must hold an appropriate ASME Certificate of Authorization (U, U2, U3) and operate under a documented Quality Control (QC) program — the ASME analog to ISO 9001 for pressure vessel manufacturers.

ASME B31.3 — Process Piping

B31.3 governs piping systems used in chemical plants, petroleum refineries, and related processing facilities. Welding qualification requirements reference ASME Section IX, with additional requirements specific to process piping applications.

→ ASME Standards — ANSI Webstore

ISO Welding Standards — Quality Systems and Global Applications

The International Organization for Standardization (ISO) publishes a family of welding quality standards increasingly required in global manufacturing, export-driven fabrication, and European supply chains.

ISO 3834 — Quality Requirements for Fusion Welding

ISO 3834 is the international welding quality standard — providing a framework for welding quality management that complements ISO 9001 for organizations where welding is a primary manufacturing process.

ISO 3834 has three conformity levels:

Level	Standard	Applies To
Comprehensive	ISO 3834-2	Safety-critical, complex, or high-risk welding
Standard	ISO 3834-3	General industrial welding applications
Elementary	ISO 3834-4	Simple, low-risk welding operations

What ISO 3834 requires beyond ISO 9001: ISO 3834 goes significantly deeper into welding-specific quality management than ISO 9001 alone — covering contract review and design input for welded structures, subcontracting controls for welding operations, welding personnel qualification and authorization, welding equipment maintenance and calibration, production planning for welding operations, weld joint preparation and dimensional inspection, pre-production testing, heat treatment controls, and post-weld inspection and testing.

Who needs ISO 3834: Organizations supplying to European customers where ISO 3834 is contractually specified, pressure equipment manufacturers subject to the EU Pressure Equipment Directive (PED), and fabrication shops seeking to differentiate their welding quality credentials from competitors holding only ISO 9001.

→ ISOQAR ISO 3834 Certification

ISO 9606 — Qualification Testing of Welders

ISO 9606 is the ISO standard for welder performance qualification — equivalent in purpose to AWS D1.1 welder qualification and ASME Section IX welder performance qualification, but using ISO’s variable sets and acceptance criteria.

ISO 9606 has separate parts by base material:

ISO 9606-1: Steels
ISO 9606-2: Aluminum and aluminum alloys
ISO 9606-3: Copper and copper alloys
ISO 9606-4: Nickel and nickel alloys
ISO 9606-5: Titanium and titanium alloys

ISO 9606 vs AWS/ASME welder qualification: ISO 9606 qualifications are not interchangeable with AWS D1.1 or ASME Section IX qualifications. A welder qualified under AWS D1.1 is not automatically qualified under ISO 9606, and vice versa. Organizations serving both North American (AWS/ASME) and international (ISO) customers may need separate qualification records for each framework.

→ ISO 9606 — ANSI Webstore

ISO 15614 — Specification and Qualification of Welding Procedures

ISO 15614 is the ISO standard for welding procedure qualification — the ISO equivalent of ASME Section IX PQR testing. Like ASME, ISO 15614 defines the essential variables, test requirements, and acceptance criteria for procedure qualification testing.

ISO 15614 has multiple parts covering different welding processes and base materials — including arc welding of steels and nickel alloys (Part 1), arc welding of aluminum (Part 2), and others.

→ ISO 15614 — ANSI Webstore

AWS vs ASME vs ISO — Full Comparison

AWS vs ASME vs ISO welding standards comparison showing structural welding, pressure systems, and quality system requirements for ISO certification for fabrication shops — Visual comparison of AWS, ASME, and ISO welding standards used in fabrication, pressure systems, and global manufacturing quality systems.

Factor	AWS	ASME	ISO
Publishing body	American Welding Society	American Society of Mechanical Engineers	International Organization for Standardization
Primary application	Structural welding — steel, aluminum, SS	Pressure systems — vessels, boilers, piping	Quality systems, global manufacturing
Legal status	Contract-specified — not legally required	Legally required for pressure systems in most U.S. jurisdictions	Voluntary — commercially required
Prequalified joints	Yes — extensive library	No	No
WPS required	Yes	Yes	Yes (ISO 15614)
PQR required	Yes (except prequalified)	Yes — always	Yes (ISO 15614)
Welder qualification	Yes (WPQ)	Yes — expires after 6 months without use	Yes (ISO 9606)
Essential variables concept	Yes	Yes — extensive P-number and F-number system	Yes (ISO 15614)
NDT requirements	Visual minimum — additional per contract	Per Code section and Division	Per ISO 3834 and customer specification
Certification/stamps	No mandatory stamp	Yes — U, S, PP stamps for ASME Code work	ISO 3834 third-party certification
Transferability	U.S. dominant	U.S. and international	Global
Who uses it	Structural fabricators, general manufacturers	Pressure vessel and piping fabricators	Global manufacturers, European customers

WPS, PQR, and WPQ Requirements Compared

The three documents that govern welding qualification — WPS, PQR, and WPQ — exist in all three frameworks. Here’s how they compare:

Welding Procedure Specification (WPS)

Factor	AWS D1.1	ASME Section IX	ISO 15614
Required for all welds?	Yes — or prequalified status	Yes — always	Yes
Prequalified option?	Yes — extensive library	No	No
Essential variables documented?	Yes	Yes	Yes
Format specified?	No — content required	Yes — QW-482 form	Yes — per Part requirements

Procedure Qualification Record (PQR)

Factor	AWS D1.1	ASME Section IX	ISO 15614
Mechanical tests required	Tension, bend	Tension, bend — impact if required	Tension, bend, impact, macro examination
Who performs testing	Welder or test lab	Must be done by or witnessed by AWS CWI or equivalent	Approved testing body
Transferability	Not transferable between standards	Not transferable	Not transferable

Welder Performance Qualification (WPQ)

Factor	AWS D1.1	ASME Section IX	ISO 9606
Qualification method	Test weld — visual and bend	Test weld — visual and bend	Test weld — visual, bend, or RT
Qualification expiry	Continuity-based — no fixed expiry	Expires after 6 months without use	Varies by Part — typically 2 years
Position qualification	Position-specific	Position-specific	Position-specific
Transferability	Not interchangeable with ASME or ISO	Not interchangeable with AWS or ISO	Not interchangeable with AWS or ASME

Inspection and NDT Requirements by Standard

AWS D1.1 Inspection

AWS D1.1 specifies visual inspection as the minimum requirement for all welds. Visual acceptance criteria cover weld profile, size, porosity, cracks, undercut, overlap, and surface condition.

Additional NDT requirements depend on:

Joint category (statically vs dynamically loaded)
Loading type (tension vs compression)
Contract or customer specification

Common NDT methods specified in or alongside AWS D1.1: ultrasonic testing (UT), magnetic particle testing (MT), liquid penetrant testing (PT), and radiographic testing (RT).

ASME Section IX and Code Section Inspection

ASME Section IX defines procedure and welder qualification — NDT requirements for production welds are specified in the applicable Code section (Section VIII for pressure vessels, B31.3 for process piping, etc.).

ASME Code NDT requirements are typically more prescriptive than AWS D1.1 — driven by the safety criticality of pressure systems. For example, ASME Section VIII Division 1 specifies mandatory radiographic or ultrasonic examination requirements for certain weld joint categories, regardless of customer preference.

ISO 3834 Inspection

ISO 3834 inspection requirements depend on the conformity level — Comprehensive (Part 2) requirements are more extensive than Standard (Part 3). ISO 3834 references ISO inspection standards including:

ISO 17637 — Visual testing of fusion welds
ISO 5817 — Quality levels for imperfections in steel welds

Which Standard Applies When Multiple Are in Play

Many fabrication shops — particularly those serving both structural and pressure applications — operate under multiple welding standards simultaneously. Here’s the framework for determining which standard governs which work:

The contract and drawing govern first The welding standard applicable to any specific job is determined by the contract documents and engineering drawings — not by the fabricator’s preference. If the drawing references AWS D1.1, that’s the governing standard for that joint. If the piping spec references ASME B31.3 and Section IX, ASME governs regardless of what AWS qualifications the welder holds.

Separate qualification records for each standard AWS D1.1 welder qualifications do not satisfy ASME Section IX requirements, and vice versa. If your shop performs both structural and pressure work, welders performing pressure welds must have current ASME Section IX qualifications — separate from their AWS qualifications.

ISO requirements layer over, not instead of When a customer requires ISO 3834 compliance alongside AWS or ASME, ISO 3834 adds quality management system requirements — it doesn’t replace the technical welding standard. Your WPS and PQR still comply with AWS D1.1 or ASME Section IX as applicable; ISO 3834 governs how you manage the welding quality system.

When there is a conflict When customer requirements conflict with a referenced standard — for example, a customer specifying tighter NDT requirements than AWS D1.1 mandates — the customer’s requirements govern. Customer requirements always supplement, and may exceed, the referenced standard’s minimums.

How Welding Standards Integrate With ISO 9001

ISO 9001 requirements for Fabrication shops covering ISO 9001 quality, ISO 14001 environmental, and ISO 45001 safety standards — Learn how ISO 9001, ISO 14001, and ISO 45001 apply to fabrication and welding shops. Improve quality, safety, and compliance with this 2026 guide.

ISO 9001 Clause 8.5.1 classifies welding as a special process — requiring validated procedures, qualified personnel, and controlled parameters. But ISO 9001 does not define what “validated” and “qualified” mean for welding. AWS, ASME, and ISO welding standards fill that gap.

How the integration works in practice:

Your WPS and PQR documents — qualified under AWS D1.1, ASME Section IX, or ISO 15614 — satisfy ISO 9001’s requirement for validated welding procedures simultaneously.

Your WPQ records — under whichever welding standard applies — satisfy ISO 9001 Clause 7.2’s requirement for documented competence evidence.

Your inspection and test records — visual inspection, NDT results, dimensional checks — satisfy ISO 9001 Clause 8.6’s requirement for evidence of conformity.

Building these records correctly from the start means a single documentation system serves your welding standard compliance and your ISO 9001 QMS simultaneously — not two parallel systems.

For the complete ISO 9001 requirements breakdown in a fabrication context, see ISO 9001 Requirements for Fabricators and Quality Standards for Fabrication Shops.

For the full fabrication and welding shop compliance guide, see ISO for Fabrication & Welding Shops.

Where to Buy Official Welding Standards

Welding standards are copyrighted documents — unofficial copies found online are typically outdated, missing amendments, or incomplete. Always purchase from authorized sources.

AWS Standards

The ANSI Webstore is the authorized U.S. distributor for AWS standards — including AWS D1.1, D1.2, D1.6, and the complete AWS standards library. ANSI also serves international buyers with standards available in multiple languages.

→ AWS D1.1/D1.1M:2025 — ANSI Webstore

→ AWS Standards Collection — ANSI Webstore

ISO Standards

ISO welding standards including ISO 3834, ISO 9606, and ISO 15614 are available through the ANSI Webstore. Use coupon CC2026 for 5% off ISO and IEC standards through December 31, 2026.

→ ISO Standards — ANSI Webstore — use coupon CC2026 for 5% off

→ ISO Standards Packages — ANSI Webstore — save up to 50% buying multiple standards together

ASME Standards

ASME standards including BPVC Section IX and B31.3 are available directly from ASME at asme.org and through the ANSI Webstore.

You need ASME welding standards → ASME Standards — ANSI Webstore

Frequently Asked Questions

What is the difference between AWS and ASME welding standards?

AWS D1.1 governs structural welding applications — buildings, bridges, and structural assemblies. ASME Section IX governs welding qualification for pressure-containing applications — pressure vessels, boilers, and process piping. They are not interchangeable. A shop performing both structural and pressure work needs separate qualification programs under each standard.

Do AWS welder qualifications satisfy ASME requirements?

No. AWS D1.1 welder qualifications are not interchangeable with ASME Section IX qualifications. If your welders perform pressure welds, they must have current ASME Section IX qualifications separate from any AWS qualifications they hold.

What is ISO 3834 and do I need it?

ISO 3834 is the international standard for welding quality requirements — it adds welding-specific quality management requirements on top of ISO 9001. It is increasingly required by European customers and in international project specifications. Organizations exporting fabricated products, supplying to ISO-certified global manufacturers, or working under the EU Pressure Equipment Directive may find ISO 3834 certification necessary.

When does an ASME Section IX welder qualification expire?

ASME Section IX welder qualifications expire if the welder has not used the qualified process within a 6-month period. This is one of the most consistently missed requirements in shops that perform both structural and pressure work — welders active on structural jobs can allow their ASME qualifications to lapse without realizing it.

What are prequalified joints under AWS D1.1?

Prequalified joints are joint configurations in AWS D1.1 that have been pre-approved for use without requiring a PQR qualification test — provided all welding variables fall within the prequalified ranges. This reduces qualification burden for standard structural welding applications. Using a WPS designated as prequalified outside the prequalified variable ranges invalidates the prequalified status.

What is a WPS and why is it required for welding?

A WPS (Welding Procedure Specification) is a documented set of welding variables — process, base metal, filler metal, joint design, preheat, position, and others — that has been qualified through testing. It is required under all welding standards because welding is a special process where quality must be controlled during the process, not inspected in after completion.

How does ISO 9001 relate to welding standards?

ISO 9001 Clause 8.5.1 classifies welding as a special process requiring validated procedures and qualified personnel — but doesn’t define what validated and qualified mean. AWS, ASME, and ISO welding standards fill that gap. A correctly built QMS uses welding standard qualification documents (WPS, PQR, WPQ) as the evidence that satisfies ISO 9001’s special process requirements.

Which welding standard should my fabrication shop use?

The governing standard is determined by your customers’ contracts and engineering drawings — not your preference. Structural steel work typically references AWS D1.1. Pressure vessel and piping work typically references ASME Section IX. International or export work may reference ISO standards. Review your actual contract documents to determine which standard applies to each job.

📥 Free Resources

👉 ISO 9001 Roadmap (Step-by-Step Implementation Guide)
👉 Manufacturing Compliance Checklist
👉 Supplier Quality Checklist

Not Sure What to Do Next?

🔹 You need AWS D1.1 structural welding code → AWS D1.1/D1.1M:2025 — ANSI Webstore → AWS Standards Collection — ANSI Webstore

🔹 You need ISO standards for your welding quality system → ISO 9001:2015 — ANSI Webstore — use coupon CC2026 for 5% off → ISO Standards Packages — ANSI Webstore — save up to 50%

🔹 You need ASME welding standards → ASME Standards — ANSI Webstore

🔹 You need ISO welding qualification standards → ISO 9606 — ANSI Webstore → ISO 15614 — ANSI Webstore

🔹 You need ISO 3834 welding quality certification → ISOQAR ISO 3834 Certification

🔹 You need ISO 9001 certification for your welding quality system → ISOQAR ISO 9001 Certification

🔹 You need ISO training for your quality team → BSI Group ISO Training → ISOQAR ISO Training

🔹 You need a documentation system for ISO 9001 welding controls → 9001Simplified Documentation Kits

🔹 You want fabrication-specific compliance guidance → ISO 9001 Requirements for Fabricators → Quality Standards for Fabrication Shops → ISO for Fabrication & Welding Shops → OSHA vs ISO Requirements for Metal Fabrication

🔹 You want to understand ISO 9001 special process requirements → ISO 9001 Clauses Explained → ISO 9001 Certification Guide

🔹 You want to understand certification costs and timeline → How Much Does ISO 9001 Cost? → How Long Does ISO Certification Take?

Know Your Standard. Control Your Process. Pass Your Audit.

The organizations that navigate multi-standard welding environments successfully are the ones that understand which standard governs which work — and build qualification programs that satisfy each standard’s specific requirements without conflating them.

AWS D1.1 qualifications are not ASME qualifications. ASME qualifications are not ISO qualifications. Prequalified joints are only prequalified within their stated limits. ASME welder qualifications expire. Knowing these distinctions before an auditor asks is what separates a compliant welding program from one that generates major findings.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO 14971 Is No Longer Optional for Medical Device Manufacturers

In This Guide

Table of Contents

👉 Start Here (Top Resources)

What Is ISO 14971:2019?

ISO 14971:2019 vs ISO 14971:2007 — Which Do You Need?

Where to Buy ISO 14971:2019 — Official Sources Only

ISO 14971 Formats Available

How Much Does ISO 14971:2019 Cost?

Who Needs to Purchase ISO 14971?

If you are at this stage:

What ISO 14971 Does NOT Include

Common Purchasing Mistakes to Avoid

Why Organizations Delay This — And What It Costs Them

Related Standards You Will Also Need

Frequently Asked Questions

What is ISO 14971:2019?

Is ISO 14971 required for ISO 13485 certification?

What is the difference between ISO 14971:2019 and ISO 14971:2007?

Where is the best place to buy ISO 14971:2019?

Can I share my ISO 14971 PDF with my design team?

Do I need both ISO 14971 and ISO 13485?

Does ISO 14971 apply to software?

What is ISO/TR 24971?

How much does ISO 14971:2019 cost?

📥 Free Resources

Not Sure What to Do Next?

Still figuring out where to start?

The Standard That Makes Everything Else Auditable

Subscribe

ISO 13485 Tells You to Manage Risk. ISO 14971 Tells You How.

In This Guide

Table of Contents

✅ Start Here (Top Resources)

What Is ISO 13485?

What Is ISO 14971?

ISO 14971 vs ISO 13485 — Key Differences

Where ISO 13485 References ISO 14971

Clause 7.1 — Planning of Product Realization

Clause 7.3 — Design and Development

Clause 7.4 — Purchasing

Clause 8.2 — Monitoring and Measurement

Clause 8.5 — Improvement

Is ISO 14971 Actually Mandatory Under ISO 13485?

The QMSR Changes the Practical Answer

How the Two Standards Work Together in Practice

Concept and Planning Stage

Design and Development

Purchasing and Supplier Controls

Production

Post-Market Surveillance and CAPA

The Risk Management File — Where They Intersect Most Clearly

From the Shop Floor

Which Standard Do You Buy First?

Frequently Asked Questions

What is the main difference between ISO 14971 and ISO 13485?

Is ISO 14971 required if you have ISO 13485?

Can you be certified to ISO 14971?

Which came first — ISO 13485 or ISO 14971?

Does ISO 14971 apply to software as a medical device?

How does the QMSR affect the relationship between ISO 13485 and ISO 14971?

What is the Risk Management File and which standard requires it?

Do I need ISO/TR 24971 as well?

How does ISO 14971 differ from ISO 31000?

✅ Free Resources

Not Sure What to Do Next?

Still Figuring Out Where to Start?

ISO 13485 and ISO 14971 Are Not Optional to Each Other

Subscribe

From the Shop Floor

ISO 14971 Is the Standard Your QMS Is Already Required to Implement

In This Guide

Table of Contents

✅ Start Here (Top Resources)

What Is ISO 14971?

Who Needs ISO 14971?

The ISO 14971 Risk Management Process — Six Steps

Step 1 — Risk Analysis

Step 2 — Risk Evaluation

Step 3 — Risk Control