ISO 9001 vs ISO 13485: Key Differences Every Manufacturer Needs to Know (2026)

ISO 9001 is the universal quality standard. ISO 13485 is the medical device standard — and since the FDA’s 2024 QMSR final rule, it’s now embedded in U.S. federal regulation. Here’s exactly how the two standards differ and what that means for manufacturers.

How ISO 9001 and ISO 13485 differ in focus, requirements, and regulatory weight — and why the FDA’s 2024 QMSR final rule makes understanding that difference more important than ever.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


The FDA Just Changed the Relationship Between These Two Standards

For decades, manufacturers made a relatively simple distinction between ISO 9001 and ISO 13485. ISO 9001 was for everyone — the universal quality management standard applicable across every industry. ISO 13485 was for medical device manufacturers — a specialized voluntary standard for a regulated industry.

That distinction no longer holds.

In 2024, the FDA published the Quality Management System Regulation (QMSR) final rule — which did not simply update or elevate ISO 13485. It replaced 21 CFR Part 820, the legacy Quality System Regulation, with a new regulatory framework that uses ISO 13485:2016 as its structural backbone. The compliance date was February 2, 2026. That date has passed.

This means ISO 13485 is no longer a voluntary international standard that sophisticated U.S. manufacturers pursue for global market access. It is now the regulatory expectation — the framework FDA inspectors use, the structure FDA-regulated quality systems must reflect, and the language the medical device supply chain is increasingly required to speak.

Organizations that still treat ISO 13485 as “the medical version of ISO 9001” — a slight variation on a familiar theme — are misreading both what the standard requires and what the FDA now expects from it.

This guide covers the real differences between ISO 9001 vs ISO 13485 — structurally, operationally, and regulatorily — so manufacturers can make informed decisions about which standard their organization needs, and what implementing either one actually requires in a post-QMSR world.


In This Guide

  • What ISO 9001 and ISO 13485 share — the Harmonized Structure foundation
  • The key operational differences — focus, traceability, design controls, CAPA
  • How the FDA’s 2024 QMSR final rule changes the ISO 13485 landscape
  • The three QMSR gaps that ISO 13485 certified organizations must address
  • Who needs ISO 9001, who needs ISO 13485, and who needs both
  • Can ISO 9001 substitute for ISO 13485?
  • Cost and timeline comparison
  • How to transition from ISO 9001 to ISO 13485



What ISO 9001 and ISO 13485 Share

ISO 9001 and ISO 13485 share the same harmonized management system structure, making the transition to medical device quality management more efficient for organizations with existing ISO 9001 experience.

Before examining the differences, understanding what ISO 9001 and ISO 13485 share explains why organizations with ISO 9001 experience can transition to ISO 13485 more efficiently than starting from scratch.

Both standards follow the Harmonized Structure — the common clause framework used across all major ISO management system standards. This means both are organized around the same ten-clause framework:

| Clause | Topic |
|---|---|
| 1–3 | Scope, normative references, terms |
| 4 | Context of the organization |
| 5 | Leadership |
| 6 | Planning |
| 7 | Support |
| 8 | Operations |
| 9 | Performance evaluation |
| 10 | Improvement |

Shared management system elements include:

  • Document and record control
  • Internal audit program
  • Corrective and preventive action
  • Management review
  • Competence and training requirements
  • Communication processes
  • Continual improvement orientation

Organizations implementing ISO 13485 on an existing ISO 9001 foundation build the medical device-specific layer on top of shared infrastructure — rather than building everything from scratch. This is the most significant practical advantage of prior ISO 9001 certification when transitioning to ISO 13485.

For the full ISO 9001 requirements guide, see ISO 9001 Clauses Explained.


ISO 9001 vs ISO 13485 — Full Comparison

| Factor | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Primary objective | Customer satisfaction and continual improvement | Regulatory compliance and patient safety |
| Industry scope | Universal — any organization, any industry | Medical device manufacturers and supply chain |
| Regulatory connection | No specific regulatory mandate | FDA QMSR, EU MDR, Health Canada, TGA, global markets |
| Continual improvement | Central, required throughout | Required but secondary to regulatory compliance |
| Risk management | Risk-based thinking throughout | Explicit — ISO 14971 required throughout lifecycle |
| Design controls | Required — relatively flexible | Prescriptive — Design History File required |
| Traceability | Required where specified by contract | Required for all devices — implantables to patient level |
| Validation | Special processes | Broader — includes software validation, installation |
| CAPA | Required | More prescriptive — specific investigation structure |
| Complaint handling | Required | Stricter — mandatory adverse event reporting connection |
| Document retention | Defined by organization | Longer — device lifetime plus regulatory requirements |
| Sterile devices | Not addressed | Specific requirements |
| Supplier controls | Clause 8.4 — risk-based | More demanding — quality agreements required |
| Software | Not specifically addressed | IEC 62304 connection — software lifecycle required |
| Certification body | Any accredited body (ANAB/UKAS) | Accredited body — Notified Body for EU MDR |
| Typical first-year cost | $8,000–$35,000 | $15,000–$100,000+ |
| Typical timeline | 4–8 months | 8–18 months |

Key Operational Differences in Detail

1. Primary Objective — Customer Satisfaction vs Patient Safety

This is the most fundamental difference between the two standards — and it shapes everything else.

ISO 9001 is built around the concept of customer satisfaction. The standard requires that organizations understand customer requirements, meet them consistently, and seek to improve customer satisfaction over time. Continual improvement is a core principle — organizations are expected to get better over time, not just maintain compliance.

ISO 13485 is built around regulatory compliance and patient safety. Where ISO 9001 asks “are customers satisfied?”, ISO 13485 asks “is the device safe and does it conform to regulatory requirements?” Continual improvement is required — but it is explicitly secondary to maintaining regulatory compliance. An organization cannot compromise regulatory compliance in pursuit of improvement.

This difference in objective drives differences in emphasis throughout both standards. ISO 9001 is flexible by design — it accommodates diverse industries and business models. ISO 13485 is prescriptive by necessity — because the consequences of quality failures affect patient safety.

2. Risk Management — Risk-Based Thinking vs ISO 14971

Both standards require risk management — but the depth and formality differ significantly. ISO 9001 uses general risk-based thinking, while ISO 13485 requires formal medical device risk management aligned with ISO 14971 throughout the product lifecycle.

Both standards require risk management — but the approach differs significantly.

ISO 9001 incorporates “risk-based thinking” throughout — identifying risks to process conformity and customer satisfaction and taking appropriate action. The standard doesn’t prescribe a specific risk management methodology.

ISO 13485 requires risk management per ISO 14971 — the international standard for risk management for medical devices. ISO 14971 defines a formal risk management process covering hazard identification, risk estimation, risk evaluation, risk control, residual risk evaluation, and risk management review throughout the device lifecycle.

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is a required companion standard woven throughout ISO 13485’s requirements. Organizations implementing ISO 13485 must purchase and implement ISO 14971.

3. Design and Development Controls

ISO 9001 requires design and development planning, inputs, outputs, review, verification, and validation — but the standard is relatively flexible in how organizations structure these activities.

ISO 13485 requires all of the above with significantly more prescription:

  • Design History File (DHF): A comprehensive record of the design history of each device type — design plans, inputs, outputs, review records, verification and validation records, and all design changes. The DHF must demonstrate the device was developed in accordance with the approved design plan.
  • Design transfer: A formal process for transferring device designs into production — confirming the production processes are capable of consistently producing devices that conform to design specifications.
  • Design changes: Each design change must be evaluated for its effect on function, performance, safety, and regulatory compliance before implementation. This is more rigorous than ISO 9001’s general change management requirements.

4. Traceability — Contractual vs Regulatory

ISO 9001 requires traceability where it is a stated requirement — typically driven by customer contracts or industry standards.

ISO 13485 requires traceability of medical devices as a baseline regulatory requirement — not contingent on customer specification. The extent of traceability must be consistent with applicable regulatory requirements:

  • All medical devices: Traceable to manufacturing lot, raw materials, and key production records
  • Active implantable devices and implantable devices: Traceable to the patient who received the device — requiring distribution records that track the device through the supply chain to the healthcare provider and patient record
  • Sterile devices: Additional traceability requirements for sterilization

This difference is operationally significant — ISO 13485 traceability systems are substantially more complex than typical ISO 9001 traceability implementations.

5. CAPA — General Corrective Action vs Structured Investigation

ISO 9001 requires corrective action — identifying nonconformances, determining root causes, and implementing actions to prevent recurrence. The standard is relatively flexible in how this is structured.

ISO 13485 requires a more structured CAPA system with specific elements:

  • Defined trigger criteria for when a CAPA must be initiated
  • Documented root cause investigation using systematic analysis methods
  • Action plans with defined effectiveness criteria — established before implementation
  • Effectiveness verification — documented evidence that the corrective action eliminated the root cause
  • Trend analysis — reviewing CAPA data to identify patterns requiring systemic action

The ISO 13485 CAPA system is one of the most closely scrutinized areas in FDA inspections — inadequate CAPA systems are among the most common FDA 483 observations. This scrutiny will intensify under QMSR.

6. Supplier Controls — Risk-Based vs Quality Agreements

ISO 9001 Clause 8.4 requires risk-based supplier controls — qualifying suppliers, communicating requirements, and monitoring performance. The depth of control is proportionate to risk.

ISO 13485 goes significantly further:

  • Written quality agreements with critical suppliers — formal contracts specifying quality requirements, change notification obligations, audit rights, and regulatory compliance responsibilities
  • Supplier qualification criteria must include assessment of regulatory compliance capability — not just quality system certification
  • Ongoing supplier monitoring — performance tracking, requalification at defined intervals
  • Regulatory requirement flow-down — applicable regulatory requirements must be communicated to and confirmed by suppliers

The FDA QMSR Factor — Why ISO 13485 Carries More Weight in 2026

The FDA’s 2024 Quality Management System Regulation (QMSR) final rule, effective February 2, 2026, directly incorporated ISO 13485:2016 by reference as the foundational quality system framework for U.S. medical device manufacturers.

This is the first time in history that ISO 13485 has been embedded in U.S. federal regulation.

What this means practically:

For manufacturers previously operating only under 21 CFR Part 820: Your quality system must now be structured around ISO 13485 requirements and terminology. The old QSR framework has been retired. FDA inspectors are now using ISO 13485 structure as their inspection framework under the new lifecycle-focused model.

For ISO 13485 certified organizations: Your certification provides a strong foundation for QMSR compliance — but it is not automatically QMSR compliant. Three specific gaps exist between ISO 13485 and QMSR that must be addressed.

For ISO 9001 certified manufacturers in the medical device supply chain: Your customers — medical device OEMs — must now demonstrate QMSR compliance. They will increasingly require ISO 13485 certification from their component suppliers, contract manufacturers, and sub-tier suppliers. The same pattern that happened in automotive (IATF 16949 flowing down the supply chain) is now happening in medical devices.


The Three QMSR Gaps ISO 13485 Certified Organizations Must Address

Even mature ISO 13485 systems may contain critical gaps relative to FDA QMSR requirements, particularly in enterprise-wide risk integration, knowledge management, and management review processes.

Even organizations with mature ISO 13485 systems have gaps relative to the new QMSR requirements. The three most significant:

Gap 1 — Risk Management Integration

ISO 13485 requires risk management primarily in design and development. QMSR requires risk-based thinking embedded throughout the entire QMS — purchasing controls, production processes, complaint handling, and CAPA. If your risk management process lives only in your design files, you have a QMSR gap.

Gap 2 — Organizational Knowledge

QMSR explicitly requires organizations to maintain and make available the knowledge necessary for QMS operation and product conformity. This is a new requirement with no direct ISO 13485 equivalent — it has real documentation implications for knowledge management processes.

Gap 3 — Management Review

QMSR’s management review requirements are more prescriptive than ISO 13485 — requiring specific inputs related to post-market surveillance data, customer feedback trends, and risk management outputs beyond what ISO 13485 Clause 5.6 alone requires.

FDA Inspection Protocol CP 7382.850 is specifically designed to test QMSR compliance. Any FDA inspection going forward will be assessed against this protocol — not the retired QSIT framework.

For the complete QMSR transition guide, see our dedicated FDA QSR vs ISO 13485 article — coming soon.


Who Needs ISO 9001?

ISO 9001 is the right standard for:

  • Manufacturing organizations supplying to industrial OEMs, government contractors, or general supply chains where no industry-specific standard applies
  • Organizations in any industry seeking a universal quality management credential
  • Organizations building the QMS foundation before adding IATF 16949, AS9100, or ISO 13485
  • Any organization whose customer contracts specify ISO 9001 certification

ISO 9001 is the most widely required quality management standard in the world — applicable across every industry and recognized by virtually every supply chain.

For the complete ISO 9001 certification guide, see How to Get ISO 9001 Certified.


Who Needs ISO 13485?

ISO 13485 is required for:

  • Medical device manufacturers placing products in any regulated market — U.S., EU, Canada, Australia, Japan, Brazil, and most other major markets
  • Component suppliers whose products are incorporated into medical devices
  • Contract manufacturers producing devices or device components
  • Sterilization service providers for medical devices
  • Organizations in the medical device supply chain whose OEM customers require ISO 13485 certification

The QMSR has effectively made ISO 13485 required for any organization participating in the U.S. medical device market — either directly as a manufacturer or indirectly as a supply chain participant whose OEM customers must demonstrate QMSR compliance.

For the complete ISO 13485 guide, see What Is ISO 13485?


Can ISO 9001 Substitute for ISO 13485?

No — and this is one of the most important distinctions in the entire medical device quality landscape.

ISO 9001 certification does not satisfy ISO 13485 requirements. The standards share a structural framework but serve different regulatory purposes with different specific requirements. An ISO 9001 certificate presented to an FDA inspector or EU Notified Body as evidence of medical device QMS compliance will not be accepted.

Where this confusion causes the most damage:

Component suppliers to medical device OEMs who hold ISO 9001 certification and assume it satisfies their customer’s supplier qualification requirements. As OEMs align to QMSR — which requires ISO 13485 structure — they will increasingly require ISO 13485 certification from suppliers rather than accepting ISO 9001 as equivalent.

The practical path: Organizations in the medical device supply chain that currently hold ISO 9001 should begin planning an ISO 13485 gap assessment. The ISO 9001 foundation significantly reduces the cost and timeline of ISO 13485 implementation — but the transition requires deliberate planning.


Implementing Both Standards Together

Many organizations need both ISO 9001 and ISO 13485 — either because they serve both medical device and non-medical device customers, or because they want to build their QMS on the universal ISO 9001 foundation before adding the ISO 13485 layer.

The integrated approach works well because:

The Harmonized Structure shared by both standards means document control, corrective action, internal audit, management review, and training records are built once and serve both standards simultaneously.

What you build once:

  • Document control system
  • Corrective action and CAPA process
  • Internal audit program and schedule
  • Management review agenda and records
  • Training records system
  • Communication processes

What you build for ISO 13485 specifically on top of the shared foundation:

  • ISO 14971 risk management integration throughout the QMS
  • Design History File structure (for design-responsible organizations)
  • Device master record and device history record system
  • Traceability system to device level (and patient level for implantables)
  • Written quality agreements with critical suppliers
  • Complaint handling connected to adverse event reporting
  • Post-market surveillance procedures
  • Software validation processes (where applicable)
  • Regulatory compliance obligations register for all applicable markets

Cost and Timeline Comparison

| Factor | ISO 9001 | ISO 13485 | ISO 13485 with ISO 9001 Foundation |
|---|---|---|---|
| Standard purchase | $150–$200 | $325–$425 (incl. ISO 14971) | Same |
| Training | $2,500–$9,000 | $5,000–$15,000 | $3,000–$10,000 |
| Documentation | $2,000–$12,000 | $5,000–$20,000 | $3,000–$12,000 |
| Certification audit | $4,000–$15,000 | $6,000–$24,000 | $6,000–$24,000 |
| Internal labor | $5,000–$15,000 | $10,000–$20,000 | $6,000–$14,000 |
| Total first year | $8,000–$35,000 | $15,000–$100,000+ | $12,000–$65,000 |
| Typical timeline | 4–8 months | 8–18 months | 6–12 months |

Organizations with existing ISO 9001 certification typically reduce ISO 13485 first-year costs by 35–50% and timeline by 30–40% — because the QMS infrastructure is already built.

For the complete ISO 13485 cost breakdown, see How Much Does ISO 13485 Cost?

For the complete ISO 9001 cost breakdown, see How Much Does ISO 9001 Cost?


How to Transition from ISO 9001 to ISO 13485

ISO 13485 provides the quality management framework medical device manufacturers use to meet regulatory requirements, improve traceability, and support patient safety.

Step 1 — Purchase ISO 13485:2016 and ISO 14971:2019

Read both completely before conducting your gap assessment.

Step 2 — Download and read the FDA QMSR Final Rule

Available free at FDA.gov. Read the preamble — it explains the three QMSR gaps and the FDA’s intent for each addition to ISO 13485 requirements.

Step 3 — Complete ISO 13485 lead implementer training

ISO 13485 training must address both standard requirements and applicable regulatory frameworks. This is more specialized than ISO 9001 training.

Step 4 — Conduct an ISO 13485 gap assessment against your existing ISO 9001 QMS

Focus on the ISO 13485-specific elements rather than the shared elements you’ve already built. Key gap areas: traceability system, design controls (if applicable), ISO 14971 integration, CAPA structure, supplier quality agreements, complaint handling.

Step 5 — Conduct a QMSR gap assessment

Separately assess the three QMSR gaps beyond ISO 13485 — risk management integration, organizational knowledge, management review inputs.

Step 6 — Build ISO 13485-specific documentation on your ISO 9001 foundation

Add medical device-specific procedures, forms, and records without duplicating what you’ve already built.

Step 7 — Operate the integrated system and generate records

Step 8 — Conduct combined internal audit

Your internal audit must cover all ISO 13485 clauses — including the medical device-specific additions.

Step 9 — Pursue ISO 13485 certification


Frequently Asked Questions

What is the main difference between ISO 9001 and ISO 13485?

ISO 9001 is a universal quality management standard focused on customer satisfaction and continual improvement — applicable to any industry. ISO 13485 is a medical device-specific quality management standard focused on regulatory compliance and patient safety. ISO 13485 has more prescriptive requirements for traceability, design controls, risk management, CAPA, and document retention.

Can ISO 9001 replace ISO 13485 for medical device manufacturers?

No. ISO 9001 certification does not satisfy ISO 13485 requirements. The standards share a structural framework but serve different regulatory purposes. Medical device manufacturers and their supply chains require ISO 13485 — ISO 9001 alone is not accepted by FDA, EU Notified Bodies, or medical device OEM supplier qualification programs.

Does ISO 13485 include ISO 9001?

ISO 13485 is not a superset of ISO 9001 — it is a separate standard with different objectives and requirements. The two standards share the Harmonized Structure but are not interchangeable. An ISO 13485 certificate does not imply ISO 9001 certification.

Is ISO 13485 required by the FDA?

Effectively yes, since February 2, 2026. The FDA’s QMSR final rule incorporated ISO 13485:2016 by reference as the foundational QMS framework for U.S. medical device manufacturers. ISO 13485 certification from an accredited body is the most efficient path to demonstrating QMSR compliance.

How much more does ISO 13485 cost than ISO 9001?

ISO 13485 typically costs 40–80% more than ISO 9001 for equivalent organization sizes without prior QMS experience. Organizations with existing ISO 9001 certification reduce that gap significantly — typically spending 35–50% less on ISO 13485 implementation than starting from scratch. See How Much Does ISO 13485 Cost?

How long does it take to transition from ISO 9001 to ISO 13485?

Organizations with existing ISO 9001 certification typically complete ISO 13485 certification in 6–12 months — compared to 8–18 months starting from scratch. The ISO 9001 QMS foundation significantly compresses the gap assessment, documentation development, and implementation phases.

What is ISO 14971 and is it required for ISO 13485?

ISO 14971 is the international standard for risk management for medical devices. It is a required companion to ISO 13485 — not optional guidance. ISO 14971 defines the formal risk management process that must be applied throughout the medical device lifecycle and integrated throughout ISO 13485 requirements.

What are the three QMSR gaps that ISO 13485 certified organizations must address?

Risk management integration throughout the QMS (not just design), organizational knowledge documentation, and more prescriptive management review inputs including post-market surveillance data and risk management outputs. These are additions to ISO 13485 requirements that the QMSR specifically mandates.




ISO 9001 Opens Doors. ISO 13485 Opens Medical Device Markets.

ISO 9001 is the universal quality management credential — recognized in every industry, required in most supply chains, and the right starting point for almost every manufacturer.

ISO 13485 is the medical device quality credential — and since February 2026, the structural foundation of FDA quality system regulation in the United States. It serves a different purpose, addresses a different risk profile, and carries regulatory weight that ISO 9001 alone cannot provide.

For manufacturers in or entering the medical device supply chain, the question is no longer whether ISO 13485 is relevant. The FDA’s QMSR has answered that. The question is how efficiently your organization can transition from wherever it is now to where the medical device market requires it to be.
