ISO 13485 Consulting

Get ISO 13485 Certified — With Expert Support at Every Stage of Your Quality System Journey

Our ISO 13485 consulting services help medical device manufacturers and suppliers across Europe build effective quality management systems and achieve certification. We handle the complexity so you can focus on running your business.

Medical Device Certification Isn't Just a Quality Exercise — It's a Market Access Requirement

For organisations operating in the medical device sector, ISO 13485 certification is rarely optional. Under the EU Medical Device Regulation (MDR 2017/745) and the In Vitro Diagnostic Medical Devices Regulation (IVDR 2017/746), placing a device on the European market requires a documented, controlled quality management system. In practice, ISO 13485:2016 is the standard that notified bodies and competent authorities expect to see as evidence that a medical device QMS meets those regulatory obligations.

The pressure extends beyond regulators. Large device manufacturers, hospital procurement bodies, and distributors routinely require ISO 13485 certification from their suppliers as a condition of doing business. If you supply components, contract manufacturing, software, or sterilisation services, your customers are passing their own regulatory obligations down to you — and they will ask to see your certificate.

31,215
ISO 13485 certificates issued globally
43,957
Sites certified worldwide

Source: ISO Survey 2024

ISO 13485 provides the framework to meet these requirements systematically — not through ad hoc compliance exercises, but by building a documented, auditable quality management system that demonstrates how your organisation designs, manufactures, and controls medical devices to consistent standards.

What ISO 13485 Actually Is (And How It Differs From ISO 9001)

ISO 13485 is the international standard for Quality Management Systems (QMS) in the medical device industry. Published by the International Organisation for Standardisation and currently in its 2016 edition — referred to as ISO 13485:2016 — it applies to any organisation involved in the design, development, production, installation, or servicing of medical devices, including suppliers of components, software, and services that form part of a device's lifecycle.

It is not a general quality standard. While ISO 13485 shares structural roots with ISO 9001, it diverges in ways that matter for regulated industries. ISO 9001 places significant emphasis on continual improvement as a management philosophy. ISO 13485 places primary emphasis on regulatory compliance and on demonstrating consistent conformity to applicable requirements. Where ISO 9001 gives organisations flexibility to define their own improvement targets, ISO 13485 mandates specific controls — over design, production, traceability, sterility, and post-market surveillance — that align with what regulators and notified bodies require.

The standard is structured around five interconnected areas:

Quality management system

Establishing and maintaining documented processes that define how your organisation controls every aspect of the device lifecycle, from design inputs to disposal.

Management responsibility

Requiring senior leadership to demonstrate active commitment to the QMS, set quality objectives, conduct regular management reviews, and maintain clear accountability for regulatory compliance.

Resource management

Ensuring the organisation provides the competent personnel, infrastructure, and controlled work environment necessary to produce safe medical devices consistently, including any contamination control requirements relevant to your product.

Product realisation

Covering the full device lifecycle: design and development controls, purchasing and supplier management, production and process validation, traceability, sterility controls, and post-market surveillance obligations aligned with EU MDR and IVDR requirements.

Measurement, analysis, and improvement

Embedding monitoring, internal audit, corrective and preventive action (CAPA), and customer feedback mechanisms that keep the QMS effective, compliant, and responsive to field data.

An ISO 13485 certificate is issued by an accredited, independent certification body after a two-stage audit. The certificate is valid for three years, subject to annual surveillance audits.

What ISO 13485 Certification Actually Gets You

The certificate matters. What sits behind it is what makes your business defensible to regulators, customers, and notified bodies.

Access to the EU market and global regulatory recognition.

ISO 13485 certification is the primary evidence that a medical device QMS meets the requirements of the EU MDR and IVDR. In Canada, Australia, Japan, and Brazil, it is recognised under national medical device frameworks. Without it, market access is constrained. With it, you hold an independently audited proof point that answers the first question regulators and notified bodies ask.

A stronger position with notified bodies.

Notified bodies scrutinise QMS documentation as part of their technical file and conformity assessment work. A well-implemented ISO 13485 system reduces requests for additional evidence, shortens the back-and-forth during assessment, and demonstrates that your quality controls are integrated into operations rather than assembled for the audit.

Reduced regulatory and product liability exposure.

A functioning QMS gives you documented traceability, controlled nonconforming product procedures, and a CAPA process that addresses root causes rather than symptoms. Post-market surveillance requirements embedded in ISO 13485 align directly with MDR obligations, reducing the risk of regulatory action and the consequences of a field safety corrective action or competent authority inspection.

Qualification as a supplier in medical device supply chains.

Device manufacturers are required to control their suppliers under both ISO 13485 and the MDR. They do this by requiring documented evidence of QMS capability — typically ISO 13485 certification. If you supply components, contract manufacturing, software, or sterilisation services, your customers will ask for it.

A foundation that integrates with ISO 9001 and other management systems.

ISO 13485 and ISO 9001 are structurally compatible. If you already hold ISO 9001 certification, the gap analysis typically focuses on the medical device-specific requirements that ISO 9001 does not address — you are extending an existing system rather than building a parallel one. HEIC consults on both standards and can plan an integrated approach from the outset.

A Practical Path From Your Current Position to a Certified Medical Device QMS

Every organisation starts from a different position. Some already have elements of a quality system in place — validation records, technical files, or documented procedures inherited from an ISO 9001 programme. Others are building from scratch. We meet you where you are and guide you through a structured certification process that reaches the outcome without unnecessary complexity.

Phase 1 — Scoping and Gap Analysis

We begin by understanding your operations: the devices or services you provide, the markets you supply, and any existing QMS documentation you hold. We then conduct a structured gap analysis, mapping your current position against ISO 13485:2016 requirements and identifying what is missing, incomplete, or not yet implemented.

What you get:
A written gap analysis report with prioritised action planA realistic project timelineA clear picture of what the certification process involves for your specific organisation and device scope

Phase 2 — Regulatory Context and QMS Design

ISO 13485 requirements do not exist in isolation from the regulatory environment. We review the applicable regulatory context — EU MDR and IVDR requirements, national regulations in your target markets, and notified body expectations relevant to your device classification — and design a QMS architecture that satisfies ISO 13485 while remaining coherent with those broader obligations.

What you get:
A QMS design blueprint covering processes and document hierarchyRisk management integrationRegulatory mapping specific to your organisation and scope

Phase 3 — Implementation and Documentation

With the design confirmed, we work with your team to implement the controls, procedures, and monitoring processes required by the standard. We develop quality manuals, standard operating procedures, work instructions, validation protocols, and post-market surveillance frameworks that reflect how your organisation actually operates — not generic templates that will not survive scrutiny in a real audit.

What you get:
A fully documented QMS with mandatory proceduresCAPA processes and risk management recordsDesign control documentation and supplier management frameworksTraceability controls

Phase 4 — Internal Audit and Certification Preparation

Before external auditors arrive, we conduct a full internal audit — reviewing your QMS against ISO 13485:2016 with the same rigour your certification body will apply. We identify any remaining gaps, help you close them, and prepare your team for the Stage 1 documentation review and Stage 2 implementation audit that follow.

What you get:
An internal audit reportA corrective action plan for any findingsA management review confirming the QMS is ready for external certification

25 Years of Management System Experience, With a Record to Show for It

  • Proven certification track record. We have supported over 500 organisations across Europe through management system certification. That number reflects a consistent, structured process that gets clients to certification without unnecessary rework or repeat audits.
  • Zero major nonconformities. Our clients go into certification audits prepared. When we say a system is ready, we mean it has been reviewed against the standard with the same rigour an external auditor applies — not simply checked against a template. Our track record of zero major nonconformities at certification audits is the result.
  • Regulatory context, not just standard requirements. ISO 13485 cannot be read in isolation from the MDR, IVDR, and the expectations of notified bodies. We work with the full regulatory picture — mapping standard requirements to applicable regulations and designing documentation that serves both the certification audit and the broader conformity assessment process.
  • Practical documentation, not generic templates. The documentation we build for you reflects your actual operations and your actual devices. It is maintainable after we leave, understandable to your quality team, and defensible in front of both a certification auditor and a notified body assessor.
  • Multi-standard capability. HEIC consults on ISO 13485, ISO 9001, ISO 14001, ISO 45001, and ISO 27001, among others. If you hold or are pursuing multiple standards, we can plan and deliver that work as a single coordinated engagement, reducing cost, documentation duplication, and the burden on your team.

Frequently Asked Questions About ISO 13485 Certification

The timeline depends on the size of your organisation, the complexity of your devices and processes, and how much is already documented. For most organisations, the full journey from gap analysis to certification audit runs between five and twelve months. We provide a project timeline at the outset of each engagement so you know what to expect.

The total cost has two parts: consulting fees for the gap analysis, QMS design, implementation support, and audit preparation, and the certification audit fee charged by the certification body you choose. Both vary with organisation size, device complexity, and scope. We provide a scoped cost estimate after an initial assessment — there is no single figure that applies to all organisations.

While both are QMS standards, ISO 13485 is designed specifically for the medical device sector and contains requirements with no equivalent in ISO 9001. These include controls for sterile product, product traceability, design and development documentation specific to medical devices, and post-market surveillance obligations that align with regulatory requirements. ISO 9001 certification does not satisfy the requirements of ISO 13485. Many organisations hold both, particularly where they produce medical devices alongside non-medical product lines, and the two can be integrated into a single system.

ISO 13485 certification is not itself a legal requirement under EU law — the MDR and IVDR require manufacturers to have a quality management system in place, but do not mandate a specific certification scheme. In practice, however, notified bodies and competent authorities expect ISO 13485 certification as the primary evidence that a QMS meets MDR and IVDR requirements. Without it, demonstrating compliance becomes significantly more resource-intensive and carries greater risk during conformity assessment.

ISO 13485:2016 was developed in parallel with the EU MDR and maps closely to the QMS requirements set out in Annex IX and Annex XI of that regulation. A certified ISO 13485 QMS provides the foundation for MDR conformity, but does not automatically guarantee it — specific MDR obligations, such as the appointment of a Person Responsible for Regulatory Compliance (PRRC) and post-market clinical follow-up requirements, sit outside the standard and must be addressed alongside it.

Yes, and for many organisations this is the most efficient approach. If you already hold ISO 9001 certification, a significant portion of your QMS infrastructure — documented processes, internal audit programme, management review, corrective action procedures — already exists. The gap analysis focuses on the medical device-specific requirements that ISO 9001 does not address. We can scope and deliver the ISO 13485 work as an extension of your existing system rather than a parallel build.

A Corrective and Preventive Action (CAPA) process is a mandatory requirement of ISO 13485 and one of the areas certification auditors and notified bodies examine most closely. It is the mechanism by which your organisation identifies the root cause of nonconformities, implements corrections, verifies their effectiveness, and prevents recurrence. A poorly implemented CAPA process is one of the most common sources of major nonconformities at certification audits. We build and test your CAPA process as part of the implementation phase.

Ready to Build a Medical Device Quality System That Stands Up to Scrutiny?

Whether you are pursuing ISO 13485 certification for the first time, updating your QMS to align with EU MDR requirements, or integrating medical device quality management with an existing ISO 9001 system, we can help you get there. Speak to one of our consultants about your situation. We will tell you honestly where you stand, what the certification journey looks like for your organisation, and how long it will realistically take.

  • A clear project timeline based on your size and device scope
  • Practical, tailored advice — not a one-size-fits-all approach
  • An honest assessment of costs, effort, and what to expect from auditors
  • No obligation — just a conversation about your options
Speak to an Expert

Speak to an Expert

We'll get back to you within one business day.

We respect your privacy. No spam, ever.