ISO 27001 is an organisational information security management system standard. It is useful but not required for MDR conformity. A startup should pursue ISO 27001 when a named enterprise customer has made it a contractual gate, not as a speculative investment. EN IEC 81001-5-1:2022 is the product-level standard the notified body cares about. The two are complementary, not interchangeable.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • ISO/IEC 27001 is the international standard for an information security management system (ISMS). It is an organisational standard covering how a company manages information security across people, processes and technology.
  • MDR does not require ISO 27001. MDR requires state-of-the-art software security under Annex I Sections 17.2 and 17.4, which maps to EN IEC 81001-5-1:2022 and is interpreted by MDCG 2019-16 Rev.1.
  • A notified body auditing an MDR technical file looks for EN IEC 81001-5-1:2022 lifecycle evidence and ISO 14971 integrated cybersecurity risk. A hospital CISO buying a networked device looks for supplier assurance that is partially covered by ISO 27001.
  • The right time to certify is when an enterprise customer has written ISO 27001 into a procurement gate and the deal value justifies the cost. The wrong time is pre-revenue, speculative, or "to look serious".
  • In Tibor's audit experience, ISO 27001 on its own never satisfied the notified body for product cybersecurity. It sits beside the product evidence, not on top of it.
  • In Felix's startup coaching work, the common failure is treating ISO 27001 as a sales badge rather than an operational discipline. The certificate without the practice is worse than neither.

Why this matters (Hook)

A series-A medtech founder receives two security questions on the same day. The notified body asks whether cybersecurity risks are integrated into the ISO 14971 risk file and whether the product lifecycle follows EN IEC 81001-5-1:2022. A German university clinic's procurement office asks whether the startup holds ISO 27001. The founder thinks both questions ask about "cybersecurity" and answers both with the same document. Neither audience is satisfied.

The confusion is not the founder's fault. The word "cybersecurity" covers both product security, which is what the notified body regulates, and organisational information security, which is what enterprise procurement often gates on. They share vocabulary and nothing else. In Tibor's audit work this conflation regularly shows up when a startup produces an ISO 27001 Statement of Applicability in response to a request for EN IEC 81001-5-1:2022 evidence. It looks similar to an untrained eye. It does not answer the question.

Felix has watched the same confusion burn runway. A pre-seed startup spent six months and a quarter of its engineering budget chasing ISO 27001 certification before there was a product in the market or a paying customer who required the certificate. The sales deal that was supposed to justify the effort evaporated for unrelated reasons. The certificate now sits in the data room, unused.

What MDR actually says (Surface)

MDR is product regulation. ISO 27001 is an organisational management system standard. They regulate different things and meet at only one point: the output of an ISMS can feed the organisational side of a secure development lifecycle.

MDR Annex I Section 17.2. For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.

MDR Annex I Section 17.4. Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.

EN IEC 81001-5-1:2022. The state-of-the-art standard for security activities across the health software product life cycle. This is the standard a notified body uses to judge whether MDR Annex I Section 17.2 is met on the security dimension.

MDCG 2019-16 Rev.1 "Guidance on Cybersecurity for medical devices". Authoritative interpretation of MDR cybersecurity requirements. MDCG 2019-16 Rev.1 explicitly expects cybersecurity to be integrated into the ISO 14971 risk management process and to follow a secure development lifecycle, which is exactly what EN IEC 81001-5-1:2022 specifies.

EN ISO 13485:2016+A11:2021. The QMS standard referenced by MDR. Clause 4.1.6 requires that software used in the QMS be validated for its intended use. The QMS is the place where information security controls on internal systems live when they affect device quality.

ISO/IEC 27001. An international standard for information security management systems. It specifies how an organisation plans, implements, maintains and continually improves an ISMS. ISO 27001 is not harmonised under MDR. It is not referenced in MDR Annex I. A notified body does not use it to assess product security. It is commercially relevant, but it is not a regulatory requirement.

Plain language: MDR says the product must be secure and the process behind it must be a secure development lifecycle. EN IEC 81001-5-1:2022 describes that lifecycle. MDCG 2019-16 Rev.1 interprets the MDR expectation. ISO 27001 describes how an organisation runs its information security as a whole. The notified body audits the first three. Enterprise customers sometimes ask about the fourth.

A worked example (Test)

Consider a 15-person startup with a Class IIa SaMD platform approaching its first notified body audit. The team has two full-time developers, one part-time regulatory lead, and a fractional CISO one day per week. Cash runway is 14 months. There is no signed enterprise contract. Three pilots are running.

Scenario A. The founders decide to pursue ISO 27001 in parallel with the MDR submission because "enterprise customers will ask for it". Cost estimate from a reputable certification body: 60 to 120 thousand euros over 12 months, plus roughly 0.5 to 1 full-time equivalent of internal effort. Outcome: the notified body still asks for EN IEC 81001-5-1:2022 evidence on the product side, which the team has not prepared because the ISO 27001 project absorbed the cybersecurity budget. The notified body raises a non-conformity on Annex I Section 17.2. The audit clock slips three months while the team catches up. No enterprise customer converts during that window, because enterprise procurement was not the gating constraint in the first place.

Scenario B. The founders decide to invest in EN IEC 81001-5-1:2022 lifecycle activities integrated into the EN 62304 software process and the ISO 14971 risk file, in line with MDCG 2019-16 Rev.1. They prepare a lightweight supplier security assurance pack for hospital procurement. They skip ISO 27001. Six months after CE mark, a large hospital chain signs a framework agreement and lists ISO 27001 as a preferred but not mandatory criterion. The startup commits to a Stage 1 ISO 27001 audit within the next fiscal year as part of the commercial agreement. ISO 27001 now has a clear business case tied to a specific contract with specific revenue.

Both scenarios use the same technical team and the same runway. The second one spends money when the contract justifies it. The first one spends money on a speculative badge.

The Subtract to Ship playbook (Ship)

The Subtract to Ship principle here is brutal on timing. Certification is not the thing. The practice behind the certificate is the thing. The question is not "should the startup have ISO 27001" but "when does ISO 27001 become the cheapest path to close a specific deal".

Step 1. Satisfy MDR first. Build EN IEC 81001-5-1:2022 lifecycle evidence inside the EN 62304 process. Integrate cybersecurity risks into the ISO 14971 risk file as required by MDCG 2019-16 Rev.1. This is non-negotiable. No amount of organisational certification substitutes for product security evidence.

Step 2. Build a supplier security assurance pack. A five-page PDF that answers a hospital CISO's questionnaire from existing QMS artefacts. Covered in more depth in the related post on NIS-2 and MedTech market access.

Step 3. Treat ISO 27001 as a commercial decision with a named customer and a signed revenue number. Before committing, answer four questions. Which named customer has written ISO 27001 into a procurement gate? What is the contract value? What alternative evidence, for example SOC 2 Type II or HDS in France, would satisfy the same gate? Does the runway allow 12 months of ISMS build without starving the product roadmap?

Step 4. Do not start ISO 27001 pre-revenue unless a regulated enterprise sector (banking, telecom) is the primary market. In those sectors, ISO 27001 is table stakes and absence is a deal-breaker. In hospital sales, absence is a friction point that a good supplier security pack resolves in most cases.

Step 5. If the ISO 27001 decision is yes, scope it minimally. Certify only the business unit that touches the product, not the entire company. Use an experienced lead implementer with medtech experience so the ISMS aligns with, rather than duplicates, the ISO 13485 QMS. Duplicate management systems are where early-stage companies quietly die of overhead.

Step 6. Reuse QMS evidence aggressively. Under ISO 13485, the startup already has document control, records control, training, internal audit, corrective action, management review, and supplier control. All of these correspond to ISO 27001 management system clauses or Annex A controls under different names. The overlap is large, and the integrated approach is the cheap path.

Step 7. Measure the ISO 27001 ROI in closed revenue within 12 months of certification. If the certificate does not unlock the specific deal it was built for, the practice was the wrong instrument.

Reality Check

  1. Is the notified body expecting EN IEC 81001-5-1:2022 evidence and is the team building it, not ISO 27001, as the first priority?
  2. Is there a named enterprise customer whose procurement has written ISO 27001 into a gate, or is the decision speculative?
  3. If a customer requires ISO 27001, has SOC 2 Type II, HDS or another equivalent been offered as an alternative?
  4. Can the startup afford 12 months of ISMS build without slipping product milestones or clinical evidence work?
  5. Does the ISO 13485 QMS exist in a state that ISO 27001 can plug into, or are both management systems being built at the same time?
  6. Is the ISO 27001 scope limited to the business unit that touches the product, or is the whole company being certified?
  7. What is the closed revenue target tied to the certificate and who owns it?

Frequently Asked Questions

Is ISO 27001 required for MDR CE marking? No. MDR does not reference ISO 27001. The notified body assesses product cybersecurity against EN IEC 81001-5-1:2022 and MDCG 2019-16 Rev.1, integrated into the ISO 14971 risk file. ISO 27001 is organisational and does not substitute for product evidence.

Does ISO 27001 replace ISO 13485? No. ISO 13485 is the medical device QMS standard referenced by MDR. ISO 27001 is an information security management system standard. They are complementary. A medtech company needs ISO 13485. It may choose to add ISO 27001 for commercial reasons.

How long does ISO 27001 certification take? Typically 6 to 12 months from decision to Stage 2 audit, depending on the existing management system maturity. A company that already runs a strong ISO 13485 QMS can move faster because roughly half the Annex A controls map to existing QMS processes.

Can a startup get away with SOC 2 instead? That depends on the customer. SOC 2 Type II is widely accepted by US and some European enterprise customers. German and French hospital chains tend to prefer ISO 27001 or national equivalents like HDS. The right answer is to ask the specific customer before committing.

What does ISO 27001 cost for a 15-person startup? Rough range: 60 to 120 thousand euros for consulting plus certification body fees, plus internal time. Recertification at year three is cheaper but not free. The real cost is the ongoing operational discipline, not the certificate itself.

Is ISO 27001 useful for investors or due diligence? For growth-stage investors, sometimes. For early-stage medtech investors, rarely. Investors care about the MDR path and clinical evidence first. ISO 27001 is a late-stage commercial asset, not an early-stage signal.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I Sections 17.2, 17.4.
  2. MDCG 2019-16 Rev.1 "Guidance on Cybersecurity for medical devices", July 2020.
  3. EN IEC 81001-5-1:2022 "Health software and health IT systems safety, effectiveness and security - Part 5-1: Security".
  4. EN ISO 13485:2016+A11:2021 "Medical devices - Quality management systems - Requirements for regulatory purposes".
  5. ISO/IEC 27001 "Information security, cybersecurity and privacy protection - Information security management systems - Requirements".