ISO 9001 is the general quality management standard for any industry; ISO 13485 is the quality management standard for medical devices. ISO 13485 keeps the ISO 9001 framework but adds heavy regulatory, risk, design-control, and documentation requirements, and it drops ISO 9001's emphasis on continual improvement and customer satisfaction in favor of consistently meeting regulatory requirements.

They look like cousins because ISO 13485 grew out of ISO 9001, but they are built for different jobs. ISO 9001 wants a business to keep getting better and keep customers happy. ISO 13485 wants a medical device maker to be provably safe, traceable, and compliant, every single time, whether or not the process is "improving." Understanding where they diverge saves you from certifying to the wrong one, or from assuming your ISO 9001 system already covers what a device regulator will demand.

What is the difference between ISO 9001 and ISO 13485?

The core difference is purpose. ISO 9001 (ISO 9001:2015) is a generic framework for a quality management system that any organization can use to improve performance and satisfy customers. ISO 13485 (ISO 13485:2016) applies that framework specifically to organizations that design, produce, install, or service medical devices, and it is written to align with medical device regulations around the world.

That difference in purpose drives every other difference. ISO 9001 is flexible and improvement-driven. ISO 13485 is prescriptive and safety-driven. Where ISO 9001 says "continually improve," ISO 13485 more often says "maintain the effectiveness of" the system, because in a regulated device context, an unvalidated "improvement" is a risk, not a win. ISO 13485 also stayed on the older structure rather than adopting the high-level Annex SL structure that ISO 9001:2015 uses, so the two do not map clause-for-clause.

ISO 9001 and ISO 13485 overlap and differencesShared framework, different emphasisISO 9001ISO 13485continualimprovementcustomersatisfactionSHARED QMS:doc controlinternal auditmgmt reviewprocess controlregulatoryrisk mgmtdesign controlvalidationtraceability
Both share the same quality-management skeleton. ISO 9001 leans toward improvement; ISO 13485 bolts on the safety and regulatory muscle a device maker cannot skip.

Where does ISO 13485 add requirements?

ISO 13485 takes the shared QMS and layers on the controls a regulator expects of anyone making a device that goes in, on, or near a patient. The big additions:

What ISO 13485 stacks on top of the shared QMSISO 13485 = shared QMS + regulated-device layersSHARED QMS FRAMEWORK (both standards)+ regulatory requirements throughout+ risk management (ISO 14971)+ design controls + validation+ post-market surveillancemoreregulated
Start from the shared framework and stack the regulated-device layers. That stack is roughly what an ISO 9001 shop has to add to reach ISO 13485.

What does ISO 13485 drop or change from ISO 9001?

ISO 13485 is not simply "ISO 9001 plus." It deliberately steps back from two of ISO 9001's signature ideas. First, continual improvement: ISO 9001 makes it a central obligation, while ISO 13485 asks you to maintain the effectiveness of the QMS and improve where needed, but does not push continual improvement as an overarching goal. Second, customer satisfaction: ISO 9001 treats it as a key measure, while ISO 13485 focuses on meeting customer and regulatory requirements and on feedback as a safety signal rather than a satisfaction metric.

The logic is safety, not indifference. In a device context, chasing improvement or satisfaction without regulatory discipline can introduce uncontrolled change. So ISO 13485 trades some of ISO 9001's flexibility for predictability and documented control. This is also why ISO 13485 leans harder on documentation: more required procedures, more required records, tighter document and record control.

A useful way to feel the gap: in ISO 9001, if your team finds a better way to run a process, you can often just adopt it and document the change. In ISO 13485, that same change may require a risk assessment, updated design or process validation, regulatory review, and a controlled change record before it can go live. Neither approach is wrong; they are tuned for different stakes. When the failure mode is an unhappy customer, speed and improvement win. When the failure mode is a patient injury, control and evidence win.

DimensionISO 9001:2015ISO 13485:2016
ScopeAny industry or organizationMedical device design, production, and service
Primary aimImprove performance, satisfy customersMeet regulatory requirements, ensure device safety
Continual improvementCentral requirementMaintain effectiveness; improve where needed
Customer satisfactionRequired measure of performanceFeedback treated as a safety and quality signal
Risk managementRisk-based thinking, strategic levelProduct and process risk throughout (ISO 14971)
Design controlsLighter; excludable if no designFormal, mandatory design and development file
ValidationGeneral process controlProcess, sterilization, and software validation
DocumentationFlexible, less prescriptiveHeavier, more required procedures and records
StructureAnnex SL high-level structureOlder ISO 9001-based structure

Do you need both ISO 9001 and ISO 13485?

Most medical device manufacturers certify to ISO 13485 alone, because it is what regulators, notified bodies, and device customers ask for. You generally do not need ISO 9001 on top of it; ISO 13485 already contains a full QMS. Some companies that serve both device and non-device markets hold both certificates, and a supplier that makes components for device makers but also for other industries might use ISO 9001 as its base and add ISO 13485 for the device line.

If you make devices, ISO 13485 is almost always the right target. If you make components for device makers, ask your customers: many will accept ISO 9001 with additional controls, while others flow down ISO 13485 requirements. The two share enough DNA that a strong ISO 9001 system, especially its internal audit and corrective action discipline, is a solid foundation to build ISO 13485 on.

One caution: holding an ISO 9001 certificate does not mean you are close to ISO 13485. The shared framework gets you the plumbing, but the regulated-device layers, design controls, risk files, validation protocols, and post-market systems, are real work that ISO 9001 never asked for. Teams that assume their existing certificate covers most of the gap tend to underestimate the design-control and validation effort most of all.

How do you decide which standard to certify to?

Use this short decision sequence:

  1. Identify what you make. If any product meets the regulatory definition of a medical device, ISO 13485 is on the table. If not, ISO 9001 is your baseline.
  2. Ask your customers and regulators. Device customers and notified bodies usually require ISO 13485. Non-device customers usually require ISO 9001. Let the people who buy from you and regulate you set the target.
  3. Check whether you design. If you design devices, you need ISO 13485's full design controls. If you only manufacture to someone else's design, confirm which controls they flow down to you.
  4. Assess your regulatory exposure. The more your product can harm a patient, the more the risk management, validation, and traceability of ISO 13485 matter. Higher-risk devices make ISO 13485 non-negotiable, and a notified body will expect the full design and validation record before it grants the certificate.
  5. Decide on one or both. Pure device makers pick ISO 13485. Mixed-market suppliers may hold both. Build whichever you choose on the shared QMS core so you are not maintaining two disconnected systems.

The standards in numbers

Reference points from the issuing body:

Whichever standard applies, the operational headache is the same: keeping controlled records, traceability, and evidence straight without drowning the floor in paperwork, which is especially punishing under ISO 13485's documentation load. Harmony's part is narrow: capture quality checks and production records digitally at the station, keep them searchable and traceable, and surface the patterns, working alongside your QMS and existing systems rather than replacing them. No rip-and-replace. If you build devices or components for them, our notes on medical device manufacturing and supplier quality go deeper, and you can see the digitization approach in a plant at our features overview. Pick the standard your product and customers demand, then build one clean QMS underneath it.