ISO 9001 Fundamentals: A Practical Guide for UK Digital Health Teams
ISO 9001 for healthtech: what the standard requires, how it compares to ISO 13485, and when it's the right next step for UK digital health teams.

ISO 9001 is the internationally recognised standard that defines the criteria for a quality management system (QMS). It outlines a framework organisations use to ensure their products and services are delivered consistently, meet customer expectations, and comply with regulatory requirements.
This post covers what ISO 9001 actually requires, how it compares to ISO 13485, who in healthtech really needs it, and the common pitfalls we see.
What is ISO 9001?
For digital health companies, achieving ISO 9001 certification signals that products and services are built on clear, repeatable processes that consistently deliver high-quality results. Meeting the standard demonstrates a commitment to quality management, reliability, and in some cases, patient safety.
What is a Quality Management System (QMS)?
A quality management system (QMS) is the set of policies, processes, and procedures an organisation uses to manage quality across everything it does. In practice, it's a documented framework that captures what your organisation does, how it does it, who is responsible, and how performance is measured and improved over time.
For digital health companies, the QMS typically covers how products are designed and developed, how changes are managed, how customer feedback is handled, and how incidents or non-conformances are resolved. ISO 9001 defines the requirements a QMS must meet to achieve certification. It doesn't tell you what your processes should look like, but it does require that they exist, that they're followed consistently, and that there's evidence to prove it.
What Does ISO 9001 Require?
ISO 9001 takes a process-based approach to quality. As mentioned, ISO 9001 doesn't prescribe exactly what your company does. It asks that you can describe what you do, do it consistently, measure how well it's working, and improve when it isn't.
ISO 9001:2015 is built on two complementary approaches: the process approach and risk-based thinking. The standard is structured across seven clauses of requirements (clauses 4–10), and is informed by the following seven quality management principles:
- Customer Focus: Meet and exceed customer requirements; measure satisfaction and act on it.
- Leadership: Leaders at all levels create conditions for people to achieve quality objectives. Unity of purpose and direction.
- Engagement of People: Competent, empowered, and engaged people at every level are essential to delivering value.
- Process Approach: Understanding and managing interrelated processes as a system improves consistency and predictability of outcomes.
- Improvement: Continual improvement is a permanent organisational objective, both reactive (corrective action) and proactive (innovation).
- Evidence-Based Decision Making: Decisions based on analysis and evaluation of data and information are more likely to produce desired results.
- Relationship Management: Managing relationships with interested parties (including customers, employees, regulators, shareholders, suppliers, and partners) sustains performance over the long term.
Certification is awarded by an external certification body (we recommend using one accredited by UKAS) through a two-stage audit: a Stage 1 review of your documentation and readiness, followed by a Stage 2 on-site or remote audit of the QMS in operation.
Once certified, expect the certification body to run surveillance audits in years one and two, with a full recertification audit in year three. The exact schedule varies by certification body, so confirm it when you sign the contract.
ISO 9001 for Healthtech
Three groups of stakeholders tend to ask about ISO 9001 for digital health companies: enterprise customers (especially large healthcare organisations), NHS organisations running their own procurement, and investors during due diligence. In each case, ISO 9001 certification is independent evidence that your quality management practices are in order.
It's worth noting that you don't strictly need ISO 9001 to sell into the NHS. That said, ISO 9001 increasingly shows up as a "preferred" or "desired" requirement in larger tenders, framework agreements, and trust-led procurements.
For private healthcare buyers, large insurance providers, and pharma-adjacent customers, the bar is often higher. ISO 9001 sits alongside ISO 27001 as a baseline expectation for any supplier handling business-critical workflows.
ISO 9001 vs ISO 13485
ISO 13485 is designed specifically for organisations involved in the design, manufacture, and servicing of medical devices. It carries stricter regulatory requirements, with a heavy focus on risk management, traceability, and patient safety. If your product is a regulated medical device or software as a medical device (SaMD), it's the standard you'll need.
If your digital health product doesn't qualify as a medical device, ISO 9001 is likely the more appropriate starting point. It gives you the flexibility to build a quality management system around your own processes and customer requirements, without the additional regulatory burden that comes with medical device compliance.
That said, it's worth thinking ahead. ISO 13485 shares significant overlap with ISO 9001 but goes further in areas like design controls, post-market surveillance, and healthcare-specific regulatory compliance. If there's any chance your product roadmap takes you towards regulated device territory, building to ISO 13485 from the start is often the smarter move: you'll cover the ground ISO 9001 would have covered anyway, and you won't have to redo the work later.
Common Pitfalls when Pursuing ISO 9001
A few patterns we see often, and worth knowing about before you start:
- Treating ISO 9001 as a documentation exercise. Teams produce a 60-page manual nobody reads and assume that's the QMS. The manual has its place, but auditors don't grade you on it; they grade you on whether your team is actually doing what the manual says. The QMS lives in your operational behaviour, not in a PDF.
- Letting the QMS run parallel to the business. A quality system that sits separately from sprint planning, customer onboarding, or release management will quickly fail. We recommend embedding the QMS in the tools your team already uses, so it becomes part of day-to-day operations rather than a separate chore.
- Over-engineering for stage. A 20-person healthtech doesn't need the same QMS as a 200-person medical device manufacturer. ISO 9001 is intentionally proportionate, so keep that in mind when writing the quality manual and key SOPs.
- Underestimating the internal audit programme (clause 9.2). Internal audits are where most first-time certifications wobble. We recommend building the audit calendar at the same time you build the policies, rather than leaving the internal audit until a few months before the certification body visits.
- Forgetting management review (clause 9.3). The management review is a required part of ISO 9001, and it means senior leaders must visibly engage with the QMS: reviewing performance data, audit results, and non-conformances, and deciding what to change.
How is ISO 9001 evolving?
ISO 9001:2015 is the current version, but ISO has recently signalled an update is coming, with consultation already underway and a revised standard expected in 2026 or 2027 (subject to ISO's process). The likely direction of travel: stronger expectations around climate-related risk, more explicit integration with information security and privacy management, and tighter language around evidence-based decision making.
For UK healthtechs, two adjacent shifts matter more than the ISO 9001 update itself. The first is NHS England's continued push to consolidate compliance expectations across DTAC, DSPT, and clinical safety frameworks. The second is the MHRA's evolving software and AI guidance, which is reshaping what "quality" means for any product touching patient care. Teams that build a QMS designed to flex with regulatory change, rather than one anchored to a single 2015 standard, will weather the next three years far better than teams chasing certificates one at a time.
How Assuric Helps with ISO 9001
We launched our ISO 9001 (QMS) Framework specifically because healthtech teams kept asking for a faster, NHS-aware route. Here's how we make it work:
→ Pre-built QMS templates mapped to ISO 9001 clauses, so you start with most of the documentation already drafted and reviewed by quality specialists.
→ Audit-ready evidence collection built into the platform, so you're capturing the evidence as you work rather than scrambling the week before a stage 2 audit.
→ Cross-framework mapping between ISO 9001, DTAC, DCB0129, ISO 27001 and ISO 13485, so the work you do once counts towards every framework you're pursuing.
→ Internal audit and management review tooling, so the parts that most often trip up first-time certifications are handled by repeatable workflows rather than ad-hoc spreadsheets.
If you'd like to see how this works for your team, book a demo or get in touch with the team.
