ISO Standards for NHS Healthcare
- Jul 2
- 10 min read
ISO Standards in the NHS Context
ISO standards play an increasingly important role in NHS procurement, assurance, and risk management. Developed by the International Organization for Standardization, they provide internationally recognised frameworks for managing quality, information security, business continuity, risk, and other critical organisational functions. While most ISO standards are voluntary, NHS organisations and procurement teams increasingly rely on them as evidence that suppliers operate mature, well-governed, and independently verified management systems.
For organisations supplying products and services to the NHS, ISO certification should be viewed as complementary to UK-specific regulatory and assurance requirements rather than a replacement for them. Medical device manufacturers must still comply with MHRA requirements and applicable UKCA marking obligations. Digital health suppliers may need to satisfy DTAC requirements, complete the Data Security and Protection Toolkit (DSPT), or demonstrate compliance with clinical safety standards such as DCB0129 and DCB0160. ISO standards help organisations build the governance, processes, and controls that support these obligations but do not remove the need to meet them directly.
This guide is intended for NHS suppliers across medical devices, Software as a Medical Device (SaMD), digital health, healthcare technology, and professional services. It explains the key ISO standards most commonly encountered in NHS procurement and assurance activities, what each standard covers, and how they relate to the wider healthcare compliance landscape.
NHS Supply Chain ISO Mandate from 2025
From February 2025, NHS Supply Chain introduced a quality management requirement for suppliers seeking inclusion in certain framework agreements. Suppliers must provide a valid, in-date BS EN ISO 9001:2015 or BS EN ISO 13485:2016 certificate, depending on the nature of the products or services being supplied. This makes accredited quality management certification a gateway requirement for affected frameworks, rather than simply a useful differentiator.
The certificate must be issued by a certification body accredited by the United Kingdom Accreditation Service (UKAS), or by another accreditation body recognised through the International Accreditation Forum (IAF). NHS Supply Chain states that this requirement is intended to ensure certificates are credible, independently audited, and globally recognised.
Where certification is in progress, suppliers must provide confirmation from the certification body that the process has started and that the expected outcome will be available within the timeframe specified in the Invitation to Tender. Suppliers should therefore plan certification early, rather than waiting until a tender opportunity is live.
The scope of certification is also critical. Certificates must cover the relevant products, services, and supply-chain activities being offered under the framework. Where subcontracted activities form part of delivery, suppliers should ensure these are appropriately controlled and reflected in the quality management evidence provided.
The commercial consequence is significant. Suppliers that cannot demonstrate suitable accredited ISO 9001 or ISO 13485 certification may be excluded from affected NHS Supply Chain frameworks. Even where certification is not a strict pass/fail requirement, weak or incomplete quality evidence can reduce credibility, increase buyer concern, and weaken positioning in NHS and wider public-sector tenders.
ISO 13485 and ISO 9001 Explained
Two of the most important quality management standards encountered by NHS suppliers are ISO 13485 and ISO 9001. Both provide frameworks for managing quality, improving consistency, and demonstrating organisational maturity, but they are designed for different purposes and audiences.
ISO 13485:2016 is the internationally recognised quality management system standard for medical devices. It is specifically designed for organisations involved in the design, development, manufacture, distribution, installation, servicing, or lifecycle management of medical devices and Software as a Medical Device (SaMD). The standard places significant emphasis on regulatory compliance, risk-based decision-making, design and development controls, supplier management, traceability, complaint handling, corrective actions, and post-market surveillance.
For medical device manufacturers, ISO 13485 plays a central role in demonstrating compliance with regulatory requirements under both the UK Medical Devices Regulations 2002 (UK MDR 2002) and the EU Medical Devices Regulation 2017/745 (EU MDR). In practice, a compliant quality management system is expected for most manufacturers seeking UKCA or CE marking. Within Europe, the standard is adopted as EN ISO 13485:2016, while in the UK it is published as BS EN ISO 13485, providing the recognised national implementation of the same international standard.
ISO 9001:2015 is a broader quality management standard applicable to organisations in almost any sector. It focuses on customer satisfaction, process management, continual improvement, leadership, and organisational performance. Within the NHS supply chain, ISO 9001 is commonly used by suppliers of healthcare services, consumables, logistics, facilities management, consultancy, software services, and other non-medical device products where a formal quality management system is required but medical device regulations do not apply.
In practical terms, medical device manufacturers, SaMD developers, and organisations placing regulated medical devices on the market will generally require ISO 13485. Non-device suppliers will often find ISO 9001 sufficient to meet procurement and quality assurance expectations. Some organisations maintain both standards, particularly where they operate across regulated medical device activities and broader commercial or service-based activities.
Although the standards share common quality management principles, ISO 13485 is generally regarded as the more stringent framework. It is built on many of the same quality management concepts found in ISO 9001 but incorporates additional regulatory, risk management, traceability, documentation, and lifecycle requirements. As a result, ISO 13485 is not simply a quality improvement standard; it is fundamentally intended to support compliance within highly regulated medical device environments.
ISO 27001 and NHS Information Security
ISO/IEC 27001:2022 is the international standard for establishing, operating and continually improving an Information Security Management System (ISMS). For NHS suppliers, it matters because information security expectations increasingly focus on demonstrable governance, risk management, incident response, supplier assurance and continual improvement, rather than isolated technical controls.
ISO 27001 is not a direct substitute for the NHS Data Security and Protection Toolkit (DSPT). Suppliers still need to complete the DSPT where it applies. However, a well-implemented ISO 27001 ISMS can materially accelerate DSPT submission by providing reusable evidence across areas such as risk assessment, asset management, access control, incident management, supplier oversight, business continuity, staff awareness and management review.
The direction of travel is also clear from NHS England's Cyber Security Charter for suppliers to the NHS, launched through an open letter in May 2025. The Charter reinforces expectations around proactive cyber risk management, collaboration with NHS England during incidents, and stronger supplier accountability. ISO 27001 evidence can help suppliers demonstrate that these expectations are supported by formal governance, documented controls and tested processes.
For organisations operating in Europe, NIS2 also raises the bar for cybersecurity governance and incident response. Its scope can extend to manufacturers of medical devices and in vitro diagnostic devices, making ISO 27001 a useful framework for demonstrating structured risk management, leadership accountability and incident handling capability.
Several related ISO standards are also relevant to NHS suppliers. ISO/IEC 27002 provides implementation guidance for information security controls. ISO/IEC 27018 supports protection of personally identifiable information in public cloud environments. ISO/IEC 27035 addresses incident management, while ISO/IEC 27036 covers supplier relationships. ISO 22301 supports business continuity and operational resilience. For healthcare-specific implementation, ISO 27799 provides guidance on applying ISO/IEC 27002 controls in health settings, including environments involving health software and medical devices.
For NHS suppliers, ISO 27001 should therefore be understood as a central information security framework that supports, but does not replace, NHS-specific assurance requirements.
ISO 14971 and Clinical Risk
ISO 14971:2019 is the international standard for risk management of medical devices. It provides a structured process for identifying hazards, estimating and evaluating risks, implementing risk controls, and monitoring residual risk throughout the entire product lifecycle. Unlike many quality or compliance standards, ISO 14971 focuses specifically on safety and is intended to be applied from initial concept and design through development, validation, production, post-market surveillance, and product retirement.
For manufacturers of medical devices, Software as a Medical Device (SaMD), and AI-enabled medical technologies, ISO 14971 is a cornerstone of regulatory compliance. It is closely linked to both the UK Medical Devices Regulations 2002 and the EU Medical Devices Regulation 2017/745, where effective risk management is a fundamental requirement. Typical outputs include hazard analyses, risk assessments, risk management plans, and risk management reports.
For NHS suppliers, however, ISO 14971 is only part of the clinical safety picture. NHS England requires compliance with DCB0129 for manufacturers of health IT systems and DCB0160 for organisations deploying and operating those systems within NHS care settings. These requirements derive from the Health and Social Care Act 2012 and apply to health software and digital systems used within NHS England.
Distinctions
Although there is overlap between the standards, NHS England draws an important distinction between them. ISO 14971 addresses risks to patients, users, and others throughout the device lifecycle and is intended for global regulatory use. DCB0129 and DCB0160 focus specifically on clinical safety risks arising within NHS deployments and healthcare workflows. The DCB standards also require the appointment of a suitably qualified Clinical Safety Officer (CSO) and the production of formal clinical safety documentation.
Another key difference is transparency. Under DCB0129, manufacturers are expected to provide a Clinical Safety Case Report and related safety information to deploying organisations so that local clinical safety assessments can be completed under DCB0160. ISO 14971 risk management files, by contrast, are generally regulatory and commercial documents that are not routinely shared with customers.
Several related standards are also relevant. ISO/TR 24971:2020 provides practical guidance on implementing ISO 14971 and is widely used by manufacturers to interpret risk management requirements. Meanwhile, the ISO 80001 family addresses risk management for IT networks that incorporate medical devices, making it particularly relevant to NHS hospitals integrating connected devices, clinical systems, and digital infrastructure. In practice, ISO 80001 complements DCB0160 by supporting the safe management of technology within complex healthcare environments.
Together, these standards help organisations manage risk across both regulated product development and real-world NHS deployment.
Other Relevant ISO Standards for the NHS
While ISO 9001, ISO 13485, ISO 27001, and ISO 14971 are among the standards most frequently encountered by NHS suppliers, a number of other ISO standards play important roles depending on the nature of the products and services being supplied.
ISO 14001:2015 provides a framework for environmental management systems and is becoming increasingly relevant as the NHS advances its Net Zero Supplier Roadmap. NHS organisations are placing greater emphasis on environmental sustainability within procurement and supplier assurance processes, making ISO 14001 a valuable way to demonstrate structured environmental governance. NHS Supply Chain itself maintains ISO 14001 certification as part of its own management systems.
ISO 45001:2018 focuses on occupational health and safety management. It is particularly relevant for suppliers with significant operational, manufacturing, logistics, installation, maintenance, or field-service activities where workforce health and safety forms an important component of risk management and contractual assurance.
For laboratory services, ISO 15189:2022 is the internationally recognised standard for quality and competence in medical laboratories. It underpins UKAS accreditation for NHS pathology and diagnostic laboratories and is often regarded as the benchmark for laboratory quality management and technical competence.
Several standards are particularly important for medical device and software manufacturers. IEC 62304 defines lifecycle requirements for medical device software, including Software as a Medical Device (SaMD), while IEC 62366 addresses usability engineering and the reduction of use-related risks. Both are widely used to support regulatory compliance and safe deployment of digital health technologies within NHS environments.
As artificial intelligence becomes more prominent in healthcare, ISO/IEC 42001:2023 is emerging as an important framework for AI management systems. The standard provides governance requirements for organisations developing or deploying AI-enabled systems and may become increasingly relevant alongside regulatory developments such as the EU AI Act and growing expectations around AI assurance.
A number of more specialised standards may also apply depending on the product. ISO 14155:2020 governs clinical investigations of medical devices. The ISO 10993 series addresses biological evaluation and biocompatibility. ISO 11607covers packaging and sterile barrier systems for terminally sterilised medical devices, while ISO 11135 relates to ethylene oxide sterilisation. ISO 17664 specifies information that manufacturers must provide for cleaning, disinfection, and reprocessing of reusable medical devices.
Together, these standards demonstrate the breadth of assurance expectations that can apply across the NHS supply chain, from sustainability and workforce safety to software engineering, artificial intelligence, laboratory quality, and medical device compliance.
ISO Standards Alongside NHS Frameworks
A common misconception among NHS suppliers is that ISO certification alone is sufficient to demonstrate compliance with NHS requirements. In reality, ISO standards and NHS-specific frameworks serve different but complementary purposes. ISO certifications provide evidence that recognised management systems, controls, and governance arrangements are in place, while NHS frameworks assess how those arrangements are applied within the specific context of healthcare delivery, patient safety, and NHS operations.
There is significant overlap between the two. ISO 9001 can support DTAC requirements relating to quality management and controlled processes. ISO 13485 provides a strong foundation for medical device quality systems, design controls, and aspects of clinical safety governance. ISO 27001 can substantially reduce the effort involved in completing the DSPT and demonstrating compliance with DTAC data protection and security requirements. Similarly, ISO 14971 underpins many clinical risk management activities but does not by itself satisfy the requirements of DCB0129 or DCB0160.
The key point is that NHS frameworks require their own evidence. A supplier may hold ISO 27001 certification yet still need to complete the DSPT. A medical device manufacturer may operate a certified ISO 13485 quality management system but still need DCB0129 clinical safety documentation, DTAC evidence, and regulatory submissions. NHS organisations will often request framework-specific artefacts rather than relying solely on certificates.
For suppliers targeting NHS procurement opportunities, the most effective approach is to treat ISO standards as the foundation of a wider assurance strategy. Strong organisations build once and evidence many times: quality management systems support DTAC responses, information security controls support DSPT submissions, and risk management processes feed into clinical safety activities. This creates a coherent evidence base that can be reused across tenders, due diligence exercises, audits, and assurance assessments while reducing duplication and strengthening credibility with NHS buyers.
FAQ and Next Steps
Is UKAS accreditation required for NHS work?
Not always, but it is increasingly expected where certification is used as evidence during procurement and supplier assurance activities. NHS Supply Chain and many NHS buyers require certificates issued by certification bodies accredited by UKAS or another accreditation body recognised through the International Accreditation Forum (IAF). Accreditation provides confidence that certification has been independently assessed and is internationally recognised.
Do NHS trusts set their own ISO requirements?
Yes. While national frameworks and procurement routes may specify particular standards, individual NHS trusts and integrated care systems often have their own assurance requirements based on the services, risks, and data involved. Some may request ISO certification, while others focus on evidence provided through DTAC, DSPT, clinical safety documentation, or cybersecurity assessments.
Does ISO 27001 replace the DSPT?
No. ISO 27001 and the DSPT are complementary but serve different purposes. ISO 27001 demonstrates that an organisation operates an Information Security Management System, while the DSPT is an NHS-specific assurance framework. A mature ISO 27001 implementation can provide valuable evidence for DSPT submissions, but suppliers must still complete the DSPT where it applies.
How long does ISO certification take?
Timescales vary depending on the organisation's size, complexity, and existing maturity. Organisations with established governance, policies, and management systems can often progress more quickly than those starting from scratch. Certification projects typically involve gap analysis, implementation, evidence generation, internal audits, management review, and independent certification audits before a certificate can be issued.
Do NHS suppliers need ISO 9001 or ISO 13485?
It depends on what they supply. Medical device manufacturers and many Software as a Medical Device (SaMD) developers will generally require ISO 13485 because of its role in regulatory compliance and quality management. Suppliers of services, consumables, logistics, software services, and other non-device products often rely on ISO 9001. Increasingly, procurement frameworks expect suppliers to hold one of these recognised quality management certifications.
Understanding how ISO standards interact with NHS-specific requirements can be challenging, particularly where regulatory, clinical safety, cybersecurity, and procurement obligations overlap. The AbedGraham Group supports health-tech companies, medical device manufacturers, digital health suppliers, and NHS vendors with quality management systems, ISO implementation, clinical safety, cybersecurity, and assurance programmes. Whether you are pursuing certification, preparing for procurement, or aligning multiple compliance frameworks, our specialists can help you build a proportionate and defensible approach. Book a discovery call to discuss your requirements.


Comments