ISO 13485 is the international quality management system standard for medical devices. For UK importers and distributors, it sits at the centre of MHRA compliance, customer due diligence requirements, and commercial credibility with NHS procurement and private healthcare buyers alike.

Yet many small UK medical device businesses — companies with fewer than 20 staff, a defined product portfolio, and a single site — approach ISO 13485 certification as though it were designed for large manufacturers. It was not. A focused, well-structured programme can bring a small company from a standing start to certification-ready in as little as two weeks.

This article explains what ISO 13485 actually requires, what the certification process looks like, and what to expect at each stage.

What ISO 13485 is — and what it is not

ISO 13485:2016 specifies requirements for a quality management system where an organisation needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

It is not the same as ISO 9001. ISO 13485 is specifically designed for the medical device industry and places additional emphasis on regulatory compliance, risk management, sterile product controls, and the maintenance of effectiveness (rather than continual improvement, as ISO 9001 requires). Once a requirement is in the standard, the obligation is to meet it consistently — not to improve on it indefinitely.

For UK businesses, ISO 13485 certification:

  • Satisfies the QMS requirements under UK MDR 2002 (as amended post-Brexit)
  • Is expected by MHRA for manufacturers and, increasingly, for importers and distributors undergoing conformity assessment
  • Is required or strongly preferred by NHS Supply Chain and most large private healthcare procurement frameworks
  • Supports CE marking and UKCA marking processes
  • Is required for export to regulated markets including the EU, USA (FDA quality system alignment), Canada, Australia, and Japan

What the standard actually requires

ISO 13485 is organised into eight sections, with requirements beginning at Section 4. The practical compliance obligations for a small importer or distributor cluster into five areas:

Quality Management System documentation. You need a Quality Manual describing your QMS scope and structure, a Quality Policy, and a controlled document register. All documents must be version-controlled with defined review and approval processes.

Management responsibility. Top management must formally commit to the QMS, define quality objectives, conduct management reviews at planned intervals, and ensure the organisation has the resources to maintain the system. This cannot be delegated entirely to a quality manager and forgotten.

Resource management. Staff performing quality-affecting activities must have documented competence — training records, qualifications, role descriptions. Infrastructure and work environment requirements must be defined and maintained.

Product realisation. For importers and distributors, this covers the processes from supplier qualification through to customer delivery. Purchasing controls, supplier evaluation, incoming inspection or verification, storage, handling, and traceability are all within scope.

Measurement, analysis, and improvement. The standard requires internal audits at planned intervals, a mechanism for capturing and investigating non-conformances, a CAPA system, and management review of quality data. These are not optional — auditors specifically test whether these systems are functioning, not just documented.

The certification process step by step

ISO 13485 certification is issued by an accredited Certification Body (CB) — not by a consultant, not by MHRA, and not self-declared. In the UK, accredited CBs include BSI, SGS, Bureau Veritas, Lloyd’s Register, and others accredited by UKAS.

Stage 1 audit (document review). The CB auditor reviews your QMS documentation to assess whether it is sufficiently developed to proceed to Stage 2. Stage 1 is typically conducted remotely. If significant gaps are identified, Stage 1 will be paused and rescheduled once you have addressed them. A failed Stage 1 costs time and money — the value of proper preparation is that you pass Stage 1 cleanly.

Stage 2 audit (implementation audit). The CB auditor visits your site (or conducts a remote audit for appropriate scope) to verify that your QMS is not only documented but actively implemented. They will interview staff, review records, walk through your processes, and test your CAPA system. A Stage 2 audit that finds major non-conformances results in a conditional certificate or no certificate until non-conformances are closed.

Certificate issuance. If Stage 2 is passed with no major non-conformances, the certificate is issued, typically covering a three-year cycle with annual surveillance audits.

What a two-week certification readiness sprint looks like

For a small company with a defined product portfolio, the documentation and system-building required for ISO 13485 certification is achievable in a concentrated programme. A structured two-week sprint with experienced external support delivers the following:

Week 1 — Foundation. Gap analysis against ISO 13485:2016 conducted across all clauses, producing a prioritised gap report. This report functions as the organisation’s internal audit under Clause 8.2.2, with findings logged as CAPAs. Quality Manual drafted. Quality Policy written and approved. Organisational chart with quality roles defined. Approximately 10 to 12 core SOPs written and approved, covering document control, record control, management review, internal audit, CAPA, complaint handling, purchasing/supplier evaluation, incoming verification, storage and handling, and non-conforming product. Document register established with version control.

Week 2 — Implementation and closure. CAPAs from the gap analysis raised and closed against Week 1 deliverables. Staff training conducted on the QMS, with attendance records completed. Supplier evaluation completed for critical suppliers. Handover pack compiled: quality records template library, audit schedule, management review agenda template, and a Stage 1 audit preparation checklist.

At the end of Week 2, the company has a fully documented, implemented, and audited QMS. No further internal audit is required before booking Stage 1 with a Certification Body.

Common questions from small UK companies

Do importers and distributors need ISO 13485, or is it just for manufacturers? The standard formally applies to manufacturers, but its scope explicitly includes organisations involved in the supply chain for medical devices, including importers and distributors. NHS procurement frameworks and large private buyers increasingly require ISO 13485 certification regardless of whether the company manufactures. Certification removes ambiguity.

Can we self-certify against ISO 13485? No. ISO 13485 certification must be issued by a UKAS-accredited (or equivalent) Certification Body. A self-declaration against the standard has no standing with MHRA, NHS procurement, or EU market access processes.

How much does CB certification cost? For a small single-site company, a UKAS-accredited CB will typically charge between £2,500 and £6,000 for the Stage 1 and Stage 2 audit combined, depending on the CB and the scope of your QMS. Larger accredited CBs such as BSI may quote toward the higher end of this range; smaller UKAS-accredited CBs are often more competitive for straightforward importer and distributor scopes. Annual surveillance audits and three-year recertification audits are additional. It is worth obtaining quotes from at least two or three accredited CBs before committing, as pricing varies more than many companies expect.

How long between readiness and actual certificate? Once you are certification-ready, the CB scheduling timeline is typically four to eight weeks for Stage 1, and a further two to four weeks between Stage 1 and Stage 2. Plan for two to three months from first CB contact to certificate in hand.

Choosing a regulatory consultant for ISO 13485

The quality of external support matters significantly to the outcome. A consultant who understands the medical device industry, holds ISO 13485 lead auditor credentials, and has direct experience on both the audit and industry sides will identify issues that a generalist quality consultant may miss.

Vesta Consulting offers a two-week ISO 13485 certification readiness sprint for small UK medical device importers and distributors. The programme delivers a complete, implemented QMS — Quality Manual, Quality Policy, core SOPs, gap analysis/internal audit report, CAPA closure, staff training records, and handover pack — leaving your company ready to book Stage 1 with your chosen Certification Body. Get in touch to discuss your company’s scope and timeline.

Key references

– ISO 13485:2016 — Medical devices — Quality management systems — Requirements for regulatory purposes

– UK MDR 2002 (as amended), SI 2002/618

– MHRA Guidance: Placing medical devices on the UK market

– UKAS Accredited Certification Bodies directory: ukas.com

 

Tesha Hiralal is the founder of Vesta Consulting and a BSI-certified ISO 13485 Lead Auditor (CQI/IRCA). She holds an MSc in Regulatory Affairs and a B.Pharm (Hons), and is a former SAHPRA Medicines Control Officer and Inspector.