ISO 13485 Certification Timeline in 6 Steps

Last Updated on September 25, 2025 by Melissa Lazaro

Introduction: How Long Does ISO 13485 Certification Really Take?

One of the first questions I get from medical device companies is: “How long will ISO 13485 certification take us?” And honestly, it’s the right question to ask. Without a clear timeline, it’s almost impossible to plan resources, align product launches, or budget properly.

Here’s what I’ve noticed over the years: most companies underestimate the time commitment. They think it’s just about writing procedures and scheduling an audit. In reality, ISO 13485 is a process—it requires building, running, and proving your quality system works before a certification body will even consider issuing a certificate.

The good news? If you understand the roadmap, you can avoid delays and move through certification faster than most. In this article, I’ll walk you through the six key steps every company must complete, with realistic timelines, common mistakes to avoid, and a few pro tips from real projects I’ve supported.

By the end, you’ll know exactly what to expect—and how to keep your certification journey on track.

Step 1 – Gap Analysis (2–4 Weeks)

Before you start drafting procedures or calling certification bodies, you need to know where you actually stand. That’s where the gap analysis comes in. Think of it as a health check for your current processes against ISO 13485 requirements.

Here’s what happens in this step:

• You compare your existing QMS (if you have one) against the standard.

• You identify what’s missing, what needs improvement, and what’s already solid.

• You create an action plan that guides the rest of your certification journey.

Pro Tip: Don’t try to do this entirely in-house if you’ve never implemented ISO 13485 before. An external consultant or fresh set of eyes can spot blind spots your team may overlook.

Common Mistake: Skipping this step because it feels like “extra work.” I’ve seen companies dive straight into writing SOPs, only to spend months rewriting everything once the first audit reveals the gaps. In one project, a startup lost three months of progress because their QMS templates didn’t actually align with ISO 13485.

If you do the gap analysis properly, you’ll start the journey with a clear roadmap—and that makes every following step smoother and faster.

Step 2 – QMS Development & Documentation (2–3 Months)

Once you know your gaps, it’s time to build or refine your Quality Management System (QMS). This is where ISO 13485 starts to feel real—because now you’re putting structure and documentation in place.

Here’s what typically happens during this step:

• Writing and approving procedures, work instructions, and policies.

• Creating the records and forms you’ll need to show evidence of compliance.

• Aligning your processes with ISO 13485 requirements (design, production, supplier control, etc.).

Pro Tip: Keep it practical. Auditors don’t want to see binders full of theoretical documents that no one actually uses. They want a system that works in daily operations. I always tell clients: “Write documents for your people, not for the auditor.”

Common Mistake: Copy-pasting generic templates without tailoring them. I’ve seen companies buy an “ISO 13485 kit,” drop their logo on it, and think they’re done. The problem? When the auditor asks an employee how a process works, they’ll point to a procedure that doesn’t match reality—and that’s an instant nonconformity.

In my experience, companies that take the time to align documentation with how they really work save themselves major headaches (and audit findings) later.

Step 3 – Implementation & Training (2–3 Months)

This is the stage where the QMS moves from paper to practice. Writing procedures is one thing—actually living them day-to-day is another. Auditors want to see not just documents, but evidence that your system is working.

Here’s what usually happens in this step:

• Rolling out the new or updated procedures into daily operations.

• Training employees so they understand their roles and responsibilities.

• Starting to collect records—because without records, there’s no proof of compliance.

Pro Tip: Begin generating records as soon as you can. Things like training logs, supplier evaluations, and design reviews build your compliance story. When Stage 1 comes around, you’ll already have a trail to show.

Common Mistake: Treating training as a one-off event. I’ve seen companies do a single “ISO 13485 awareness session” and call it done. Then, during the audit, staff couldn’t explain their responsibilities. Continuous, role-specific training works far better.

Quick story: One client of mine thought they were ready after documentation. But when we ran a mock audit, not a single employee could explain the complaint handling process. We paused, trained properly, and avoided what would’ve been major findings at Stage 2.

If you get this step right, you’ll enter the audit phase with a QMS that doesn’t just exist—it actually functions.

Step 4 – Internal Audits & Management Review (4–6 Weeks)

By this stage, your QMS should be up and running—but before you invite the certification body in, you need to check that everything actually works. That’s where internal audits and a management review come in. Both are mandatory, and both are often underestimated.

Internal Audit

This is your chance to test-drive your system. Internal auditors (either trained staff or external consultants) walk through your processes, look for gaps, and make sure your records back up what your procedures say.

Pro Tip: Treat this like a rehearsal. If your internal audit is weak, Stage 2 will be painful. If it’s tough and realistic, you’ll walk into certification with confidence.

Common Mistake: Doing a “checkbox” audit just to say it’s done. Auditors spot this immediately. If your internal audit didn’t catch anything, that’s usually a red flag.

Management Review

This is the leadership team’s formal opportunity to review the QMS: Are processes effective? Are resources enough? What improvements are needed? Certification bodies expect to see evidence of leadership involvement.

Quick Example: I worked with an SME that skipped management review until the last week before Stage 1. Their meeting notes looked rushed, and the auditor flagged it as a weakness. A proper review would’ve shown commitment and avoided that finding.

Done properly, this step gives you two things:

1. A clear picture of how ready you really are.

2. Confidence that your leadership team is backing the system—not just the quality manager.

Step 5 – Stage 1 Audit (1–2 Weeks to Schedule, 1–2 Days Audit)

Now it’s time to bring in the certification body for the first official check: the Stage 1 audit. Think of it as a readiness review rather than the full exam.

Here’s what typically happens:

• The auditor reviews your documentation to see if your QMS aligns with ISO 13485.

• They check that mandatory procedures and records exist (complaints, CAPA, design control, supplier management, etc.).

• They confirm you’re ready to move on to Stage 2.

Pro Tip: Use Stage 1 feedback wisely. Auditors often highlight weak areas. Fix them before Stage 2, and you’ll save yourself stress (and potentially extra costs).

Common Mistake: Treating Stage 1 as a formality. I’ve seen companies go in unprepared, only to be told they need significant changes before Stage 2. That can delay certification by months.

Real example: One client had their Stage 1 scheduled too early—before they had enough records to prove their QMS was being used. The CB postponed Stage 2 by 6 weeks, which pushed back their product launch.

Handled correctly, Stage 1 is your chance to catch and fix issues before the main event.

Step 6 – Stage 2 Audit & Certification Decision (6–10 Weeks)

This is the big one—the Stage 2 audit is where your certification body decides if your QMS truly meets ISO 13485 requirements. Unlike Stage 1, this isn’t about readiness—it’s the real test.

Here’s what happens:

• Auditors visit your site (sometimes multiple sites) and walk through your processes in action.

• They interview employees, check records, and make sure your QMS is not only documented but actually working.

• Every requirement of ISO 13485 is covered—no skipping around.

After the audit, the CB reviews the auditor’s report and makes the certification decision. If you had nonconformities, you’ll need to close them before the certificate is issued.

Pro Tip: Respond quickly to nonconformities. Most CBs allow 30 days, but if you drag your feet, you’ll delay your certification.

Common Mistake: Ignoring “minor” findings. Even small issues need documented corrective actions. I’ve seen companies lose two months just because they didn’t close out a supplier evaluation properly.

Real story: An SME I supported wrapped up their Stage 2 audit with only two minor findings. They submitted corrective actions within a week, and their certificate was approved in under six weeks. Fast response = faster certification.

At this point, once the CB issues the certificate, you’re officially ISO 13485 certified. But remember—it doesn’t end there. Surveillance audits in years 2 and 3 keep you on your toes.

FAQs on the ISO 13485 Certification Timeline

Q1: How long does ISO 13485 certification usually take from start to finish?

Most companies complete certification in 6–12 months. Smaller startups with focus and external support can finish in as little as 6–8 months. Larger organizations or those starting from scratch often take closer to a year.

Q2: Can we speed up the process?

Yes. Strong preparation, quick responses to findings, and using experienced consultants can shave months off your timeline. The biggest time-saver? Collecting records early, so you’re not scrambling right before audits.

Q3: Do we have to be “perfect” before Stage 2?

No. Minor nonconformities are common, and auditors expect them. The key is showing a functioning QMS with real records—and being ready to correct any gaps promptly.

Conclusion: Your Certification Journey in 6 Steps

ISO 13485 certification isn’t a one-day event—it’s a structured journey. The timeline can feel daunting, but broken down into six steps, it becomes manageable:

1. Gap Analysis

2. QMS Development & Documentation

3. Implementation & Training

4. Internal Audits & Management Review

5. Stage 1 Audit

6. Stage 2 Audit & Certification Decision

Here’s the takeaway: companies that succeed are the ones that prepare early, treat each step seriously, and keep leadership engaged throughout.

In my experience, the difference between a smooth 8-month certification and a painful 14-month one comes down to planning, records, and how fast you act on findings.

Next Step: Map out where your company is today against these six steps. That simple exercise will give you a realistic timeline—and help you plan resources without surprises.