ISO 13485 Mandatory Procedures List

Last Updated on September 25, 2025 by Melissa Lazaro

Introduction: Why ISO 13485 Mandatory Procedures Matter

I’ll be honest with you—one of the biggest headaches I see medical device companies face is figuring out which ISO 13485 procedures are actually mandatory. Over the years, I’ve guided dozens of teams through audits, and the same confusion comes up every time: “Do we really need all these documented procedures, or just a few?”

Here’s the reality. ISO 13485 doesn’t drown you in paperwork for fun. The mandatory procedures exist because they’re the backbone of a functioning Quality Management System. Skip them, and you’re almost guaranteed to run into major nonconformities during your audit.

What I’ve noticed is that once companies get clarity on the must-haves—things like document control, internal audits, and CAPA—the rest of the QMS suddenly feels a lot less overwhelming. Instead of spreading resources thin, they can focus on doing the essentials really well. And that’s what auditors want to see.

So in this guide, I’m going to walk you through the exact list of mandatory ISO 13485 procedures, explain why each one matters, share some real-world mistakes I’ve seen (and how to avoid them), and give you practical tips to keep auditors happy without drowning in paperwork.

Understanding ISO 13485 Mandatory Procedures

Before we jump into the list, let’s clear up one common misunderstanding: ISO 13485 doesn’t come with a giant checklist of every procedure you might need. Instead, it highlights a handful of procedures that are explicitly mandatory. Everything else depends on your processes, risks, and how complex your operations are.

Here’s what I’ve noticed—companies often get tripped up because they confuse records with procedures. Records are proof that you did something (like a signed-off audit report). Procedures are the documented steps that explain how you’re going to do it (like your internal audit process). Mix those up, and suddenly you’re missing half the system.

Another trap? Treating these procedures as “box-ticking documents.” Auditors can spot a generic, copy-paste template from a mile away. The mandatory procedures need to reflect how your organization actually works. A client of mine once tried to use a borrowed CAPA procedure word-for-word—and the auditor quickly flagged it, because it didn’t match their actual workflow. Painful lesson, but it stuck.

The bottom line is this: knowing which procedures are mandatory is step one, but implementing them in a way that makes sense for your business is what gets you through an audit smoothly.

Now that we’ve cleared that up, let’s dive into the first mandatory procedure: Document Control.

ISO 13485 Mandatory Procedures List

Document Control Procedure (Clause 4.2.4)

If there’s one procedure every auditor will zoom in on, it’s document control. Why? Because your entire Quality Management System hangs on it. If your procedures, work instructions, or forms are outdated or floating around in multiple versions, your audit’s going downhill fast.

Here’s what I’ve noticed: most nonconformities in this area don’t come from not having a document control procedure—they come from not using it consistently. A client once had a beautifully written procedure, but when the auditor asked operators on the floor which version of the work instruction they used, three different copies showed up. That was an immediate finding.

Pro Tip: Always make sure there’s a single source of truth. Whether you’re using QMS software or a shared drive, employees should know exactly where to find the latest approved document. Bonus points if your system automatically archives old versions so no one accidentally grabs the wrong one.

Common Pitfall: Forgetting about external documents. Standards, regulatory guidelines, and supplier specifications often get overlooked, but they also need to be controlled. Auditors will ask, “How do you make sure you’re using the latest version of ISO 13485 or FDA guidance?”—and you’ll need a clear answer.

At the end of the day, document control isn’t about bureaucracy. It’s about ensuring everyone is following the same playbook. Get this right, and you’ve already built trust with your auditor.

Now that we’ve covered document control, let’s move on to the next critical one: Record Control.

Record Control Procedure (Clause 4.2.5)

If document control is about making sure people follow the right instructions, record control is about proving they actually did. Auditors love records because they’re the breadcrumbs that show whether your QMS works in real life—not just on paper.

Here’s what I’ve noticed: records often become an afterthought. Teams focus on keeping procedures polished but forget that every action—like a calibration, a design review, or a training—needs a record. During one audit I supported, the client had a spotless internal audit procedure. But when the auditor asked for the last audit record, it was incomplete and unsigned. That single missing signature turned into a nonconformity.

Pro Tip: Make records easy to capture and retrieve. If staff see it as a painful extra step, they’ll either delay filling it out or miss it altogether. A simple checklist, electronic form, or even a QR code on equipment that links to a log can save you a lot of headaches.

Common Pitfall: Ignoring retention rules. Different regulators (FDA, EU MDR, etc.) expect records to be kept for different lengths of time, often linked to the product lifecycle. I’ve seen companies get burned because they purged records too early. Always tie your retention schedule to regulatory and contractual requirements.

Real-world example: One manufacturer I worked with had a complaint investigation record requested by an auditor. Because they had a well-structured indexing system, they pulled it up in under a minute. The auditor’s response? “That’s exactly how records should be controlled.” That one moment earned them a lot of credibility.

Bottom line: if document control shows the plan, record control proves the execution. Both go hand in hand—and both are non-negotiable in ISO 13485.

Next, let’s talk about one of the most powerful tools for improvement in any QMS: Internal Audits.

Internal Audit Procedure (Clause 8.2.4)

If there’s one procedure that separates a company that’s just passing audits from one that’s actually improving, it’s the internal audit process. ISO 13485 makes this mandatory for a reason—it’s your chance to catch problems before an external auditor does.

In my experience, too many companies treat internal audits like a chore. They rush through them just to tick a box. But here’s the truth: when done right, internal audits are one of the best tools you have for strengthening your QMS.

Pro Tip: Don’t just audit against the standard—audit the process. For example, if you’re looking at purchasing, don’t limit yourself to checking if supplier evaluations are on file. Ask: are those evaluations actually helping us choose better suppliers? That’s the kind of insight that prevents bigger problems down the line.

Common Pitfall: Using the same person to audit their own work. It sounds obvious, but I’ve seen it happen often—especially in smaller companies. Auditors will flag this immediately because it kills the independence of the process. Even in lean teams, you can train cross-functional staff to audit each other.

Real-world story: I worked with a medical device startup that dreaded internal audits. Once we shifted their approach—treating audits as “health checks” instead of “compliance police”—their findings turned into actual improvements. Six months later, their external audit had zero major nonconformities. The lead auditor even complimented their audit program.

The takeaway? Internal audits aren’t about catching people out. They’re about building confidence that your system works. And when you do them right, your external audit becomes a lot less stressful.

Now that we’ve covered internal audits, let’s tackle another critical one: Control of Nonconforming Product.

Control of Nonconforming Product (Clause 8.3)

Let’s be real—mistakes happen. Products sometimes don’t meet specifications, and that’s okay. What’s not okay is letting those nonconforming products slip through to the customer. That’s why ISO 13485 requires a clear procedure for how you identify, control, and dispose of nonconforming product.

Here’s what I’ve noticed: the biggest risks usually come from poor segregation. I once saw a company get a major nonconformity because defective parts were stored right next to good ones, with no clear labeling. When the auditor asked, “How do you make sure nonconforming products aren’t used?” the answer wasn’t convincing. That’s an easily avoidable mistake.

Pro Tip: Make it impossible to mix things up. Use bright tags, designated “quarantine” bins, or even a physically separate area. The clearer the distinction, the less chance someone accidentally grabs the wrong item.

Common Pitfall: Stopping at identification. It’s not enough to tag a product as “nonconforming.” You also need a documented decision—are you scrapping it, reworking it, or sending it back to the supplier? Auditors will expect to see that documented trail.

Real-world story: A manufacturer I supported tightened up their nonconformance process by linking it directly to their CAPA system. Instead of just recording the issue, they asked: “Is this a one-off, or part of a bigger trend?” That small shift helped them spot a recurring supplier issue months earlier than they otherwise would have.

At the end of the day, this procedure is about protecting patients and customers. If you can show your auditor that nonconforming products are caught, controlled, and dealt with properly, you’re proving your QMS is doing its job.

Next up, we’ll look at the heart of continuous improvement in ISO 13485: Corrective and Preventive Action (CAPA).

Corrective and Preventive Action (CAPA) – Clauses 8.5.2 & 8.5.3

If there’s one procedure that shows whether your QMS is truly alive (and not just paperwork on a shelf), it’s CAPA. Auditors often call it the engine of improvement—and for good reason. CAPA is where you show how problems get solved for good, not just patched over.

In my experience, most companies struggle here. Either their CAPAs are too vague (“training provided” is a classic weak corrective action), or they balloon into massive projects that never close. Both approaches frustrate auditors.

Pro Tip: Keep your CAPAs focused and actionable. A solid CAPA has three things: a clear root cause, specific corrective steps, and evidence that those steps worked. If you can tie your CAPA back to risk reduction, even better—that’s exactly what auditors love to see.

Common Pitfall: Treating CAPA as a dumping ground. I’ve seen teams throw every little issue into the CAPA system, from a missing signature to a full-blown product recall. That clogs the system and makes it unmanageable. Not everything needs a CAPA—sometimes a quick correction is enough. Save CAPA for issues that truly matter.

Real-world example: I helped a company that was drowning in open CAPAs—some over two years old. We streamlined their process by adding a triage step: minor issues were handled immediately, while systemic problems went into CAPA. Within six months, they cut their backlog by 70% and impressed their auditor with a clean, well-prioritized CAPA log.

At its core, CAPA isn’t about pleasing the auditor. It’s about building a culture where mistakes lead to learning and real fixes. Get this right, and you’ll not only pass your audit—you’ll actually see your QMS adding value to the business.

Now that we’ve nailed the big five, let’s talk about a few additional procedures that, while not always spelled out as “mandatory,” are practically unavoidable in real-world audits: Risk Management, Complaint Handling, and Supplier Control.

Additional Essential Procedures: Risk Management, Complaint Handling & Supplier Control

Here’s something I’ve noticed time and time again: companies get laser-focused on the six “official” mandatory procedures and then act surprised when auditors raise findings about areas like risk management or complaint handling. Technically, these aren’t all labeled as “mandatory procedures” in ISO 13485—but in practice, auditors treat them as non-negotiable.

Risk Management

Risk management isn’t just a clause; it’s woven into the DNA of ISO 13485 and medical device regulations. If you don’t have a clear procedure for identifying, evaluating, and controlling risks, you’ll run into trouble. One client I worked with had brilliant technical designs but no documented risk management procedure. Their certification audit nearly failed until they fixed it.

Pro Tip: Link your risk management procedure to product lifecycle stages—design, production, post-market. That way, auditors see you’re not treating risk as a one-off exercise.

Complaint Handling

Auditors and regulators care deeply about how you handle complaints, because complaints are often the first sign of product issues in the field. Even if ISO 13485 doesn’t list it as a “mandatory” procedure, skipping it is a guaranteed red flag.

Common Pitfall: Treating complaints like customer service tickets. Complaints must feed into CAPA and risk management if they highlight systemic problems. If you miss that link, you’ll lose credibility fast.

Supplier Control

Medical device companies don’t work in isolation—you rely on suppliers. That’s why auditors expect to see a robust supplier evaluation and monitoring procedure. If a supplier’s materials fail, it’s your product and your patients on the line.

Real-world story: A client once failed an audit because they were buying sterile packaging from a supplier without ever performing a qualification. Their procedure just said “use approved suppliers,” but no one could show how suppliers got “approved.” The fix? A simple risk-based supplier evaluation process.

The bottom line: even if these aren’t explicitly listed in ISO 13485’s mandatory six, you should absolutely treat them as essential. Doing so not only keeps auditors happy but also strengthens your QMS against real-world risks.

FAQs – ISO 13485 Mandatory Procedures

Q1. Are the six documented procedures the only ones I need?

Not quite. ISO 13485 explicitly requires six documented procedures, but in practice, auditors will also expect to see processes for things like risk management, complaint handling, and supplier control. Think of the six as your baseline—and the others as essential for surviving a real audit.

Q2. Can I just use a template for these procedures?

You can, but be careful. Templates are a great starting point, but they often fail audits when they don’t reflect how your company actually works. In my experience, auditors are quick to flag copy-paste procedures that don’t match real practices. Always customize templates to your processes.

Q3. What happens if a mandatory procedure is missing during the audit?

That’s almost always a major nonconformity. Best case, you’ll be scrambling to fix it under tight deadlines. Worst case, it could delay or block your certification. The good news? If you know the list and prepare properly, it’s one of the easiest areas to get right.

Conclusion: Making ISO 13485 Procedures Work for You

So, here’s the bottom line—ISO 13485 isn’t about paperwork for paperwork’s sake. The mandatory procedures are there because they keep your system consistent, traceable, and ultimately safe for patients. Skip them, and you’re setting yourself up for findings, delays, and frustration. Nail them, and suddenly your audit feels a whole lot smoother.

In my experience, the companies that succeed with ISO 13485 don’t just “write procedures.” They actually use them—day in, day out—so when the auditor shows up, everything feels natural and credible. That’s where the real confidence comes from.

If you take one thing away from this guide, it’s this: focus on the essentials (document control, records, internal audits, nonconforming product, and CAPA), and don’t neglect the “practically mandatory” ones like risk management and complaints. Done right, these procedures aren’t just compliance—they’re tools that protect your business and your customers.

And if you’re feeling stuck? Don’t reinvent the wheel. I’ve helped dozens of companies build and streamline these procedures, and I’ve seen how a clear checklist or tailored support can save months of stress.

Next step: Download the free ISO 13485 Mandatory Procedures Checklist to make sure your QMS covers everything auditors expect.
