Why ISO 27001 and SOC 2 Are Not Enough for FDA Medical Device Cybersecurity

Here’s a pattern Blue Goat Cyber sees regularly: a medical device manufacturer arrives at premarket submission with an ISO 27001 certificate in hand, convinced their cybersecurity story is complete. Weeks later, a deficiency letter arrives. The FDA isn’t questioning their information security posture. It’s asking for a Secure Product Development Framework, a threat model tied to multi-patient harm scenarios, and a Software Bill of Materials. None of those exist in ISO 27001.

This is one of the most predictable failure modes in the FDA submission process, and it stems from a structural mismatch that’s easy to miss until it’s costly. Based on Blue Goat Cyber’s experience across 510(k), De Novo, and PMA submissions, this gap between enterprise IT certification and FDA cybersecurity compliance isn’t a documentation formatting issue. It’s a fundamental difference in what problem each framework was built to solve. Understanding why standard IT security frameworks fall short for FDA medical devices is the first step toward building a submission that actually clears review.

What ISO 27001 and SOC 2 Were Actually Built to Do

ISO 27001 was designed to protect organizational information assets: servers, databases, customer data, and business processes. It gives organizations a structured Information Security Management System built around 93 controls, risk treatment plans, and annual certification audits. SOC 2 gives service organizations a way to demonstrate trustworthiness to enterprise clients through five trust service criteria, security, availability, confidentiality, processing integrity, and privacy.

Both frameworks treat security as an organizational posture question. They ask: does this company manage risk responsibly? The FDA asks an entirely different question: does this specific device protect patients from harm caused by a cybersecurity failure? The unit of analysis is the device, not the organization. The risk frame is patient safety, not data confidentiality or business continuity. That distinction changes everything about what documentation is required.

Holding an ISO 27001 certificate tells the FDA nothing about whether a device’s firmware handles authentication securely, whether the SBOM has been catalogued, or whether a vulnerability disclosure process exists for cleared products. The certificate proves the company has a well-managed information security program. It says nothing about the clinical risks embedded in the device itself. That’s the core limitation of ISO 27001 for FDA medical devices, and it cannot be papered over with addenda or mapping exercises.

What the FDA’s Cybersecurity Submission Actually Requires

Under section 524B of the FD&C Act, sponsors of 510(k), PMA, De Novo, and other premarket submissions for “cyber devices” must include documented evidence of secure-by-design architecture, lifecycle vulnerability management plans, and postmarket monitoring processes. The FDA’s 2026 final guidance on premarket cybersecurity, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, supersedes earlier versions and raises the evidentiary bar significantly, specifying approximately 12 standardized documents submitted through the eSTAR format.

The specific documentation FDA reviewers look for includes a Security Product Development Framework integrated into the Quality Management System, a threat model addressing multi-patient harm scenarios and supply chain vulnerabilities, an SBOM covering all software components with version information and End of Support dates, and labeling disclosures about connectivity and device support lifetime.

These are not checkbox items. FDA reviewers evaluate whether the threat model reflects the actual device architecture and whether mitigations trace back to identified risks. A detailed narrative without a traceability matrix fails to meet FDA standards, even if it covers the right topics. Every cybersecurity control must connect back to patient safety impact, a vulnerability that could cause an infusion pump to deliver the wrong dose is categorically different from a data breach risk. FDA submissions must reflect that distinction, with hazard analysis tied to clinical outcomes rather than generic security control language borrowed from enterprise frameworks.

Why Standard IT Security Frameworks Fail for FDA Medical Devices

ISO 27001 risk assessments evaluate threats to information assets. They don’t evaluate threats to a patient whose infusion pump communicates over an unencrypted channel. The FDA’s risk framework, aligned with ISO 14971, requires harm analysis tied to clinical outcomes. Enterprise frameworks have no equivalent construct, which means even a thorough ISO 27001 risk assessment produces documentation that FDA reviewers cannot use to evaluate patient safety risk.

The lifecycle evidence problem is equally significant. FDA submissions require documented evidence across the entire device lifecycle, from initial design through postmarket surveillance. ISO 27001’s ISMS covers ongoing organizational operations, not the structured premarket-to-postmarket regulatory lifecycle evidence the FDA expects. SOC 2 reports are point-in-time attestations, not living development lifecycle records with traceability to design controls.

Device-specific technical constraints make the mismatch even more pronounced. Real-time operation requirements, limited CPU and memory in embedded systems, legacy firmware without update mechanisms, and constrained connectivity patterns make many standard IT security controls technically unworkable on medical devices. Controls like real-time antivirus scanning, SIEM logging, and continuous patching assume abundant computing resources and flexible architectures, assumptions that don’t hold for a cardiac monitor running safety-critical firmware on a constrained embedded processor. An ISO 27001 control set designed for enterprise servers cannot be applied without substantial adaptation to that kind of environment.

For software-based medical devices, the limitations of standard IT frameworks are equally acute. SaMD security requirements under FDA guidance demand software lifecycle documentation, including IEC 62304-aligned development processes, that neither ISO 27001 nor SOC 2 was structured to produce. The clinical context of software execution changes what “secure” means in ways enterprise frameworks simply don’t account for.

The Specialized Frameworks the FDA Actually Recognizes

AAMI TIR57 provides principles for medical device security risk management that directly align with ISO 14971. It bridges clinical safety risk management with cybersecurity risk analysis in a way ISO 27001 cannot. The FDA recognizes AAMI TIR57 as an accepted approach to security risk management in premarket submissions, and the 2026 final guidance names it as a core standard alongside ANSI/AAMI SW96. Manufacturers should build their security risk management processes on this foundation, not on enterprise risk frameworks that lack any clinical harm analysis component.

IEC 62443-4-1 defines a secure product development lifecycle for industrial and embedded systems. Its focus on security requirements for product developers maps directly to what the FDA expects in an SPDF. The standard addresses security requirements definition, secure design, secure implementation, verification and validation, defect management, patch management, and end-of-life, a scope that aligns tightly with FDA premarket expectations. For health software, IEC 81001-5-1 builds on IEC 62443-4-1 with lifecycle requirements tailored to clinical context. Together, these two standards give manufacturers a defensible, internationally recognized basis for their development process documentation.

UL 2900-1 and UL 2900-2-1 establish testable cybersecurity requirements for network-connectable products, including medical devices. UL 2900-2-1 adds healthcare-specific requirements covering PHI and PII protection, threat modeling by intended use, defense-in-depth architecture, and incident response for healthcare contexts. The FDA recognized both standards in 2017 and 2018 as consensus standards, meaning manufacturers can reference UL 2900 compliance directly in premarket submissions as objective evidence of cybersecurity risk management. That kind of testable, device-specific evidence is something ISO 27001 was never designed to provide. For details on the FDA recognition of these consensus standards, see the FDA standards database entries for UL 2900‑1 and UL 2900‑2‑1.

Real Consequences of Using the Wrong Framework

When a submission arrives with ISO 27001 documentation as the primary cybersecurity basis, FDA reviewers issue Additional Information requests. These deficiency letters require manufacturers to produce the SPDF, threat model, and risk assessment evidence that should have been in the original package. The most commonly cited deficiencies involve incomplete threat modeling, absent traceability between identified risks and mitigations, missing cybersecurity views of device architecture, and weak postmarket vulnerability management plans. Each round of responses adds months to the review timeline, delays that carry real cost in delayed market entry and diverted engineering resources.

Device recalls demonstrate what happens when device-specific cybersecurity is treated as an afterthought. The 2025 recall of the Abiomed Automated Impella Controller was triggered by network and physical access vulnerabilities in the operating system, creating risk of device control loss in a cardiac support device. The FDA classified it as the most serious recall category, indicating potential for serious injury or death. Abbott pacemaker vulnerabilities led to recalls involving hundreds of thousands of units. These cases reflect what happens when connected devices ship without rigorous, device-specific security architecture, not inadequate organizational security programs.

Cleared devices with weak security become compounding postmarket liabilities. FDA’s postmarket guidance expects ongoing vulnerability monitoring, patch procedures, and exploit response plans, all of which require device-specific infrastructure that enterprise frameworks were never designed to create. For additional context on what the FDA expects for postmarket cybersecurity activities, see the agency’s cybersecurity FAQs for medical devices. A company that relied on ISO 27001 documentation to support a cleared submission may find itself structurally unprepared for postmarket surveillance obligations, creating ongoing regulatory exposure long after the device reaches market.

Building a Submission-Ready Security Posture from the Right Foundation

The practical path forward starts with choosing the right framework stack rather than retrofitting enterprise controls. Build on AAMI TIR57 for security risk management, IEC 62443-4-1 for the development process and SPDF foundation, and UL 2900 for testable security requirements. Layer ISO 14971-aligned hazard analysis on top to connect cybersecurity risks to clinical harm. These frameworks were designed for the problem the FDA is trying to solve. Mapping ISO 27001 controls onto this structure produces documentation with a structural gap, the clinical harm linkage that FDA reviewers look for simply isn’t there. For the full list of the FDA’s expectations in premarket submissions, consult the agency’s final premarket cybersecurity guidance.

Complete submissions require a full SPDF cybersecurity documentation aligned with FDA expectations, a threat model built from the device’s actual architecture using a recognized methodology like STRIDE, an SBOM cataloging every software component with version and support lifecycle data, penetration testing and vulnerability scanning results with documented mitigation traceability, and a vulnerability management plan covering both premarket and postmarket phases. Each element must trace back to patient safety mitigations. Based on current reviewer patterns, incomplete SBOMs, particularly those missing End of Support dates, and unresolved penetration testing findings without documented acceptance criteria are among the most frequently flagged issues.

This is the documentation stack Blue Goat Cyber builds for medical device manufacturers preparing premarket submissions. The team’s experience spans 510(k), De Novo, and PMA pathways, with deep familiarity with what FDA reviewers scrutinize most closely at each stage. For manufacturers who need to get it right the first time, working with a team that understands FDA device cybersecurity requirements, such as described in Securing Medical Devices: The Key to Faster FDA Clearance and Investor Confidence, is the clearest path to clearance.

The Right Framework from the Start

ISO 27001 and SOC 2 are rigorous, valuable frameworks for what they were designed to do. They were not designed for FDA medical device cybersecurity submissions. Understanding why standard IT security frameworks fail for FDA medical devices isn’t a criticism of those frameworks, it’s a recognition that regulated devices require a different evidentiary foundation entirely. The FDA is looking for SPDF documentation, AAMI TIR57-aligned risk management, threat models tied to clinical harm, SBOMs, and testable security evidence from frameworks like UL 2900. Using enterprise IT frameworks as a substitute creates gaps that generate deficiency letters, extend timelines, and in the worst cases, contribute to device vulnerabilities that reach patients.

The fix is to build on the right foundation before the submission package is assembled, and ideally before design freeze. Every month spent correcting framework mismatches during submission review is a month that could have been spent getting the device to patients who need it.

Blue Goat Cyber works with medical device manufacturers at every stage of the FDA submission lifecycle, from early design consulting through postmarket compliance. If your next submission is approaching and your cybersecurity documentation isn’t built on the frameworks FDA reviewers actually expect, navigating the cybersecurity landscape for MedTech innovators with experienced advisors can close the gap. Contact our team for a consultation. We’ll identify exactly what’s missing and build the complete package to close the gap.

Related: Medical Device Cybersecurity: A Complete Lifecycle Guide

Book Strategy Session

The Med Device Cyber Podcast

Follow Blue Goat Cyber on Social

LinkedinYoutubeInstagramTwitter