How Long Does ISO 13485 Certification Take? A Realistic Timeline for Medical Device Companies

The most common question quality directors ask before starting an ISO 13485 certification project is how long it will take. The answer depends heavily on where you are starting from, how much of a quality system you have in place, and whether you are building from scratch or formalizing processes that already exist in some form.

For a medical device company with no prior quality management infrastructure, expect 12 to 18 months from project kickoff to a successful certification audit. For a company with an existing quality system that needs to be updated and formalized, the timeline can compress to 6 to 9 months. Companies with a mature, documented QMS that are simply transferring to a different certification body sometimes complete the process in 4 to 6 months.

This article breaks down each phase of the certification timeline, identifies the variables that compress or extend it, and explains what you can do to avoid the delays that push most first-time certifications past their original deadline.

What ISO 13485 certification actually involves

ISO 13485 is a quality management standard published by the International Organization for Standardization (ISO). It specifies requirements for organizations involved in the design, development, production, installation, or servicing of medical devices and related services. Certification means a notified body or accredited certification body has audited your quality management system and confirmed it meets the standard’s requirements.

Certification is not a product approval. It is a certification of your quality system. A company can hold ISO 13485 certification and still have individual product submissions or regulatory approvals pending. Under FDA’s Quality Management System Regulation (QMSR), which aligns with ISO 13485, FDA accepts a certificate of conformance to ISO 13485 as evidence of QMS compliance, making ISO 13485 certification directly relevant to FDA market access as well (FDA, 2026).

Phase 1: Gap analysis (4 to 8 weeks)

The first phase is a structured comparison of your current quality practices against every clause of ISO 13485:2016. The goal is to identify which requirements you already satisfy, which you partially satisfy, and which you do not address at all.

A gap analysis covers all seven sections of the standard: the quality management system itself (Section 4), management responsibility (Section 5), resource management (Section 6), product realization (Section 7), and measurement, analysis, and improvement (Section 8). Each subsection maps to specific documented procedures, records, and activities that the auditor will expect to find during certification.

The output of a gap analysis is a prioritized remediation plan. Every gap becomes a project task with an owner and a target completion date. Without this step, organizations often discover late in the process that a foundational element, such as a management review procedure or a design controls framework, is missing or too informal to satisfy an auditor.

Phase 2: QMS documentation development (8 to 16 weeks)

Documentation is the most time-consuming phase, and it is where most timelines slip. ISO 13485 requires a quality manual, a documented quality policy, quality objectives, and documented procedures for a defined set of core processes including document control, record control, internal audit, CAPA, nonconformance management, and management review.

Beyond those mandatory documents, most regulated medical device companies need documented procedures for design controls, risk management (ISO 14971), validation, supplier qualification, and complaint handling. Each procedure needs to be written, reviewed by subject matter experts, approved through a formal document control process, and trained to the affected employees before the certification audit.

The time required for this phase depends almost entirely on how much documentation already exists. A company that has been operating informally can adapt existing practices into documented procedures in eight to ten weeks. A company building from a completely blank page may need four months.

One variable that compresses this phase significantly is the quality management platform you use. A pre-validated eQMS like Cloudtheapp includes ready-to-deploy document templates, workflow-based approval routing, and built-in electronic signature capabilities that eliminate the manual coordination normally required to write, review, approve, and distribute controlled documents. The 60+ applications in the Cloudtheapp Store include dedicated modules for document control, CAPA, and risk management that are already configured to the ISO 13485 process structure, which shortens development time considerably.

Phase 3: Implementation and records generation (8 to 12 weeks)

Once documentation exists, the organization needs to actually run its quality system long enough to generate the records an auditor will review. This is a critical timeline driver that many companies underestimate. An auditor conducting a Stage 2 certification audit expects to see evidence that the QMS has been operating, not just documented.

At minimum, the auditor will look for completed internal audits covering the full scope of the QMS, at least one management review with documented inputs and outputs, active CAPA records showing how the organization identifies and responds to quality problems, and training records showing that employees have been trained to the procedures they are expected to follow.

Most certification bodies recommend running the QMS for a minimum of three months before the Stage 2 audit. This does not mean three months of perfect compliance. It means three months of documented activity, including records of issues found and addressed. Auditors are more comfortable with a company that identified nonconformances and corrected them than with a company whose records show no quality problems whatsoever.

Phase 4: Stage 1 audit (1 to 2 weeks)

The Stage 1 audit is a document review and readiness assessment conducted by the certification body before the full audit. The auditor reviews your quality manual, key procedures, and the overall structure of your QMS to determine whether you are ready for the Stage 2 audit.

Stage 1 findings typically take the form of observations or minor nonconformances rather than major findings that stop the certification process. Companies that complete a thorough gap analysis and follow through on all remediation tasks before Stage 1 rarely receive findings that require more than two to four weeks of correction. The Stage 1 report also gives you specific guidance on what the Stage 2 auditor will focus on, which is useful for preparation.

The gap between Stage 1 and Stage 2 is typically four to eight weeks, depending on the certification body’s scheduling and the number of Stage 1 findings that need to be addressed.

Phase 5: Stage 2 audit (2 to 5 days on-site)

The Stage 2 audit is the certification audit. The auditor visits your facility (or conducts a remote audit for specific scope elements), reviews your records, interviews employees, and assesses whether your quality system is both documented and effective in practice.

Minor nonconformances found during Stage 2 typically require a corrective action plan submitted within 30 to 60 days of the audit. Major nonconformances can delay certification until the root cause is resolved and the correction verified. Most organizations that complete Phase 1 through Phase 3 thoroughly receive only minor findings at Stage 2.

After the Stage 2 audit, the certification body’s technical review committee assesses the auditor’s report. Certificate issuance typically follows within two to four weeks of the audit.

What extends the timeline

Several factors reliably push ISO 13485 certifications past their original target dates.

Design controls complexity is the most common. Companies with active product development pipelines face the challenge of documenting design control procedures that satisfy ISO 13485 Clause 7.3 while managing ongoing design activities. Design history files, design input and output documentation, and design verification and validation records all need to be in order before a Stage 2 audit.

Supplier qualification depth is the second most common delay factor. ISO 13485 Clause 7.4 requires a defined process for evaluating and re-evaluating suppliers based on their ability to meet specified requirements. Companies with large or complex supply chains sometimes discover during gap analysis that their supplier files are incomplete and need significant work before an audit.

Management availability for approvals and the management review is a recurring bottleneck in smaller companies where senior leaders wear multiple hats. The management review procedure, the quality policy approval, and key procedure sign-offs all require executive involvement, and those activities tend to get scheduled around other priorities until they create a timeline problem.

What compresses the timeline

Using a pre-validated, ISO 13485-aligned eQMS from the start of the project removes the validation work from the certification project itself. Cloudtheapp provides a complete validation package with each platform release, which means the system is ready for use in your quality system from Day 1 without a separate computer system validation project running in parallel.

Working with a certification body early also compresses the timeline. Certification body schedules are often booked three to four months in advance. Selecting your certification body and booking the Stage 1 audit date during Phase 2 of documentation development ensures the audit schedule aligns with your readiness rather than creating a delay at the end of the project.

Prior ISO 9001 certification, while not equivalent to ISO 13485, provides a quality management foundation that reduces the documentation development effort. Companies with ISO 9001 typically find that Sections 4, 5, 6, 7.1, and 8 of ISO 13485 require modest adaptation rather than complete development.

Maintenance after certification

ISO 13485 certification requires ongoing surveillance audits. Certification bodies conduct annual surveillance audits in years one and two after initial certification, with a full re-certification audit in year three. Surveillance audits typically take one to two days and focus on a rotating set of QMS elements rather than a comprehensive review of everything.

The quality system needs to stay active between audits. Management reviews, internal audit findings, CAPA records, and training records all need to continue accumulating at planned intervals. A quality system that operates well enough to achieve certification but then goes quiet until the next audit will fail its first surveillance audit.

Starting your ISO 13485 certification project

Cloudtheapp supports medical device companies at every stage of the ISO 13485 certification process, from initial gap analysis through ongoing surveillance audit maintenance. The platform’s document control, CAPA, internal audit, training management, and supplier qualification modules are aligned to ISO 13485 requirements, and the pre-validated compliance package means your eQMS does not add to your certification project scope.

To see how Cloudtheapp accelerates ISO 13485 certification for medical device companies at your stage of development, request a demo with a quality systems specialist.

]]>

Please complete the form to access the Case Study

Please complete the form to access the Case Study

You will receive the webinar link via email once your request has been approved

Sign Up for Cloudtheapp

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study