ISO 13485 certification pathway: what it really takes to get certified a step-by-step guide for medical device companies
Getting ISO 13485 certified sounds like a structured process.
In reality, most companies realise it’s not about following steps it’s about building a system that actually works.
What ISO 13485 certification actually means
Before going into the steps, it’s important to clarify one thing.
ISO 13485 certification does not prove that your system is perfect and supports the ways of working. It proves that your system is defined, controlled, and acceptable to an external auditor.
In practice, it means that your processes are documented, responsibilities are clear, risks are considered, and decisions are traceable.
‼️ But it does not mean that your system works well in everyday work and in practise.
That distinction becomes critical later.
QMS in real life vs. on paper
A QMS in real life needs to survive the messy reality of daily work urgent changes, human error, and shifting priorities.
The difference between QMS on paper vs. real life is often known as the “Implementation Gap.” Understanding this “gap” is the first step toward closing it and building a truly resilient organization.
To make this more concrete, the difference between a QMS “on paper” and in real life often looks like this:
| QMS on Paper | QMS in Real Life (The Practice) | |
|---|---|---|
| Focus | Compliance and Structure | Operational Behavior and Results |
| State | Static, ideal, organized | Dynamic, messy, reactive |
| Ownership | Quality Manager / Consultants | Everyone in the organization |
| Primary Goal | To get certified (checkbox) | To improve consistency, safety, and efficiency |
| Audit Experience | A showcase of documents | A reveal of daily work habits |
If your QMS only exists in documents, it doesn’t exist in practice. An organization where the QMS in real life matches the QMS on Paper has developed a true Quality Culture.
Step-by-step: the ISO 13485 certification pathway
Step 1: Define your scope and regulatory strategy
This is where everything starts.
Before building a quality management system, the company needs clarity on what it (QMS) is actually trying to support whether that is an existing product, a planned product, or a specific role in the medical device value chain.
This includes understanding the applicable regulations (such as EU MDR or FDA requirements) and the company’s role, whether as a manufacturer, legal manufacturer, subcontractor, or distributor.
Crucial mistake is starting to build a QMS before this is clear.
👉 In that case, the system is built without a clear purpose and that will show later.
Step 2: Build a QMS that reflects how you actually work
Many teams start with existing templates and pre-built processes, as it is often the easiest way to begin.
And templates are not the problem. The problem is what happens next.
Processes are copied, slightly modified, and approved without really asking whether they match how the company actually works.
This usually looks fine on paper until it’s tested, preferably in your internal audit rather than by the external auditor.
A working QMS should reflect how easy it is to follow in daily work how naturally it fits into everyday operations, and whether it’s something people actually use or something that gets bypassed.
👉 If it’s easy to ignore, it will be ignored.
If the QMS and daily work are not aligned, the gap will show.
Maybe not during certification but later, and you will notice it.
Step 3: Implement, not just document
This is where many certification pathways start to break down.
Having procedures and QMS is not enough.
You need to show that they are actually used.
In practice, this means that CAPAs are investigated and justified, changes are evaluated in a structured way, work follows defined processes, and responsibilities are clearly understood.
Auditors don’t just read documents they want to see records and how those documents have actually been put into practice in everyday work..
👉 And inconsistencies are easy to spot.
Step 4: Test and run your system before the audit
Before certification (and ideally already before full implementation), your system should have evidence across key processes: internal audits completed, management review conducted, CAPAs opened and closed, and records showing how decisions have been made over time.
If a process is not yet fully in use for example, if there is no customer feedback yet, it should still be run in practice.
This can be done through a simulated case, a mock process, or a dry run.
👉 The point is not whether the input is real, but whether the process actually works.
This is what creates traceability. Without it, everything looks theoretical and theoretical systems don’t hold up in audits.
Step 5: Prepare for audits
ISO 13485 certification is typically carried out in two stages.
Stage 1 focuses on structure and readiness.
The auditor reviews your documentation and identifies major gaps.
Stage 2 is where the real assessment happens.
The auditor follows records (note: they really want to see records!), interviews the team, and evaluates whether system actually works in practice.
This is where most findings come from.
👉 Good documentation might get you through Stage 1.
👉 Real implementation is what gets you through Stage 2.
Step 6: Address findings and move forward
Findings are part of the process what matters is how you handle them.
In most cases, you will receive minor nonconformities, observations, and suggestions for improvement.
What matters is not avoiding findings completely but how you respond to them.
Are root causes identified?
Are corrections meaningful?
Does the system actually improve?
But just as importantly:
Are the corrections actually implemented in daily work?
Are processes updated so the same issue does not repeat?
Does the team understand what has changed and why?
And are the changes made with the team, not just by quality?
👉 Findings only create value when they are turned into part of how the company actually works. Otherwise, they remain as documentation fixes.
This is already a signal of how QMS will perform in the long run.
What usually goes wrong
The biggest issue is rarely missing documentation. Documents are easy to generate or copy especially today, when AI can produce them almost like magic.
A QMS that works in real life does not happen by accident.
The gap between what is written and what is done usually comes from a few recurring patterns.
Why the gap exists:
- Certification is treated as the end goal → the system is built to pass an audit, not to support the work
- Processes become too complex → when SOPs are heavy and hard to follow, people will find ways around them
- Quality is not truly owned → if leadership ignores the processes, everyone else will too.
Final thought
ISO 13485 certification is often treated as a milestone.
It’s not.
👉 It’s the point where your system needs to show that it works not just in theory, but in real life.
Because in the end:
Certification shows that your system exists.
What matters is whether it actually works.
And while this article focuses on ISO 13485, the same applies to any quality management system regardless of the standard.
👉 A system that is not used in daily work will not hold up over time.
Need help with QMS and certification?
If your QMS looks good on paper but feels difficult to follow in practice that’s usually where we come in.
At Nometech Oy, we help teams turn their quality systems into something that actually works in everyday operations.
Want to know if your QMS really works?
Certification, re-certification, or surveillance audit coming up?
We provide internal audits to help you see where you really stand before the auditor does.
👉 It’s better to find the gaps yourself than have an auditor find them for you.
Lets talk: Contact us