How to Prepare for an ISO 13485 Stage 1 Audit

What the Stage 1 Audit Actually Is (and What It Is Not)

Before you start pulling together documents and briefing your team, it helps to understand exactly what the Stage 1 audit is designed to do. A lot of businesses treat it like a mini version of the full certification audit, and that misunderstanding causes unnecessary stress and wasted preparation effort.

The Stage 1 audit for ISO 13485 is a documentation and readiness review. Your auditor is not there to certify you. They are there to confirm that your Quality Management System is sufficiently developed and documented to proceed to the Stage 2 certification audit. Think of it as a checkpoint, not the finish line.

For ISO 13485 specifically, the stakes are higher than they are for a general quality standard like ISO 9001. ISO 13485 governs quality management systems for medical device manufacturers and related organisations. Regulators, hospitals, procurement teams, and international distributors all rely on it as evidence that your processes meet the rigorous demands of the medical device industry. A poorly prepared Stage 1 audit does not just delay your certificate. It can signal to your certification body that your system is not ready, which can affect audit scheduling, costs, and the confidence your auditor carries into Stage 2.

So let us walk through exactly what you need to have in place, what auditors are actually looking for, and where most organisations fall short.

Understanding the ISO 13485 Framework Before Your Audit

ISO 13485 is structured around the concept of a documented quality management system that controls the design, manufacture, and post-market activities of medical devices. It shares some structural similarities with ISO 9001, but the requirements are considerably more prescriptive, particularly around documentation, risk management, and regulatory compliance.

Before your Stage 1 audit, your auditor will want to see evidence that your organisation understands these key areas of the standard:

• The scope of your QMS and the medical device products or services it covers
• Your documented procedures and how they map to the standard's requirements
• Your risk management approach, typically aligned with ISO 14971
• Your regulatory requirements and how you have identified and addressed them
• Your management commitment and quality policy
• Your internal audit programme and whether it has been initiated
• Your corrective and preventive action processes

The auditor is not expecting perfection at Stage 1. They are expecting evidence of a functioning system that is ready to be tested in practice at Stage 2. The distinction matters because many businesses over-invest in cosmetic preparation and under-invest in the substance of their system.

The Documentation Your Auditor Will Review

Documentation is the backbone of any ISO 13485 audit. The standard requires a specific set of documented procedures and records, and your Stage 1 auditor will check whether these exist, whether they are controlled properly, and whether they reflect how your business actually operates.

Mandatory Documented Procedures

ISO 13485 requires documented procedures in several areas that go beyond what other management system standards demand. You need documented procedures for:

• Document control (Clause 4.2.4)
• Record control (Clause 4.2.5)
• Internal audits (Clause 8.2.4)
• Corrective action (Clause 8.5.2)
• Preventive action (Clause 8.5.3)
• Feedback and complaint handling (Clause 8.2.1 and 8.2.2)
• Advisory notices and reporting to regulatory authorities (Clause 8.3.3 and 8.3.4)

These are non-negotiable. If any of these are missing or clearly incomplete at Stage 1, your auditor will raise a concern that could delay your Stage 2 audit. Understanding how to manage controlled documents is essential preparation for this part of the audit.

The Quality Manual

ISO 13485 still requires a quality manual, unlike the 2015 revision of ISO 9001 which made it optional. Your quality manual needs to describe the scope of your QMS, any exclusions and the justification for them, the documented procedures or references to them, and a description of the interaction between your processes.

At Stage 1, your auditor will read this document carefully. It sets the frame for everything else. If your quality manual describes a business that does not match the one your auditor is reviewing, that is a problem.

Scope Statement and Regulatory Coverage

Your scope statement needs to clearly identify the products and services covered by your QMS, the applicable regulatory requirements, and any justified exclusions from the standard. This is particularly important for medical device organisations because your scope directly affects which regulatory frameworks apply, whether that is the Australian Therapeutic Goods Administration, the US FDA, the EU MDR, or other jurisdictions.

Be specific. A vague scope like “manufacture of medical devices” will prompt questions. A well-defined scope like “design, manufacture, and distribution of Class IIa diagnostic imaging accessories” tells your auditor exactly what they are assessing.

Risk Management: The Area Most Organisations Underestimate

If there is one area where Stage 1 preparation tends to fall short in ISO 13485 audits, it is risk management. The standard requires that risk management be applied throughout the product lifecycle, and it expects you to reference ISO 14971 as the framework for managing risks associated with medical devices.

At Stage 1, your auditor will want to see that you have a documented risk management procedure, that it references ISO 14971, and that you have begun applying it to your products or processes. You do not need completed risk files for every product at Stage 1, but you do need to demonstrate that the framework exists and is being used.

Common gaps include organisations that have a risk register for business risks but nothing specific to product safety, or businesses that have copied a generic risk management procedure without tailoring it to their device types. Auditors with medical device experience will spot this immediately.

If your organisation is also pursuing or maintaining other certifications, understanding how risk management integrates across your systems can save significant effort. The principles discussed in ISO 31000 for risk management provide a useful foundation, though ISO 14971 remains the specific requirement for medical device risk.

Regulatory Requirements: Know Your Obligations Before the Auditor Asks

One of the defining characteristics of ISO 13485 compared to other management system standards is its explicit focus on regulatory requirements. Clause 4.1 requires your organisation to document the regulatory requirements applicable to your quality management activities, and your auditor will test whether you have done this properly.

In Australia, this means understanding your obligations under the Therapeutic Goods Act 1989 and the requirements of the Therapeutic Goods Administration for medical device manufacturers. If you supply into other markets, you need to identify and document those requirements too.

Prepare a regulatory requirements register or matrix that maps each applicable regulation to the relevant clauses of your QMS. This does not need to be a complex document, but it does need to be current, specific, and owned by someone in your organisation.

Your auditor will ask who is responsible for monitoring regulatory changes and how your QMS is updated when requirements change. Have a clear answer ready, and make sure the person responsible actually understands their role.

Internal Audits: You Need Evidence They Have Started

Many organisations arrive at their Stage 1 audit with a beautifully written internal audit procedure but zero evidence that any internal audits have actually been conducted. This is a significant gap.

Your certification body wants to see that your QMS is operational, not just documented. Conducting at least one full cycle of internal audits before your Stage 1 audit demonstrates that your system is live, that staff understand their responsibilities, and that your organisation is capable of identifying and addressing nonconformities.

If you have not run internal audits yet, prioritise them immediately. Focus on the high-risk areas of your QMS first: document control, complaint handling, corrective action, and any processes directly related to product safety. Learning how to run internal audits that actually find problems will serve you well both before and after certification.

Keep your audit records. Your auditor will want to see the audit schedule, the audit reports, any nonconformities raised, and evidence of corrective actions taken or in progress.

Management Review: Demonstrate Leadership Engagement

ISO 13485 requires top management to conduct reviews of the QMS at planned intervals. Before your Stage 1 audit, you should have conducted at least one management review and documented it properly.

The management review record needs to show that leadership has reviewed inputs including audit results, customer feedback, regulatory changes, process performance, and corrective actions. It also needs to show outputs including decisions and actions taken as a result of the review.

A one-page meeting note that says “QMS reviewed, all good” will not satisfy your auditor. The record needs to demonstrate genuine engagement with the data and clear decisions made by leadership. If your management team is not engaged with the QMS at this stage, that is a problem you need to address before the audit, not after.

Preparing Your Team for the Stage 1 Audit

Your auditor will speak with people across your organisation during the Stage 1 audit. They will ask staff about their roles, their understanding of quality procedures, and how they handle specific situations. The answers your team gives matter.

Brief Key Personnel

Before the audit, brief every person who is likely to be interviewed. This does not mean coaching them to give scripted answers. It means making sure they understand the purpose of the audit, know where to find relevant procedures, and can speak honestly about their work. Auditors are experienced at spotting coached responses, and an overly rehearsed team can actually raise more questions than a team that speaks naturally.

Assign a Management Representative

ISO 13485 requires you to designate a management representative with specific responsibilities for the QMS. This person needs to be clearly identified, genuinely knowledgeable about the system, and available throughout the audit. If your management representative is the person who built the QMS but is not a day-to-day leader in your organisation, make sure they are present and prepared to answer detailed questions.

Prepare Your Facility

If your Stage 1 audit includes a site visit, make sure your facility reflects your documented procedures. If your document control procedure says all controlled documents are stored in a specific location, they should be. If your training records procedure says records are maintained in a particular format, they should be. Inconsistencies between your documents and your actual practices are one of the most common findings at Stage 1.

Common Stage 1 Findings in ISO 13485 Audits

Based on practical experience across medical device audits, the following gaps appear repeatedly at Stage 1:

• Scope statements that are too vague or do not align with the products being reviewed
• Quality manuals that reference procedures which do not exist or are not controlled
• Risk management procedures that are generic and not tailored to medical device requirements
• No evidence of internal audits having been conducted
• Regulatory requirements not documented or assigned to a responsible person
• Complaint handling procedures that do not address regulatory reporting obligations
• Training records that are incomplete or not linked to specific competency requirements
• Management review records that are superficial or missing entirely

Working through this list before your audit and addressing each gap honestly will put you in a much stronger position. You do not need to be perfect, but you do need to be credible.

Choosing the Right Certification Body for ISO 13485

The certification body you choose for ISO 13485 matters more than it does for some other standards. Medical device certification requires auditors with genuine industry experience. An auditor who primarily audits food businesses or IT companies will not bring the same depth of understanding to a medical device QMS review.

When selecting your certification body, ask specifically about the auditor's experience in the medical device sector, their familiarity with relevant regulatory frameworks like the TGA or EU MDR, and whether they have experience auditing organisations of your size and product type. Understanding how to select the best ISO certification body will help you ask the right questions before you commit.

Also confirm that your certification body is accredited by a recognised accreditation body. In Australia, that means accreditation through JAS-ANZ or an IAF mutual recognition arrangement partner. An accredited certificate carries weight with regulators and customers. An unaccredited one does not.

What Happens After Stage 1

After your Stage 1 audit, your certification body will issue a Stage 1 audit report. This report will identify any areas where your QMS does not meet the requirements of ISO 13485, and it will confirm whether you are ready to proceed to Stage 2.

If there are findings, you will typically have an agreed timeframe to address them before Stage 2 is scheduled. Take these findings seriously. They are not bureaucratic hurdles. They are genuine gaps in your system that, if left unaddressed, will become major nonconformities at Stage 2 or, worse, real quality failures in your medical device processes.

Use the period between Stage 1 and Stage 2 to close out every finding, conduct additional internal audits if needed, and make sure your team is ready for the deeper operational review that Stage 2 involves. If you want to understand what that deeper review looks like, reviewing what to do before an ISO Stage 2 certification audit is a practical next step.

Getting Expert Help Without Wasting Money

ISO 13485 is not a standard you want to approach without some level of expert guidance, particularly if this is your first time through the certification process. The regulatory complexity, the documentation requirements, and the medical device-specific risk management obligations make it more demanding than most other management system standards.

A good ISO consultant with genuine medical device experience can help you identify gaps in your system, prepare your documentation correctly, and coach your team through the audit process. The key word is genuine. There are consultants who will sell you a generic template pack and call it a QMS. That approach will not get you through a rigorous Stage 1 audit with a credible certification body.

If you are looking for vetted ISO consultants and certification bodies with specific ISO 13485 experience, CertBetter makes it straightforward. You submit one form describing your business and certification needs, and you receive up to three competing quotes from verified providers. The service is completely free for businesses, and it removes the guesswork from finding someone who actually knows the medical device sector.