ISO 9001

ISO 9001 is a Quality Management System (QMS) standard. This page describes how the standard maps to Medplum's processes. You can read more about ISO 9001 on Wikipedia. The standard follows the plan-do-check-act (PDCA) methodology.

Because Medplum is open source, a large number of the resources and practices are visible in our repositories or on our documentation pages.

Standards Mapping

The materials below map Medplum's processes to existing ISO 9001 standards.

| Number | ISO Clause | Requirement | In Practice |
| --- | --- | --- | --- |
| 1 | 5.2 Customer focus | Ensure that customer requirements are met with the aim of enhancing customer satisfaction | Product backlog creation and grooming |
| 2 | 5.5.1 Responsibility and Authority | Defined responsibilities and authorities | Distinct roles in the scrum team - product owner, scrum master and scrum team RACI |
| 3 | 5.5.3 Internal communication | Ensure that appropriate communication processes are established | Regular standup meeting, product backlog grooming, sprint review, sprint retrospective |
| 4 | 7.1 Planning of product realization | Planning and development of product | Product backlog creation, sprint planning, sprint backlog creation and user stories |
| 5 | 7.2.1 Determination of requirements | Ensure Requirements are captured properly | Issues stories with acceptance criteria |
| 6 | 7.2.2 Review of Requirements | Ensure that review of requirements is done | Triage, architectural and business review of issues before acceptance |
| 7 | 7.2.3 Customer Communication | Customer communication regarding requirements, bugs etc | Regular standup meeting and triage |
| 8 | 7.3.1 Design and development planning | Plan and control the design and development of product | Sprint planning |
| 9 | 7.3.2 Design and development inputs | Inputs relating to product requirements shall be determined and records should be maintained | Github issues filed by developers, with feedback and acceptance criteria |
| 10 | 7.3.3 Design and development inputs | Outputs of design and development shall be in a form suitable for verification against the design and development input shall be approved prior to release | Pull requests require review, sprint review |
| 11 | 7.3.4 Design and development review | At suitable stages, systematic reviews of design and development shall be performed in accordance with planned arrangements | Sprint retrospectives, quarterly security and compliance review, annual SOC 2 review |
| 12 | 7.3.5 Design and development verification | Verification shall be performed in accordance with planned arrangements to ensure that the design and development outputs have met the design and development input requirements | Testing, automated code scanning tools, linting tools, automated tools like Inferno |
| 13 | 7.3.7 Control of design and development changes | Design and development changes should be defined and records and logs should always be maintained | Issue tracking, backlog grooming and sprint review |
| 14 | 8.2.1 Customer satisfaction | Team should monitor information relating to customer perception as to whether they have met customer requirements | Customer submitted issue tracking, sprint review |
| 15 | 8.2.4 Monitoring and measurement of product | Team monitors and measures the characteristics of the built product to verify that the requirements have been met | Sprint review, stand up, sprint planning, system monitoring and logging |
| 16 | 8.3 Control of non-conforming product | Team should ensure that the product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery | Testing, backlog grooming and sprint review |
| 17 | 8.4 Analysis of data | Team should determine, collect and analyze appropriate data to demonstrate the suitability and effectiveness of the quality management system and evaluate where continual improvement of the effectiveness of the quality management system can be made | Quarterly security and compliance review, sprint retrospective |
| 18 | 8.5.2 Corrective action | Team should take action to eliminate the causes of nonconformities in order to prevent recurrence | Quarterly security and compliance review, incident root cause analysis, sprint retrospective |
| 19 | 8.5.3 Preventative action | Team should determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence | Quarterly security and compliance review, root cause analysis, sprint retrospective, product backlog grooming, static analysis tools in build |