ISO Compliance Matrix
Complete mapping of NUP practices to ISO 13485 and ISO 27001 requirements
NUP is a Quality Management System (QMS) for software development whose practices are designed to cover, and go beyond, the ISO 13485 and ISO 27001 requirements that apply to the SDLC. This matrix provides traceability from each regulatory requirement to the NUP practice that addresses it. Note the scope: the matrix covers the clauses and controls that bear on software development. Certification against either standard also requires organisation-level elements that sit outside an SDLC (for ISO 27001, the ISMS clauses 4 to 10 and a Statement of Applicability; for ISO 13485, management responsibility, risk management and the medical device file), so treat this mapping as the SDLC portion of the evidence rather than the whole of it.
NUP was designed from the ground up to fulfil and extend the requirements of the following frameworks:
| Framework | Relationship | NUP advantage |
|---|---|---|
| ISO 13485:2016 | NUP maps to all applicable clauses | Adds modern agile practices while maintaining compliance |
| ISO 27001:2022 | NUP maps to the Annex A controls that apply to the SDLC | Integrates security throughout the development lifecycle |
| FDA 21 CFR Part 820 (QSR) | NUP addresses the design control requirements of 820.30 | Provides audit-ready templates and traceability |
| HIPAA | NUP security controls address the Security Rule technical safeguards (45 CFR 164.312) | Includes PHI handling guidance |
Clause numbers below follow ISO 13485:2016. The 2016 edition renumbered several subclauses relative to ISO 13485:2003 (software validation moved to 4.1.6, document and record control to 4.2.4 and 4.2.5, the design-control subclauses shifted by one, identification and traceability became 7.5.8 and 7.5.9, and monitoring and measurement of product became 8.2.6), so confirm which edition an auditor is working from before quoting a clause.

ISO 13485:2016 clause 4, Quality management system:

| Clause | Requirement | NUP coverage | Reference |
|---|---|---|---|
| 4.1 | QMS general requirements | NUP defines processes, documentation, and controls across the SDLC | Core Concepts |
| 4.1.6 | Validation of software used in the QMS | This clause applies to the toolchain (CI/CD, issue tracking, test automation), not to the product itself; code reviews and automated testing supply the evidence that those tools perform as intended | Code Reviews, Automated Testing |
| 4.2 | Documentation requirements | Templates, artifacts, and version-controlled documentation | Templates, Guidelines |
| 4.2.4 | Control of documents | Version control and merge strategies manage document revisions | Practices |
| 4.2.5 | Control of records | PR descriptions, comments, and approvals create auditable records | Code Reviews |

ISO 13485:2016 clause 5, Management responsibility:

| Clause | Requirement | NUP coverage | Reference |
|---|---|---|---|
| 5.4.2 | QMS planning | Six-phase lifecycle with defined phases, milestones, and deliverables | Core Concepts |
| 5.5.1 | Responsibility and authority | 46+ defined roles with responsibilities and competencies | Roles |
| 5.6 | Management review | Retrospectives, metrics, and continuous improvement practices | Agile Development |

ISO 13485:2016 clause 6, Resource management:

| Clause | Requirement | NUP coverage | Reference |
|---|---|---|---|
| 6.2 | Human resources | Defined roles with responsibilities, skills, and competencies | Roles |
| 6.3 | Infrastructure | Tool recommendations and infrastructure practices | Tools, CI/CD & DevOps |
| 6.4 | Work environment | Team agreements and collaboration practices | Agile Development |

ISO 13485:2016 clause 7, Product realization:

| Clause | Requirement | NUP coverage | Reference |
|---|---|---|---|
| 7.1 | Planning of product realization | Iterative planning with phases, disciplines, and quality gates | Core Concepts |
| 7.2 | Customer-related processes | Requirements management and stakeholder engagement | Templates |
| 7.3 | Design and development | Complete design controls with inputs, outputs, reviews, verification and validation | Design |
| 7.3.3 | Design and development inputs | Requirements templates and traceability | Templates |
| 7.3.4 | Design and development outputs | Architecture decisions and design documents | Design |
| 7.3.5 | Design and development review | Design reviews with documented outcomes | Design |
| 7.3.6 | Design and development verification | Code reviews and automated testing | Code Reviews, Automated Testing |
| 7.3.7 | Design and development validation | End-to-end testing and user acceptance | Automated Testing |
| 7.3.9 | Control of design and development changes | PR workflow controls all changes with review and approval gates | Code Reviews |
| 7.4 | Purchasing | Third-party resource evaluation | Third-Party Resources |
| 7.5 | Production and service provision | CI/CD, deployment controls, and operational procedures | CI/CD & DevOps |
| 7.5.8, 7.5.9 | Identification and traceability | Conventional commits and issue linking enable full traceability | Code Reviews |

ISO 13485:2016 clause 8, Measurement, analysis and improvement:

| Clause | Requirement | NUP coverage | Reference |
|---|---|---|---|
| 8.2 | Monitoring and measurement | Observability, metrics, automated testing, and reviews | Observability |
| 8.2.6 | Monitoring and measurement of product | Automated testing and quality gates | Automated Testing |
| 8.3 | Control of nonconforming product | Defect tracking and remediation processes | Checklists |
| 8.4 | Analysis of data | Metrics, dashboards, and data-driven improvement | Observability |
| 8.5 | Improvement | Retrospectives and continuous improvement practices | Agile Development |
| 8.5.2 | Corrective action | PR feedback loop addresses defects before production | Code Reviews |
| 8.5.3 | Preventive action | Security scanning and proactive quality measures | Security |

ISO 27001:2022 Annex A.5, Organizational controls:

| Control | Requirement | NUP coverage | Reference |
|---|---|---|---|
| A.5.1 | Policies for information security | Guidelines and security practices establish the policy framework | Guidelines, Security |
| A.5.2 | Information security roles and responsibilities | Security Advisor, Security Tester, and compliance roles defined | Roles |
| A.5.8 | Information security in project management | Security integrated into all phases and disciplines | Security |
| A.5.15 | Access control | Access management practices and controls | Security |
| A.5.23 | Information security for use of cloud services | Cloud security practices | Practices |

ISO 27001:2022 Annex A.8, Technological controls:

| Control | Requirement | NUP coverage | Reference |
|---|---|---|---|
| A.8.4 | Access to source code | PR process restricts direct commits; changes require approval | Code Reviews |
| A.8.9 | Configuration management | Merge strategies and version control maintain configuration integrity | CI/CD & DevOps |
| A.8.25 | Secure development life cycle | Security embedded in design, development, testing, and deployment | Security |
| A.8.26 | Application security requirements | Security requirements captured in templates and checklists | Checklists |
| A.8.27 | Secure system architecture and engineering principles | Architecture practices include threat modeling and secure design | Design, Security |
| A.8.28 | Secure coding | Code reviews with security checklists and OWASP alignment | Code Reviews |
| A.8.29 | Security testing in development and acceptance | Automated security testing in CI/CD pipelines | Automated Testing, Security |
| A.8.31 | Separation of development, test and production environments | Infrastructure as code and environment management | CI/CD & DevOps |
| A.8.32 | Change management | Version control, code reviews, and deployment controls | Code Reviews, CI/CD & DevOps |

The reverse view, showing which ISO requirements each NUP section maps to:

| NUP section | ISO 13485:2016 clauses | ISO 27001:2022 controls |
|---|---|---|
| Core Concepts | 4.1, 5.4.2, 7.1 | - |
| Roles | 5.5.1, 6.2 | A.5.2 |
| Agile Development | 5.6, 6.4, 8.5 | - |
| Code Reviews | 4.1.6, 4.2.5, 7.3.6, 7.3.7, 7.3.9, 7.5.8, 7.5.9, 8.5.2 | A.8.4, A.8.28, A.8.32 |
| Automated Testing | 4.1.6, 7.3.6, 7.3.7, 8.2.6 | A.8.29 |
| Design | 7.3, 7.3.3, 7.3.4, 7.3.5 | A.8.27 |
| Observability | 8.2, 8.4 | - |
| CI/CD & DevOps | 6.3, 7.5 | A.8.9, A.8.31, A.8.32 |
| Security | 8.5.3 | A.5.1, A.5.8, A.5.15, A.8.25, A.8.27, A.8.29 |
| Guidelines | 4.2 | A.5.1 |
| Checklists | 8.3 | A.8.26 |
| Templates | 4.2, 7.2, 7.3.3 | - |
| Practices | 4.2.4 | A.5.23 |
| Tools | 6.3 | - |
| Third-Party Resources | 7.4 | - |
| Examples | - | - |
ISO 13485 audit readiness:

- Process documentation: all SDLC processes are documented in the NUP sections.
- Design controls: design review, verification, and validation procedures are defined in Design and Automated Testing.
- Traceability: requirements-to-code-to-test traceability through templates and version control.
- Records: all reviews, approvals, and changes are retained with the version control system. Note that PR comments and approvals live in the hosting platform rather than in git history itself, so their retention period and export for audits need to be arranged explicitly.

ISO 27001 audit readiness:

- Security integration: security practices are embedded throughout the SDLC.
- Access control: required code review before merge means no change reaches a release branch without a recorded approval.
- Change management: every change goes through the documented PR process.
- Security testing: automated security scanning runs in the CI/CD pipelines.
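An auditor will ask for evidence behind the traceability, change management and access control rows above, not just the mapping. The following script is an added example (not NUP's own tooling) that turns git history into that evidence: it parses `git log` output and checks each commit for a Conventional Commits subject, an issue or requirement reference, and a reviewer trailer, then builds a requirement-to-commit matrix. The trailer convention (`Reviewed-by` / `Signed-off-by`), the `REQ-nn` requirement ID format and the three sample commits are assumptions made for the example.

```python
"""Traceability and change-control evidence from git history.

Added example, not NUP's own tooling. Reads `git log` output produced with
the format below and checks each commit for the three properties the
compliance matrix relies on: a Conventional Commits subject, an issue or
requirement reference, and a reviewer trailer. The trailer convention is an
assumption; adapt it to what your merge process actually writes into commits.

    git log --no-merges --format='%H%n%s%n%b%x00' origin/main
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Conventional Commits: type(optional scope)!: description
CONVENTIONAL = re.compile(
    r"^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)"
    r"(\([\w./-]+\))?!?: \S.*$"
)
# "#123" (GitHub/GitLab issue) or "REQ-42" (assumed requirement ID style)
ISSUE_REF = re.compile(r"(?:#|\b[A-Z][A-Z0-9]+-)\d+")
# Reviewer trailers; assumed convention, see module docstring
TRAILER = re.compile(r"^(?:Reviewed-by|Signed-off-by): .+$", re.M)


@dataclass
class Commit:
    sha: str
    subject: str
    body: str


def parse_log(text: str) -> list[Commit]:
    """Split NUL-separated `git log` records into Commit objects."""
    commits = []
    for chunk in text.split("\x00"):
        chunk = chunk.strip("\n")
        if not chunk:
            continue
        lines = chunk.split("\n")
        sha = lines[0]
        subject = lines[1] if len(lines) > 1 else ""
        body = "\n".join(lines[2:])
        commits.append(Commit(sha, subject, body))
    return commits


def audit_commit(c: Commit) -> list[str]:
    """Return the control gaps for one commit (empty list = compliant)."""
    findings = []
    if not CONVENTIONAL.match(c.subject):
        findings.append("subject does not follow Conventional Commits")
    if not ISSUE_REF.search(c.subject + "\n" + c.body):
        findings.append("no issue or requirement reference")
    if not TRAILER.search(c.body):
        findings.append("no reviewer trailer (Reviewed-by/Signed-off-by)")
    return findings


def audit_log(text: str) -> dict[str, list[str]]:
    """Map every commit SHA in the log to its findings."""
    return {c.sha: audit_commit(c) for c in parse_log(text)}


def traceability_matrix(commits: list[Commit]) -> dict[str, list[str]]:
    """Map each referenced issue/requirement to the short SHAs that cite it."""
    matrix: dict[str, list[str]] = {}
    for c in commits:
        for ref in ISSUE_REF.findall(c.subject + "\n" + c.body):
            short = c.sha[:7]
            if short not in matrix.setdefault(ref, []):
                matrix[ref].append(short)
    return matrix


# Constructed sample log (three fictitious commits) so the script runs offline.
SAMPLE_LOG = (
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678\n"
    "feat(auth): enforce MFA on admin login\n"
    "Implements REQ-42.\n"
    "Refs: #42\n"
    "Reviewed-by: Security Advisor <sec@example.com>\n"
    "\x00"
    "b2c3d4e5f60718293a4b5c6d7e8f90123456789a\n"
    "fix typo in readme\n"
    "\n"
    "\x00"
    "c3d4e5f60718293a4b5c6d7e8f90123456789ab1\n"
    "fix(api): reject oversized upload bodies (#57)\n"
    "Reviewed-by: Alice <alice@example.com>\n"
    "\x00"
)

if __name__ == "__main__":
    for sha, findings in audit_log(SAMPLE_LOG).items():
        print(sha[:7], "OK" if not findings else "; ".join(findings))
    for ref, shas in traceability_matrix(parse_log(SAMPLE_LOG)).items():
        print(ref, "->", ", ".join(shas))
```

Run it against the squash-merged main branch so each commit corresponds to one reviewed PR; merge commits are excluded by `--no-merges`. The subject and reference checks produce the 7.5.8/7.5.9 and A.8.32 evidence, and the trailer check the 7.3.9/A.8.4 evidence. If your merge process does not write reviewer trailers into commits, replace the `TRAILER` check with a lookup of the PR's approvals in the hosting platform, since that is where the approval record actually lives.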