00109 Cybersecurity in Medical Devices- Security Risk Management Documentation

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

  1. Security Risk Management Documentation

    To help demonstrate the safety and effectiveness of the device, manufacturers should provide the
    outputs of their security risk management processes in their premarket submissions, including
    their security risk management plan and security risk management report. A plan and report such
    as those described in AAMI TIR57,36 inclusive of the system threat modeling, SBOM and
    associated documentation, and unresolved anomaly assessment(s) described above, should be
    sufficient to support the security risk management process aspect of demonstrating a reasonable
    assurance of safety and effectiveness.37

    The security risk management report should:
    · summarize the risk evaluation methods and processes, detail the security risk assessment,
    and detail the risk mitigation activities undertaken as part of a manufacturer’s risk
    management processes; and
    · provide traceability between the security risks, controls and the testing reports that
    ensure the device is reasonably secure.