ISO 9001:2015, 8.4

Previous newsletter articles have described the ISO/DIS 9001:2015 planned requirements and changes for clause 4 (Context of the Organization), clause 5 (Leadership), clause 6 (Planning for the Quality Management System), and Clause 7 (Support).

Clause 8, Operation, has seven sub-clauses:

8.1 Operational Planning and Control
8.2 Determination of Requirements for Products and Services
8.3 Design and Development of Products and Services
8.4 Control of Externally Provided Products and Services
8.5 Production and Service Provision
8.6 Release of Products and Services
8.7 Control of Nonconforming Process Outputs, Products, and Services

This article is on 8.4 Control of Externally Provided Products and Services.

8.4.1 General


Ensure that externally provided processes, products, and services conform to specified requirements.

Apply the specified requirements for control of externally provided products and services when:

a) products and services are provided by external providers for incorporation into organization’s own products and services;

b) products and services are provided directly to the customer by external providers on behalf of the organization;

c) a process or part of a process is provided by an external provider as a result of a decision by organization to outsource a process or function.

Establish and apply criteria for evaluation, selection, monitoring of performance, and re-evaluation of external providers based on their ability to provide processes or products and services in accordance with specified requirements.

Retain appropriate documented information of:

  • results of the evaluations,
  • monitoring of the performance, and
  • re-evaluations of the external providers.


  • Replaces most of 7.4.1 on purchasing process
  • Moves control of outsourcing from old clause 4.1
  • External provider is outside scope of system:
    • purchasing from a supplier,
    • through arrangement with an associate company,
    • Through “outsourcing” of processes and functions,
    • or by any other means.
  • Adds monitoring of external provider “performance”
  • Adds keeping documented information on performance
  • See Annex A.8 on “Control of Externally Provided Products and Services”

8.4.2 Type and Extent of Control


In determining type and extent of controls to be applied to external provision of processes, products and services, organization must consider:

a) potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable legal requirements;

b) perceived effectiveness of the controls applied by the external provider.

Establish and implement verification or other activities necessary to ensure the externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

Processes or functions of organization which have been outsourced to an external provider remain within scope of organization’s quality management system; accordingly, the organization must consider a) and b) above and define both the controls it intends to apply to the external provider and those it intends to apply to the resulting process output.


  • Expands upon old clause 7.4.1 requirement on type and extent of control
  • Old 4.1 NOTE 3 now auditable as requirement
  • Includes verification from old clause 7.4.3 on verification of purchased product
  • Consider potential impact of externally provided processes, products, and services
  • Clarifies outsourced processes remain within scope
  • Requires outsourcing controls on both external provider and resulting process output

8.4.3 Information on External Providers


Communicate to external providers applicable requirements for the following:

a) products and services to be provided or the processes to be performed on behalf of the organization;

b) approval or release of products and services, methods, processes or equipment;

c) competence of personnel, including necessary qualification;

d) their interactions with the organization’s quality management system;

e) control and monitoring of the external provider’s performance to be applied by the organization;

f) verification activities that the organization, or its customer, intends to perform at the external provider’s premises.

Ensure the adequacy of specified requirements prior to their communication to external providers.


  • Includes requirements from clauses 7.4.2 and 7.4.3
  • Clarifies their requirements for interacting with your quality management system
  • Adds control and monitoring of external provider’s performance

Competence is defined in 3.10 as the ability to apply knowledge and skills to achieve intended results.

Demonstrated competence is sometimes referred to as qualification.