
Outsourced Process Control Under ISO 9001: What You're Still Responsible For


Jared Clark

March 30, 2026

Citation hook: Under ISO 9001:2015, outsourcing a process does not transfer quality responsibility — the certified organization remains fully accountable for the conformity of outsourced processes, products, and services as explicitly stated in clause 8.4.

If you've ever assumed that handing a process off to a supplier, subcontractor, or third-party service provider also hands off your quality obligations — you're in good company. It's one of the most common and costly misunderstandings I encounter across my 200+ client engagements at Certify Consulting. And it's one that routinely triggers nonconformances during audits.

The reality under ISO 9001:2015 is unambiguous: outsourcing is a procurement decision, not a liability transfer. The moment you subcontract a process that affects the quality of your product or service, you become responsible for controlling it. The standard doesn't care whose logo is on the building where the work is done.

This article breaks down exactly what ISO 9001 requires for outsourced process control, how to build a control framework that satisfies auditors, and the specific documentation and oversight mechanisms you need in place before your next surveillance audit.


What ISO 9001:2015 Actually Says About Outsourced Processes

The governing clause is ISO 9001:2015, clause 8.4 — Control of Externally Provided Processes, Products and Services. It's worth reading carefully because its scope is broader than most practitioners realize.

Clause 8.4.1 opens with a flat requirement: the organization shall ensure that externally provided processes, products, and services conform to requirements. This applies in three scenarios:

  1. Products and services from external providers incorporated into your own products/services
  2. Products and services provided directly to your customer by external providers on your behalf
  3. A process (or part of a process) conducted by an external provider as a result of a decision by the organization

That third scenario — the full outsourcing of a process — is where most QMS gaps live. Examples include:

  • Outsourced calibration
  • Third-party warehousing and logistics
  • Contract manufacturing or assembly
  • Outsourced software testing or validation
  • Subcontracted installation or field services
  • External sterilization or finishing processes

Citation hook: ISO 9001:2015 clause 8.4.1 requires organizations to apply risk-based thinking when determining the type and extent of controls over external providers — meaning a one-size-fits-all supplier approval process is explicitly insufficient.


The Risk-Based Control Principle: Not All Outsourcing Is Equal

One of the hallmarks of ISO 9001:2015 versus its 2008 predecessor is the explicit integration of risk-based thinking (clause 6.1) into outsourced process control. Clause 8.4.1 states that the type and extent of controls shall be based on the effect the external provider can have on the organization's ability to consistently meet customer and regulatory requirements.

This means your control intensity should scale with the criticality of the outsourced process. Here's a practical way to think about it:

| Risk Level | Example Outsourced Process                   | Minimum Control Expectation                                        |
|------------|----------------------------------------------|--------------------------------------------------------------------|
| Low        | Office cleaning, catering                    | Basic supplier agreement, periodic review                          |
| Medium     | IT support, non-critical subassembly         | Approved supplier list, defined specs, performance monitoring      |
| High       | Contract manufacturing, calibration          | Documented procedures, incoming inspection, on-site audits         |
| Critical   | Regulatory-critical testing, sterilization   | Full process validation, real-time data access, embedded oversight |

A common audit finding I see is organizations applying "medium" controls to what are objectively "critical" outsourced processes — simply because the supplier relationship is comfortable and longstanding. Familiarity is not a control.


Clause 8.4.2: What Your Controls Must Actually Include

Once you've determined the risk level, clause 8.4.2 tells you what your controls must accomplish. Specifically, you must ensure that externally provided processes remain within the control of your QMS. The standard requires you to:

  • Define the controls you will apply to the external provider
  • Define the controls you intend to apply to the resulting output
  • Take into account the potential impact on the organization's ability to meet requirements
  • Consider the effectiveness of the controls applied by the external provider
  • Determine the verification or other activities necessary to ensure conformity

This is not a passive checklist. It requires active, documented, ongoing control — not a one-time supplier qualification event followed by years of silence.

Practical Control Mechanisms

Here are the mechanisms I recommend organizations implement, scaled to risk:

1. Defined Requirements Documentation

Before any outsourced process begins, your organization must communicate requirements clearly. This includes specifications, acceptance criteria, applicable regulatory requirements, and any customer-specific requirements (CSRs). Vague purchase orders are not a control.

2. Approved Supplier List (ASL)

Maintain a current, documented list of approved external providers. Qualification criteria should be defined and applied consistently. Re-evaluation periods should be risk-tiered — annual for critical suppliers, biennial for medium-risk.

3. Supplier Performance Monitoring

Track on-time delivery, defect rates, corrective action responsiveness, and audit findings. This data feeds your management review (clause 9.3) and supports evidence-based re-qualification decisions.

4. Incoming Inspection or Verification

Clause 8.6 requires that products and services are verified as meeting requirements before release. For outsourced processes, this may mean receiving inspection, certificates of conformance review, or first-article inspection protocols.

5. Supplier Audits

For high and critical-risk suppliers, periodic on-site or remote audits are best practice and, in some regulated industries, a requirement. These audits should use a documented checklist tied to your QMS requirements and the supplier's process controls.

6. Contractual Controls

Your supplier agreements should explicitly state your quality requirements, right-to-audit clauses, notification of changes requirements, and consequence of nonconformance. A handshake deal or a generic purchase order is a liability.


Clause 8.4.3: What You Must Communicate to External Providers

Clause 8.4.3 is the "say what you mean" clause. It requires that before you hand a process off, you communicate to the external provider:

  • The processes, products, and services to be provided
  • Requirements for approval of products, services, methods, processes, and equipment
  • Requirements for competence, including any required qualifications of personnel
  • The external provider's interactions with your organization's QMS
  • The controls your organization and its customers intend to apply
  • Performance and output requirements
  • Requirements for the external provider to notify you of changes

This last point is critical and frequently missed: your supplier must tell you when something changes. Process changes, personnel changes, sub-tier supplier changes, facility relocations — all of these can affect the conformity of the outsourced process, and your QMS must capture that information.

Citation hook: ISO 9001:2015 clause 8.4.3 explicitly requires organizations to communicate to external providers that they must notify the organization of changes that could affect the ability to meet specified requirements — making change notification a contractual and QMS obligation simultaneously.


The "Outsourcing" Note in ISO 9001: A Critical Clarification

The standard includes a note in clause 8.4.1 that is often overlooked: "Outsourced processes are considered to be within the scope of the organization's QMS."

This single sentence has enormous implications. It means:

  1. Outsourced processes must appear in your QMS scope documentation
  2. Your QMS must define how those processes are controlled
  3. Internal audits (clause 9.2) may need to extend into outsourced processes or verify their outputs
  4. Management review must consider performance data from those processes
  5. Nonconformances in outsourced processes are your nonconformances

I've reviewed dozens of QMS scopes that explicitly list outsourced processes as exclusions. Unless the process genuinely falls outside the scope of ISO 9001 (which is rare), this approach will generate a major nonconformance during certification or surveillance audits.


Based on 8+ years and 200+ client engagements, here are the outsourced process control failures I see most often:

| Finding Type                                      | Root Cause                                             | Clause       |
|---------------------------------------------------|--------------------------------------------------------|--------------|
| No defined criteria for supplier selection        | ASL exists, but qualification process is undocumented  | 8.4.1        |
| Supplier performance not tracked                  | Data collected but not analyzed or acted upon          | 8.4.1, 9.1.3 |
| Outsourced process excluded from QMS scope        | Misinterpretation of scope boundaries                  | 4.3, 8.4.1   |
| No incoming verification for outsourced outputs   | Assumed supplier QC is sufficient                      | 8.4.2, 8.6   |
| Supplier change notification not required         | Contracts don't include QMS change flow-down           | 8.4.3        |
| Sub-tier suppliers not evaluated                  | Only first-tier approved, but sub-tiers unmanaged      | 8.4.1        |

That last finding — sub-tier supplier control — is increasingly scrutinized by auditors. If your contract manufacturer sources critical components from sub-tier suppliers, and you have no visibility into those sub-tier relationships, you have a control gap. Several regulatory frameworks (FDA, IATF 16949, AS9100) have made this explicit. ISO 9001 leaves it to your risk assessment, but auditors will probe it.


Sub-Tier Supplier Visibility: The Emerging Control Frontier

As supply chains have become more complex and more global, the question of sub-tier supplier control has moved from "nice to have" to "audit focus." According to the Business Continuity Institute's Supply Chain Resilience Report, over 70% of supply chain disruptions originate below the first-tier supplier level — yet most organizations' control frameworks stop at tier one.

Under ISO 9001, you are not explicitly required to audit every sub-tier supplier. But you are required to ensure outsourced processes conform to requirements. If your first-tier supplier's ability to meet your requirements depends on their sub-tier suppliers, then by extension, you need some mechanism for assurance at that level. Options include:

  • Flow-down requirements: Require your first-tier supplier to impose your quality requirements on their own suppliers
  • Sub-tier disclosure requirements: Require first-tier suppliers to disclose and obtain approval for critical sub-tier sources
  • Third-party audit leveraging: Accept first-tier supplier's own audit results for sub-tier suppliers, subject to your review


Building an Outsourced Process Control Framework: A Practical Roadmap

Here is the implementation sequence I use with clients to build a compliant, audit-ready outsourced process control framework:

Step 1: Identify All Outsourced Processes

Map every process that affects product/service quality and determine whether it is performed internally or externally. Be honest — if a third party does it, it's outsourced, regardless of how embedded they feel in your operation.

Step 2: Classify by Risk

Apply your risk-based thinking framework. Use the impact on customer requirements and regulatory obligations as your primary axes. Document the classification rationale.

Step 3: Define Controls for Each Risk Level

Create tiered control requirements (as in the table above). These should be documented in your QMS — either in a supplier quality manual, supplier control procedure, or equivalent document.

Step 4: Qualify Suppliers Against Defined Criteria

Run every active external provider through your qualification criteria. Document the results. Add them to your ASL. Schedule re-evaluations.

Step 5: Execute and Document Agreements

Ensure contracts, purchase orders, or supplier quality agreements include all clause 8.4.3 communication requirements — especially change notification.

Step 6: Monitor, Measure, and Feed Management Review

Collect supplier performance data continuously. Analyze it at defined intervals. Feed findings into management review. Close the loop.

Step 7: Include in Internal Audit Schedule

Your internal audit program (clause 9.2) must include outsourced process verification. This may mean auditing the supplier directly, or auditing how your organization controls and verifies the supplier's output.


What Regulators and Sector-Specific Schemes Add on Top

ISO 9001 sets the baseline. Sector-specific schemes raise the bar significantly:

  • IATF 16949 (automotive): Requires customer-specific requirements to flow down through the supply chain, and mandates second-party supplier audits for high-risk external providers
  • AS9100 Rev D (aerospace): Requires "key characteristics" flow-down and mandatory first-article inspection for outsourced processes
  • FDA 21 CFR Part 820 / ISO 13485 (medical devices): Requires supplier controls commensurate with risk, incoming acceptance activities, and quality agreements with suppliers of critical services
  • GMP regulations (pharma/food): Require formal quality technical agreements with contract manufacturers and service providers

If your organization operates under any of these frameworks, your outsourced process controls must satisfy both ISO 9001 and the sector overlay. In my experience, organizations that build their controls to the stricter sector standard universally pass ISO 9001 audits without issue — the converse is not always true.


The Bottom Line: Outsourcing Is a Procurement Decision, Not a Quality Escape Hatch

The most important mindset shift I work to instill in every client: your certification is a statement about your QMS, and your QMS includes every outsourced process within your scope. When a customer receives a nonconforming product and traces it back to a contract manufacturer, they don't hold the contractor accountable — they hold you accountable.

ISO 9001:2015 was written with this reality in mind. The standard demands that you think like a quality owner, not a quality delegator.

According to the International Trade Administration, companies with robust supply chain quality management programs experience up to 50% fewer supplier-related quality escapes compared to those relying solely on incoming inspection. The investment in outsourced process control isn't a compliance burden — it's a business risk reduction strategy.

If you're unsure whether your current outsourced process controls would withstand a surveillance audit, a gap assessment against ISO 9001 clause 8.4 is the fastest way to find out. For organizations building supplier quality programs from scratch, our ISO 9001 implementation guide provides a step-by-step framework aligned with the requirements covered in this article.

At Certify Consulting, our 100% first-time audit pass rate is built, in part, on getting outsourced process controls right before the auditor arrives — not after.


Frequently Asked Questions: Outsourced Process Control Under ISO 9001

Does outsourcing a process remove it from my QMS scope?

No. ISO 9001:2015 clause 8.4.1 explicitly states that outsourced processes are within the scope of the organization's QMS. Outsourcing changes who performs the process, not who is responsible for its conformity.

What's the difference between a supplier and an outsourced process provider?

A supplier provides materials or components you incorporate into your product. An outsourced process provider performs a process that would otherwise be within your QMS — such as calibration, testing, or contract manufacturing. Both fall under clause 8.4, but outsourced process providers typically require more extensive controls because they are performing a step in your value chain.

Do I need to audit my suppliers to satisfy ISO 9001?

Not necessarily for all suppliers, but for high and critical-risk external providers, on-site or remote audits are strongly recommended and may be required depending on the risk assessment. The standard requires you to apply controls "based on the effect the external provider can have" — for critical processes, passive monitoring alone rarely satisfies this requirement.

What documentation does ISO 9001 require for outsourced process control?

At minimum: an approved supplier list with qualification criteria, documented control requirements per risk tier, evidence of supplier communication (purchase orders, quality agreements), performance monitoring records, and verification/inspection records for outsourced outputs. These support clauses 8.4.1, 8.4.2, and 8.4.3.

Can I use a supplier's ISO 9001 certification as my only control?

No. A supplier's ISO 9001 certificate is a useful input to your supplier qualification process, but it does not eliminate your obligation to define requirements, monitor performance, and verify outputs. Certificates confirm the supplier has a QMS — they do not guarantee the supplier will meet your specific requirements.


Last updated: 2026-03-30

Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the Principal Consultant at Certify Consulting, where he has guided 200+ organizations to ISO certification with a 100% first-time audit pass rate.
