
Outsourced Process Control Under ISO 9001: What You're Still Responsible For


Jared Clark

March 30, 2026

A manufacturer outsources component testing to a third-party lab. The lab misses a critical dimensional failure. Parts ship. The customer finds the defect. During the subsequent ISO 9001 surveillance audit, the quality manager points at the lab and says, "That's their mistake." The auditor writes a nonconformance — against the manufacturer, not the lab.

This scenario plays out constantly across industries, and it reflects a misunderstanding that causes real damage: the belief that outsourcing a process transfers your quality accountability along with the work. It does not. Under ISO 9001:2015, when you hand a process to an external party, you remain fully responsible for ensuring that process produces conforming results. The execution moves. The ownership stays.

This article unpacks exactly what that means — what ISO 9001 requires under Clause 8.4, how to determine the right level of control for each supplier, and what auditors will examine to verify your system is actually working.


What ISO 9001 Actually Says About Outsourced Processes

The primary clause governing outsourced processes in ISO 9001:2015 is Clause 8.4: Control of Externally Provided Processes, Products, and Services. It opens with a direct and unambiguous statement: the organization shall ensure that externally provided processes, products, and services conform to specified requirements.

Note the word "ensure." The standard does not say "request," "hope for," or "verify when convenient." It says ensure — a word that places active, ongoing responsibility on your organization.

Clause 8.4.1 goes further, stating explicitly that these controls apply when an external provider performs a process "as a result of a decision by the organization to outsource." That language matters. Choosing to outsource is a management decision, and ISO 9001 treats the consequences of that decision as yours to manage. The fact that someone else is doing the work does not diminish the requirement; it changes the method by which you fulfill it.

This principle is anchored in the broader QMS framework. Clause 4.1 requires you to understand your organization and its context, which includes recognizing that external parties can affect your ability to achieve intended results. Clause 4.2 requires you to identify the needs and expectations of interested parties — including customers who expect conforming products regardless of who made them. And Clause 6.1 requires you to address risks to conformity, which absolutely includes risks introduced by your supply chain.

Together, these clauses make the same point from several angles: your QMS boundary does not stop at your own walls.


What Counts as an Outsourced Process

Clause 8.4 covers three types of external provision, and distinguishing them helps you apply the right controls:

  1. Outsourced processes — functions that would otherwise be part of your QMS but are performed by an external party. Examples: a subcontractor who assembles sub-components to your specifications; a contract manufacturing organization that produces your product; a design firm that develops engineering drawings under your direction.
  2. Products — items you purchase and incorporate into your products or services. Examples: raw materials, purchased components, sub-assemblies.
  3. Services — activities performed by external parties that support your operations or delivery. Examples: calibration services, testing laboratories, IT support, logistics providers, legal review, translation services.

The line between "outsourced process" and "purchased service" can blur in practice. A calibration laboratory is performing a service, but it is also performing what would otherwise be an in-house quality function — and the results of that function directly affect your product conformity. A logistics company is providing a service, but if product is damaged in transit because the provider lacks adequate handling controls, the customer complaint lands on your desk, not theirs.

The practical rule: if an external party's output or activity can affect your ability to consistently deliver conforming products and services to customers, Clause 8.4 applies. Cast that net broadly.

Common Examples Across Industries

The range of outsourced processes that fall under Clause 8.4 is wider than many organizations initially recognize:

  • Manufacturing subcontractors performing machining, fabrication, welding, painting, or assembly to your specifications
  • Testing and inspection laboratories conducting product testing, dimensional inspection, or environmental testing
  • Calibration service providers maintaining the traceability of your measurement equipment
  • Design and engineering services developing drawings, specifications, or software under your direction
  • Logistics and distribution providers handling, storing, and shipping your product
  • IT service providers managing systems that support production, document control, or customer service
  • Training providers delivering competency-critical training to your staff
  • Sterilization and special-process providers for regulated industries

The Responsibility Principle: You Own the Output

The most important concept in Clause 8.4 is this: when you outsource a process, you remain accountable for the output of that process as if you had performed it yourself. Your customer does not know or care whether component X was machined in-house or by a subcontractor 200 miles away. When it fails, they call you.

This is not a procedural technicality — it is a design principle of the standard. ISO 9001 is built on the process approach, and the process approach treats your value chain as an interconnected system of processes, regardless of who performs them. An outsourced process is still a process in your system. It has inputs, outputs, controls, and performance criteria that you are responsible for defining, communicating, and verifying.

The certification body that audits your organization operates on this principle explicitly. They are not auditing your suppliers. They are auditing your control over your suppliers. An auditor will not travel to your subcontractor's facility to verify their welds. They will examine your welding qualification requirements, your purchase order or quality agreement with that subcontractor, your incoming inspection or surveillance records, and your process for handling nonconforming parts when that subcontractor sends bad material. If any of those controls are absent or inadequate, the nonconformance is yours.

Outsourcing transfers execution. It does not transfer accountability. The certification body audits your control of suppliers, not the suppliers themselves.


Risk-Based Thinking Applied to Your Supply Chain

One of the strongest features of Clause 8.4 is its explicit connection to risk-based thinking, the overarching requirement of Clause 6.1. Rather than requiring uniform, maximum control over every external provider, the standard requires you to determine the "type and extent of controls" based on risk — specifically, based on the potential impact of an external provider on your ability to consistently meet customer and regulatory requirements.

This means not all suppliers require the same oversight. A single-source supplier who provides a critical component that goes directly into a safety-relevant system requires rigorous control: formal qualification, on-site audits, first-article inspection, statistical process monitoring, and a quality agreement. A commodity stationery supplier for the office does not.

The standard gives you three criteria to guide how much control to apply:

  • The potential impact of the externally provided process, product, or service on your organization's ability to consistently meet requirements
  • The extent to which control is shared with, or applied entirely by, the external provider
  • The capability of the external provider to meet your requirements

Running these criteria through a risk lens produces a tiered approach to supplier control. Tier your suppliers honestly — not based on spend or relationship longevity, but on what actually happens to your customers if that supplier fails. That exercise alone often surfaces blind spots that organizations have been comfortable ignoring.

The Risk of Over-Reliance on Supplier Certifications

A common mistake in supplier qualification is treating a supplier's ISO 9001 certificate as a substitute for your own oversight. It is not. A certificate confirms that a certification body assessed the supplier's QMS at a point in time. It does not guarantee that their process will consistently meet your specific requirements. Surveillance audits between registration cycles can miss significant deterioration. Certificate status should inform your risk assessment — it should not replace it.


How to Establish Control Over Outsourced Processes

Supplier Evaluation and Selection

Clause 8.4.1 requires you to evaluate, select, and re-evaluate external providers based on their ability to provide processes, products, and services in accordance with your requirements. This is not a one-time event — it is a lifecycle requirement.

Supplier evaluation should be risk-proportionate. For critical suppliers, this may mean:

  • Reviewing quality history and references
  • Conducting an on-site capability assessment or audit
  • Requesting process documentation or control plans
  • Running sample production and evaluating first-article results
  • Verifying that their measurement system is adequate for your product's tolerances

For lower-risk suppliers, a simpler evaluation — reviewing certifications, requesting a quality questionnaire, or assessing prior performance history — may be sufficient. The key is that your process for evaluating each tier is defined and documented, and that the level of evaluation is defensible given the supplier's risk profile.

Maintain an approved supplier list (or equivalent) as documented information. Auditors will ask to see it.

Contracts and Quality Agreements

Clause 8.4.3 requires you to communicate to external providers your requirements — and that communication must cover a specific list of items, including the processes to be performed, products to be provided, applicable product and service requirements, approval requirements for products or methods, competence requirements, QMS requirements where applicable, and your intention to conduct verification activities at the supplier's premises.

In practice, this means your purchase orders, contracts, or quality agreements must be substantive enough to actually transmit your requirements. A purchase order that says "100 units, Part #12345" is not sufficient if Part #12345 has dimensional tolerances, material specifications, cleanliness requirements, and packaging standards that the supplier needs to meet. Those requirements must be communicated in writing — and you need records showing they were communicated.

For critical outsourced processes, a standalone quality agreement (sometimes called a supply chain quality agreement or SCQA) is the right tool. A quality agreement defines:

  • Specific product and process requirements
  • Inspection, testing, and acceptance criteria
  • Nonconformance notification and disposition requirements
  • Record retention obligations on both sides
  • Right-of-access provisions for audits
  • Change notification requirements (including process changes)

A well-drafted quality agreement closes the loop between your QMS requirements and what the supplier is contractually obligated to deliver. It also gives you the foundation you need to take corrective action when things go wrong.

Monitoring and Measurement

Establishing requirements is necessary but not sufficient. Clause 8.4 requires you to monitor the performance of your external providers — not just define what you want, but verify that you are getting it.

Monitoring can take several forms depending on the risk level of the supplier:

  • Incoming inspection — physical or dimensional checks on received product before it enters your process
  • First-article inspection (FAI) — detailed verification of the first production lot against all requirements before ongoing production proceeds
  • Statistical sampling — using acceptance sampling plans (such as ANSI/ASQ Z1.4) to assess incoming lots
  • Supplier-provided certificates of conformance or test reports — reviewed and retained for traceability
  • Periodic supplier audits — on-site or remote assessments of the supplier's process and quality controls
  • KPI tracking — monitoring on-time delivery, defect rates, and nonconformance frequency over time

The monitoring method should match both the risk and the nature of the outsourced process. A testing laboratory you use for product release decisions warrants more rigorous oversight than a cleaning service provider. The point is to have evidence — objective, documented evidence — that you are verifying conformance and that the evidence is current.

Handling Nonconforming Outputs from Suppliers

When an external provider sends you something that does not conform to your requirements, Clause 8.7 (Control of Nonconforming Outputs) applies. You must identify the nonconforming output, segregate or contain it to prevent unintended use, make a disposition decision (use-as-is with concession, rework, return, scrap), and document what happened.

Critically, nonconformances from suppliers should also feed your Clause 8.4 monitoring process. A one-off defect may be an isolated event. A pattern of nonconformances from the same supplier is a signal that your controls are insufficient, that the supplier is incapable, or both. That pattern should trigger a formal re-evaluation of the supplier and likely a corrective action request — directed at the supplier, tracked by you, with verification of effectiveness before the issue is closed.


What Auditors Look For — and the Gaps Organizations Miss

Having guided organizations through hundreds of ISO 9001 certification and surveillance audits at Certify Consulting, I can tell you exactly how auditors approach Clause 8.4, and where the weaknesses almost always appear.

Auditors will typically start by asking you to walk them through your process for managing external providers. They want to see:

  1. An approved supplier list that is current, maintained, and connected to your evaluation process — not a static spreadsheet that was created during initial certification and never touched again
  2. Evaluation records showing how each critical supplier was selected and what criteria were used
  3. Documented requirements — purchase orders, quality agreements, or specifications — that actually communicate your quality requirements to the supplier
  4. Monitoring records — incoming inspection logs, supplier scorecards, audit reports, or test reports showing ongoing verification of supplier performance
  5. Nonconformance records showing how supplier failures were handled and what corrective actions were taken or requested

The gaps I see most consistently are:

Gap 1: Supplier lists with no evaluation backing them. An organization has a list of approved suppliers, but when asked for the evaluation records that put those suppliers on the list, they do not exist. The list was created, never validated.

Gap 2: Purchase orders that are silent on quality requirements. Procurement negotiates price and delivery. Quality requirements never make it onto the PO. The supplier has no documented obligation to meet tolerances they were never told about.

Gap 3: Calibration providers treated as invisible infrastructure. Calibration laboratories are external providers performing a process that directly affects your ability to verify product conformity. They require evaluation, documented requirements, and monitoring — yet organizations often have no quality agreement with their calibration provider and cannot produce evidence that they verified the lab's accreditation scope covers the equipment being calibrated.

Gap 4: No re-evaluation on any schedule. Clause 8.4 requires re-evaluation of external providers. A supplier that was excellent five years ago may have changed ownership, reduced staffing, or shifted processes. Re-evaluation frequency should be risk-based, but it must exist.

Gap 5: Outsourced design services not in scope at all. Organizations that outsource engineering or design services sometimes treat those providers as entirely outside their QMS. They are not. The design output is part of your product realization process, and the design process is subject to Clause 8.4 controls.


A Note on Documented Information Requirements

ISO 9001:2015 requires you to retain documented information as evidence of your Clause 8.4 activities. Specifically, the standard requires records of evaluating, selecting, monitoring, and re-evaluating external providers. This is one of the explicit "retain documented information" requirements in the standard — meaning it is not optional based on your assessment of risk or complexity.

What that documentation looks like in practice will vary by organization. A small manufacturer with ten key suppliers might maintain a simple supplier evaluation matrix with supporting evidence files. A large organization with hundreds of suppliers might run a formal supplier quality management system with automated scorecards. The standard does not prescribe the format — it requires the evidence.

At minimum, your documented information for Clause 8.4 should allow someone who was not present during any given audit or evaluation to reconstruct the answers to these questions:

  • Why was this supplier approved?
  • What requirements were communicated to them and when?
  • How have we been monitoring their performance?
  • When were they last re-evaluated, and what did we find?
  • How have we handled nonconformances from this supplier?

If your records can answer all five questions for each critical supplier, you are in a strong position. If they cannot answer even one, you have a documented information gap that an auditor will find.


Building a Culture of Accountability That Extends Beyond Your Walls

The procedural requirements of Clause 8.4 — approved supplier lists, quality agreements, monitoring records — are necessary, but they are not sufficient on their own. The organizations that consistently pass audits and, more importantly, consistently deliver conforming products and services to customers are the ones that have built supplier accountability into the way they operate, not just the way they document.

That means quality managers who are involved in supplier selection, not just brought in after procurement has already signed a contract. It means engineering and quality teams who communicate requirements to suppliers together, not sequentially. It means supplier performance reviews that drive real decisions — about sourcing, about audits, about whether to re-qualify or exit a relationship — rather than existing solely as records for auditors.

It also means being honest about what you can actually control. If a critical process is outsourced and you have no visibility into how the supplier performs it, no inspection capability to verify their output, and no contractual leverage to require improvement, that is a supply chain risk that your Clause 6.1 risk process should surface. Either you invest in control, or you bring the process back in-house, or you accept a risk that you have consciously identified and decided to carry. What you cannot do — under ISO 9001, under your customer contracts, and under any reasonable definition of quality management — is outsource accountability itself.

Suppliers are an extension of your operations. Treat them as such. Define what you need from them with the same precision you bring to your own internal processes. Measure their performance with the same rigor you apply to your internal KPIs. Respond to their failures with the same urgency you bring to internal nonconformances. When you do that consistently, Clause 8.4 stops feeling like a compliance requirement and starts functioning as the risk management tool it was designed to be.


FAQ: Outsourced Process Control Under ISO 9001

Q: Does outsourcing a process remove it from the scope of our ISO 9001 QMS?
A: No. ISO 9001:2015 Clause 8.4 explicitly states that outsourced processes remain within the scope of your QMS. You are responsible for ensuring that externally provided processes, products, and services conform to your requirements. Outsourcing transfers execution, not accountability.

Q: What is the difference between an outsourced process and a purchased product or service under ISO 9001?
A: Clause 8.4 covers all three types. An outsourced process is one that would otherwise be part of your QMS but is performed by an external party — it has the closest integration with your quality system. Purchased products and services are also covered, with the level of control scaled to their potential impact on your conformance to requirements.

Q: Do all suppliers require the same level of control?
A: No. The standard requires you to determine the "type and extent of controls" based on the potential impact of the externally provided process on your ability to consistently deliver conforming products and services. A supplier whose output goes directly to your customer without further verification requires tighter control than one whose output you fully inspect before use.

Q: What documented information does Clause 8.4 require?
A: You must retain documented information as evidence of evaluating, selecting, monitoring, and re-evaluating external providers. This typically includes evaluation records, approved supplier lists, quality agreements or purchase orders with quality requirements, monitoring results, and nonconformance records from suppliers.

Q: Will the certification body audit my suppliers during an ISO 9001 audit?
A: No. Your certification body audits your organization's controls over suppliers, not the suppliers themselves. The auditor will review your supplier evaluation records, quality agreements, monitoring data, and nonconformance handling to verify that you have effective oversight in place.


Working with a Consultant on Clause 8.4 Implementation

Clause 8.4 is one of the areas where I consistently see organizations underinvest — both in their initial QMS build and in ongoing compliance. Building an effective supplier control system requires clear thinking about risk, practical documentation that survives an audit, and supplier communication that actually works. Getting it right the first time is considerably less painful than receiving a major nonconformance during a certification audit because your approved supplier list was a spreadsheet no one had updated in three years.

At Certify Consulting, my team helps organizations build Clause 8.4 systems that are proportionate, practical, and audit-ready — whether that means developing your supplier evaluation process from scratch, drafting quality agreements for critical suppliers, or preparing for an upcoming surveillance audit where supply chain controls are likely to be scrutinized. If your outsourced process controls are a gap you know exists, I am happy to help you close it.

For related reading, see our guide on ISO 9001 Clause 8.5.1: Control of Production and Service Provision and our overview of nonconformity and corrective action under Clause 10.2.


Last updated: March 30, 2026


Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.
