Clause 8.4 Compliance
ISO 9001 clause 8.4 requires you to control externally provided processes, products, and services that affect your QMS. This means evaluating, selecting, and monitoring suppliers — then taking action when performance falls short. A well-managed supplier quality program protects your product quality and your certification.
Understanding the Requirement
ISO 9001:2015 clause 8.4 — Control of Externally Provided Processes, Products and Services — applies whenever your organization purchases materials, outsources processes, or relies on external providers for any part of your product or service delivery. The clause covers three distinct scenarios: products and services from external providers intended for incorporation into your own products; products and services provided directly to customers on your behalf; and processes or parts of processes provided by an external provider based on your decision to outsource.
The standard requires you to determine the controls to apply to external providers and their outputs. These controls must be based on the potential impact the externally provided processes, products, and services have on your organization’s ability to consistently deliver conforming products and services to customers. In practice, this means a raw material supplier that provides a critical component requires more rigorous controls than an office supply vendor.
Organizations must also retain documented information describing the results of evaluations, monitoring of performance, and re-evaluations of external providers. This is not optional — registrars verify this documented information during every certification and surveillance audit.
Getting Started Right
A systematic evaluation process ensures you select suppliers who can consistently meet your quality, delivery, and cost requirements.
Before evaluating any supplier, establish the criteria against which they will be judged. Common criteria include quality system certification (ISO 9001, AS9100, IATF 16949), production capability and capacity, financial stability, delivery performance history, technical competence, and geographic proximity. Weight these criteria based on their importance to your specific needs — a supplier of safety-critical components warrants heavier weighting on quality metrics than a supplier of non-critical packaging materials.
Document your evaluation criteria in a supplier management procedure. This ensures consistent application across all procurement decisions and provides the objective basis that ISO 9001 requires for supplier selection.
Supplier evaluations can range from a simple questionnaire for low-risk suppliers to full on-site audits for critical suppliers. The evaluation method should be proportional to the risk. A typical evaluation includes reviewing the supplier’s quality management system documentation, verifying certifications, assessing production capabilities, checking references from other customers, and evaluating sample products or first articles.
For critical suppliers, we recommend conducting an on-site supplier audit using a standardized audit checklist. This gives you direct visibility into their operations, equipment condition, housekeeping, training practices, and overall quality culture — things that cannot be assessed through paperwork alone.
After evaluation, make a formal approval decision. Approved suppliers are added to your Approved Supplier List (ASL) with documentation of the evaluation results, approval date, scope of approval (what they are approved to supply), and any conditions or limitations. Rejected suppliers are documented with the reasons for rejection.
The ASL should be a controlled document within your QMS, accessible to purchasing personnel, and reviewed periodically. Purchasing from unapproved suppliers must be explicitly prohibited or controlled through a formal deviation process that includes quality approval.
Verification at Receipt
Incoming inspection is your first line of defense against nonconforming supplier material entering your production processes. While ISO 9001 does not prescribe a specific inspection method, clause 8.6 requires that products and services meet requirements before being released for use. The type and extent of incoming inspection should be proportional to risk.
A risk-based approach means critical materials that directly affect product safety or performance receive thorough inspection and testing, while low-risk commodity items may require only visual verification against the purchase order. The key is documenting your inspection criteria, maintaining inspection records, and having a clear process for handling nonconforming material when it is identified.
As supplier performance improves and trust builds, you may consider reduced inspection levels for proven suppliers. However, any changes to inspection frequency should be formally approved and documented, with a mechanism to revert to full inspection if quality problems resurface.
Verify quantity, packaging condition, labeling accuracy, and obvious defects. Compare against purchase order and packing slip. Suitable for low-risk items and initial screening of all receipts.
Measure critical dimensions using calibrated instruments. Verify compliance with engineering drawings and specifications. Required for precision-machined parts, fabricated components, and assemblies.
Verify material composition, hardness, tensile strength, or other physical/chemical properties. May include review of mill certifications, certificates of conformance, or independent laboratory testing.
Comprehensive inspection of the first production sample from a new supplier, new part, or after a process change. Verifies all drawing requirements before full production proceeds.
Ongoing Monitoring
Effective supplier management requires ongoing performance tracking. Scorecards provide objective data for re-evaluation decisions and drive supplier improvement.
A supplier scorecard tracks key performance indicators (KPIs) over time, providing a data-driven basis for re-evaluation, corrective action, and strategic sourcing decisions. The most common metrics are quality (incoming rejection rate, nonconformance frequency), delivery (on-time delivery percentage, lead time adherence), responsiveness (corrective action turnaround, communication quality), and cost (price competitiveness, total cost of quality). Scorecards should be reviewed at defined intervals — typically quarterly or semi-annually — and shared with suppliers to drive transparency and improvement.
Track incoming rejection rate, nonconformance reports per delivery, warranty claims, and corrective action closure rates. Target <1% rejection rate for critical suppliers.
Measure on-time delivery percentage, early/late delivery frequency, quantity accuracy, and lead time consistency. Target >95% on-time delivery for all suppliers.
Evaluate corrective action response time, communication clarity, willingness to collaborate on quality issues, and flexibility to accommodate urgent requirements.
Consider total cost of quality — not just unit price. Factor in inspection costs, rework from supplier defects, expediting charges, and administrative burden of managing quality issues.
Scorecards should define clear performance thresholds. Suppliers consistently meeting all targets may qualify for reduced inspection or preferred status. Suppliers falling below minimum thresholds should be placed on a corrective action program, with defined timelines for improvement. Suppliers who fail to improve after formal corrective action should be considered for removal from the approved supplier list.
Deeper Verification
While supplier scorecards track output metrics, supplier audits examine the systems and processes behind those metrics. On-site audits are the most effective way to assess a supplier’s true quality capability, verify that their QMS is functioning as claimed, and identify risks that performance data alone may not reveal.
ISO 9001 does not require supplier audits, but clause 8.4 gives you the right to verify externally provided processes at the supplier’s premises. For critical suppliers — those providing materials or services that directly affect product safety, performance, or regulatory compliance — periodic on-site audits are considered an industry best practice.
Audit findings should be formally communicated to the supplier with expected corrective actions and timelines. Follow-up verification ensures the supplier has effectively addressed the identified issues. Strong suppliers view audits as improvement opportunities; suppliers who resist audit access should be treated as higher risk in your overall supplier management strategy.
Conducted before approving a new critical supplier. Evaluates QMS maturity, production capability, process controls, calibration program, and overall readiness to meet your requirements.
Scheduled audits of approved suppliers to verify continued compliance. Frequency based on risk and past performance. Typically annual for critical suppliers, biennial for standard suppliers.
Triggered by quality escapes, recurring nonconformities, customer complaints traced to supplier material, or significant changes at the supplier’s facility. Focuses on the specific area of concern.
When Things Go Wrong
A clear, documented process for managing nonconforming supplier material protects your product quality and maintains supply chain integrity.
Identify & Segregate
Immediately identify and segregate nonconforming material to prevent unintended use. Tag or label clearly as “HOLD — Nonconforming.” Move to a designated quarantine area if physical segregation is practical.
Document the Nonconformity
Create a Supplier Nonconformance Report (SNCR) or equivalent record. Include the supplier name, part number, quantity affected, description of the nonconformity, inspection method used, and objective evidence (photos, measurements, test results).
Notify the Supplier
Formally notify the supplier of the nonconformity, provide the objective evidence, and request a corrective action response. Set a deadline for response — typically 10 business days for the initial response and 30 days for full corrective action implementation.
Make a Disposition Decision
Determine the appropriate disposition: return to supplier for replacement or credit, rework in-house (if feasible and approved), use-as-is with engineering concession and customer approval if required, or scrap. Document the decision and authorization.
Track & Trend
Record the nonconformity in the supplier’s scorecard. Track trends by supplier, part number, and defect type. Use this data in supplier re-evaluation decisions and management review. Recurring nonconformities from the same supplier indicate a systemic problem that may warrant escalated action.
Expert Guidance
Supplier quality management is one of the most complex elements of ISO 9001 — and one of the areas where organizations most frequently struggle during certification audits. Common audit findings include undefined supplier evaluation criteria, incomplete approved supplier lists, missing re-evaluation records, and inadequate incoming inspection procedures.
We build supplier quality programs that are fully integrated into your broader QMS. Every procedure, form, and process we develop connects to your existing ISO 9001 implementation — from purchasing controls to internal audits to management review. The result is a cohesive system that registrars approve and your team can actually use.
Every engagement is led personally by Jared Clark, CMQ-OE, JD, MBA, PMP. With extensive experience across manufacturing, defense, renewable energy, and professional services supply chains, we bring practical supplier management expertise that goes far beyond template-filling.
Complete documented procedures for supplier evaluation, selection, monitoring, and re-evaluation. Tailored to your industry and supply chain complexity.
Ready-to-use supplier evaluation questionnaires, audit checklists, performance scorecards, and approved supplier list templates customized to your requirements.
Risk-based incoming inspection procedures, acceptance criteria, and sampling plans. Including nonconforming material handling processes and supplier corrective action request forms.
Common Questions
ISO 9001:2015 clause 8.4 requires organizations to ensure that externally provided processes, products, and services conform to requirements. This means you must determine the controls to apply to external providers, define criteria for evaluating, selecting, monitoring performance, and re-evaluating suppliers. You must also retain documented information of these activities and any resulting actions. The level of control depends on the potential impact the supplier’s output has on your product or service quality.
While ISO 9001:2015 does not explicitly require an “approved supplier list” by name, the standard does require you to evaluate and select suppliers based on their ability to meet your requirements, and to retain documented information of evaluation results. In practice, maintaining an approved supplier list is the most straightforward way to demonstrate compliance with these requirements. Registrars will expect to see documented evidence of how you evaluate and approve your suppliers.
ISO 9001:2015 requires monitoring and re-evaluation of external providers but does not specify a frequency. Best practice is to conduct formal re-evaluations annually, with ongoing performance monitoring through scorecards or metrics tracked monthly or quarterly. Critical suppliers — those providing materials or services that directly affect product quality — may warrant more frequent evaluation. The re-evaluation frequency should be documented in your supplier management procedure.
ISO 9001:2015 clause 8.6 requires verification that product and service requirements have been met before delivery to the customer, which includes verifying purchased materials. However, the type and extent of incoming inspection should be based on risk — the potential impact of the purchased item on your final product or service. High-risk materials may require 100% inspection or testing, while low-risk commodity items may only need visual verification against the purchase order. Your inspection approach should be documented and consistently applied.
When nonconforming supplier material is identified, you must follow your control of nonconforming outputs procedure under clause 8.7. This typically involves segregating the material to prevent unintended use, notifying the supplier, documenting the nonconformity, and making a disposition decision — return to supplier, rework, use-as-is with concession, or scrap. The nonconformity should be tracked in your supplier scorecard and factored into the supplier’s next re-evaluation. Recurring issues should trigger corrective action requests to the supplier.
Schedule a free 30-minute consultation. We’ll review your current supplier management practices, identify compliance gaps, and outline a practical path to clause 8.4 compliance — no obligation.
Or email us at [email protected]