ISO 9001:2015 requires organisations to ensure that externally provided (supplied / subcontracted) processes, products and services conform to requirements. Controls must be applied to externally provided processes, products and services when:
Organisations are also required to determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. Documented information of these activities and any necessary actions arising from the evaluations must also be retained, i.e. records!
The standard is quite explicit regarding when an organisation must apply controls over external providers, i.e. businesses must not only establish criteria to monitor the performance of external providers but also have documented information (records) on the results of the evaluation and any necessary actions required to be taken.
Note: External providers could be a supplier, subcontractor or another part of the organisation's group (if outside of the business's declared scope – see article 4.3), or even a customer. Examples of externally provided processes, products and services might include:
The purchase of raw materials, components or subassemblies,
Care should be taken when excluding an externally provided service or product from the requirements of clause 8.4.1. E.g. whilst stationery may not be considered to be “…intended for incorporation into the organisation’s own products and services” in many businesses, in some, the type and quality of the paper and envelopes used for direct-to-consumer communication may be deemed to be a key constituent of the product and hence require careful control.
The process to determine and apply criteria for evaluation and selection is commonly addressed in many organisations in the form of a supplier / subcontractor selection and approval process (questionnaires / audits) and resultant output in the form of an Approved Supplier List (ASL). ASLs may be manually administered or embedded in a commercial database / software purchasing package.
In manufacturing-orientated businesses, audit trails from dispatched or ready-to-dispatch products (depending on the level of traceability required by the management system - see article 8.5.2) are often followed back to purchased goods or services included in the finished product, and hence to the provider and the approval and selection process employed prior to the placement of a purchase order. Similar audits may be conducted with service providers via comparable documentation trails.
As performance monitoring of supplied goods and services is specifically referenced, it may be targeted for review in the audit, as documented information (records) should be available of monitoring activities and any subsequent actions. (See the requirements for determining appropriate monitoring and controls in article 8.4.2 Type and extent of control.)
Note on ISO 9001:2015 clause 7.2 Competence and 8.4.3 Information for external providers.
As we noted in article 7.2, the updated standard requires the competence of persons doing work under the organisation's control to be addressed. It is logical, then, for outsourced human resource competency to be reviewed for evaluation and subsequent required actions when looking at “control of externally provided processes, products and services”, i.e. when auditing purchasing activities. In addition, we will see in article 8.4.3 – information for external providers, that before assessment and control, competency requirements must first be communicated to the relevant provider.
This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!
David Barker CQP MCQI