ISO 9001:2015

Clause 8.4.2 External Providers - Type and extent of control

Organisations are required under ISO 9001:2015 to ensure that externally provided processes, products and services do not adversely affect their ability to deliver conforming products and services to their customers by:

  1. Ensuring that externally provided processes remain within the control of their management system,
  2. Defining both the controls that they intend to apply to an external provider and those they intend to apply to the resulting output,
  3. Taking into consideration the potential impact (i.e. the risk) of the externally provided processes, products and services on the organisation’s ability to consistently meet customer and applicable statutory and regulatory requirements, and the effectiveness of the controls applied by the external provider,
  4. Determining the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.
We can see that organisations are now required to take a risk-based approach when determining the type and extent of the controls to apply to external providers of processes, products and services, i.e. the controls should be planned, appropriate and proportionate.

Note that defining the controls to apply to an external provider and to the resulting output requires control of both the suppliers / subcontractors / outsourced activity providers themselves and the products or services they provide. The focus should always be on prevention through appropriate selection and control of providers wherever possible, but if subsequent inspection and test is required, these activities must also be defined and controlled, e.g. through control / sampling plans.

Examples of Selection Criteria:

International Standards certification (e.g. ISO 9001:2015!), financial reports (e.g. Dun & Bradstreet), technical and manufacturing capability (statistical capability studies), demonstrated capacity, delivery performance records and cost.

Data can typically be acquired via remote correspondence (questionnaires / copies of certifications), on-site visits (audit reports), group approval processes and, in some instances, references from other customers.

Examples of Monitoring and Control:

Performance trend analysis such as PPM defects / non-conforming products received and the timeliness of corrective actions, concessions requested, delivery to plan / time slot performance, service level agreement compliance, and timely / comprehensive subsequent investigations and corrective and preventive actions.

Audit Check:

Whilst documented evidence is not expressly required under clause 8.4.2 in the 2015 update, organisations will still need to demonstrate that controls are in place, are monitored and reviewed, and are effective, e.g. evidence of management review (see clause 9.3.2) and of planning activities (see clause 8.4.1).

Auditors may also wish to verify that risk-based thinking has been applied when determining appropriate controls for external providers. One size may not (and in most cases should not) fit all of an organisation's providers, and a planned methodology should be applied in determining the most suitable methods for both selection and approval, and monitoring and control.

This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!

David Barker CQP MCQI
