Organisations are required by ISO 9001:2015 to ensure the adequacy of requirements before communicating to the external provider.

The following requirements must be communicated:

1. The specific processes, products and services to be provided,
2. The approval of: Products and services, methods, processes and equipment and the release of products and services,
3. Any competency requirements, including any required qualification of personnel,
4. Required interactions with the organisation by the external provider,
5. Control and monitoring of the external providers’ performance to be applied by the organisation;
6. Any verification and validation activities that the organisation, or its customer, intends to perform on the premises of the external provider.

Comment:

Note that required communication with the provider specifically references how the provider will interact with the organisation, how their performance will be monitored and controlled and the competency (not just qualification) of personnel.

Audit Check:

Evidence that communications have been verified for adequacy prior to communication and that all required elements are covered, may be requested in an audit trail as discussed in article 8.4.1, through the examination of documented review activities, enquiries, purchase orders and other communications. IE emails / meeting minutes.

The clarifications /specific references noted in the comments above may be targeted for compliance verification including the additional requirement that organisations must communicate to external providers any competency requirements that apply to their personnel. (See also notes under articles 7.2 Competence.)