ISO 9001:2015 – Newsletter – Issue 57



Issue 57 – Clause 8.4:  Control of Externally Provided Processes, Products and Services




What’s the intent of Clause 8.4?… In our last Newsletter (ISO 9001:2015 Newsletter Issue 56) we discussed the topic of “design and development”, and now here in Clause 8.4 we address the area of “acquiring goods and services”.  The intent of this Clause is to build on “design” that was done in Clause 8.3 and now acquire those goods and services needed to make those designs a reality, based on what the Customer has ordered.

Note A:  This Clause DOES include requirements for “documented information”.
Note B:  As I’ve mentioned in the past, the content for these Newsletters comes from working in the field with my Clients, and with their ISO Certification Bodies. I gain a lot of hands-on experience from conducting training workshops, gap audits and internal audits, where the requirements of the Standard have to be interpreted and applied to each unique situation.  A popular training request is our on-site Internal Process Auditor Training for ISO 9001:2015 since you will need to do a complete round of internal audits to the new Standard prior to your external upgrade audit.  On that note, some organizations are opting to use an outside resource to assist with their internal audits in order to meet deadlines (…more details on this service, as well as the training sessions we offer, can be found below).


The new numbering format… 

Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement


Clause 8.4  Control of Externally Provided Processes, Products and Services consists of three (3) Sub-Clauses as listed below:

8.4.1  General

8.4.2  Type and Extent of Control

8.4.3  Information for External Providers


Sub-Clause 8.4.1  General – I’ll start this off by saying that for many organizations, Clause 8.4 now covers a lot more territory than what the old “purchasing section” covered back in 2008… let me explain.  The use of the words “and services” is the first hit since that means that now outside (or outsourced) services need to be addressed.  You should probably start by making a list of the externally provided services this includes.  Begin with those externally provided services that have a direct impact on the conformity of your outbound products, and a direct impact on your outbound services.  Then expand that list to include any externally provided services that have an indirect impact.

The second way Clause 8.4 gets expanded is with the term “externally provided processes”, which can be interpreted as being those activities provided by: another Department outside the scope of the QMS (like Legal); or another sister plant/facility; or your head office/corporate.  If it helps you to distinguish, think of the common denominator here being that “no money is changing hands, nor are purchase orders being issued”.  I would once again build a list of the externally provided processes that affect your QMS, and I would use the same approach (direct impact – and indirect impact – on the conformity of your outbound products and outbound services).  The challenge here is that most of the things on your list will not be covered by a Purchase Order (PO), or by a Contract, which makes applying controls difficult.  With regard to “control of these externally provided processes” my recommendation is to look at what activities you perform WITHIN your circle of responsibility, that interact with those external providers, and at the very least document (and report on) the performance of those interactions.

Let’s now get back to discussing sub-clause 8.4.1, specifically a) b) and c), all of which are asking you to decide what controls you will put in place in the three scenarios listed… a) when what is being externally provided goes into or around your outbound products/services; b) when the external provider does the last step before the Customer sees it; and c) when you make a business decision to outsource a process instead of doing it yourself.  In these cases you will need to decide what controls you will put in place on these external providers to ensure requirements are met.


Sub-Clause 8.4.2  Type and extent of Control – This sub-clause is drilling down further into the “controls” you implement, with a new requirement found in 8.4.2 a) which asks organizations to ensure that externally provided processes remain within the control of its QMS.  The challenge again is when there are no contracts, POs or agreements in place for externally provided processes.  As an example, the only control you may have with your corporate office being an external provider (say of IT services), is the ability to document and report on any adverse performance issues being experienced, and to identify what impact that may be having on your business performance, or on your Customer’s level of satisfaction.  Another new requirement is found in 8.4.2 c) 2) which wants you to take into consideration how strong (or weak) the controls are that are being applied by the external provider on themselves.


Sub-Clause 8.4.3  Information for External Providers – This sub-clause is very similar to those old requirements found back in 2008.  Some additional requirements are found in 8.4.3 c) asking you to define any “competency” requirements for the external provider; 8.4.3 d) which wants you to specify how you will interact with your external provider; and 8.4.3 e) dealing with how you intend to control and monitor the external provider’s performance.  This is easily addressed when you have a PO or Contract between yourself and the external provider, because that is where these details can be covered.  In some instances, organizations have implemented Service Level Agreements (SLAs) for those departments that support the business operations, and this is where these requirements can be communicated.

However, this is not so easily done with other external providers where there is no written agreement in place.  One way of handling this is to look carefully at the wording used to start the 2nd paragraph in sub-clause 8.4.3, which reads: “The organization shall communicate to external providers its requirements for: …”.  One could logically interpret the words “its requirements” as allowing for the situation where the organization has NO requirements in this regard for its external provider.  For example, when purchasing raw materials, your company has NO requirements for the competency of the people producing those raw materials, and therefore competency requirements do NOT need to be communicated to the external provider (8.4.3 c) within the PO or Contract.


Be sure to watch for our next Newsletter issue where we will cover another section of ISO 9001:2015…


PS: Don’t forget to look at the Q&A section below for some final thoughts…





Need Help?

ISO 9001:2015 Internal Audit Outsourcing (we can do it for you OR with you!)

For cost effectiveness, the Internal Audit function can be outsourced to an external experienced auditor on a periodic basis. This will provide an independent and objective assessment to management, of where process issues may exist, along with identifying opportunities for improvement.  It will also provide the evidence needed to satisfy the Internal Audit requirements in the ISO Standards.  We have used two different approaches with this service: a) We conduct the entire audit ourselves, or b) We act as the lead auditor, and along with your Team of internal auditors, we complete the entire audit together.  This latter approach allows your people to receive guidance and direction from an experienced lead auditor while at the same time maintaining significant involvement in the internal audit process.


Documentation Development Training Workshop for ISO 9001:2015

This Documentation Development Training Workshop for ISO 9001:2015 Session is intended to be a very interactive, hands-on session (hence the name Workshop) where your QMS documentation will be created/revised, with guidance from an experienced facilitator.  This type of session can help launch your transition efforts by getting a lot accomplished within a compressed time-frame.  If your organization has already begun the re-write then this session can be used to validate what you’ve accomplished so far, or if you haven’t yet begun, it can be the catalyst to get things started (…which is usually the hardest part).  Deciding how to move from your current QMS structure into a new one can be a daunting task and this session can help you navigate through it.  A copy of a sample Quality Manual (re-iterating the “shall” requirements found within the ISO 9001:2015 Standard) will be provided to each participant.  As always, our focus will be on how to develop a simplified and streamlined quality management system, that helps to drive improvement in your business.


Internal Process Auditor Training for ISO 9001:2015

The two (2) day Internal Process Auditing for ISO 9001:2015 Training Session is focused on a process approach to auditing with the objective being not only to assess conformance of the quality management system, but also to uncover process improvements during an audit. This goes hand in hand with the process auditing requirements found within ISO 19011 and the process approach covered in ISO 9001:2015, which promotes continual process improvement throughout this Standard. An enhanced checklist is developed, and there will be workshops throughout, to reinforce learning, as well as a live, practice audit. If you are looking to meet the ISO 9001:2015 internal audit requirements and to “raise the bar” for your internal audit program then this is the course you should consider.


ISO 9001:2015 Essentials + Gap Audit

This combines the ISO 9001:2015 Essentials Session with a Gap Audit – This approach is used to assist organizations in launching their transition efforts for this new ISO Standard. This event accomplishes two things: a) it provides education on the new ISO 9001:2015 Standard for your key personnel (i.e. internal auditors; etc.), by highlighting the differences from the 2008 version; and b) it assesses the gap from where you are today to where you need to be to achieve compliance to this new ISO Standard. Training certificates covering education on the new ISO 9001:2015 Standard, as well as issuing of a Gap Audit Report for distribution to your Top Management, are the two deliverables from this event. On a final note, a closing meeting can be arranged with key individuals so they can hear firsthand the results of the Gap Audit that was performed.  PS: We’ve also done this session with just the QMS Management Rep attending, which allowed them to quickly get up to speed on this new Standard, as well as to see how much of an effort the transition will be… and of course they receive their own Training Certificate as part of this event.  This also allowed them to avoid traveling offsite to get the training they needed anyway, as evidence for their Certification Bodies.



Q:  How do you perform an audit for Clause 8.4 of ISO 9001:2015?

A:  For Clause 8.4, an Audit Checklist should cover these areas:

–  Has the organization identified its externally provided processes?  Its externally provided products?  Its externally provided services?
–  What “controls” have been implemented for each of them?
–  Does the organization have external providers who provide products and services that are intended for incorporation into the organization’s own products and services? If yes, how is control maintained?
–  Does the organization have external providers who provide products and services directly to the Customer on their behalf? If yes, how is control maintained?
–  Does the organization have external providers who provide a process, or part of a process, as a result of a decision by the organization? If yes, how is control maintained?
–  Does the organization determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements? How?
–  Does the organization retain documented information of these activities and any necessary actions arising from the evaluations? Where?
–  Does the organization ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its Customers? How?
–  Does the organization retain control of externally provided processes within its QMS?  How?
–  Does the organization define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output? How?
–  Does the organization take into consideration the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet Customer and applicable statutory and regulatory requirements? How?
–  Does the organization take into consideration the effectiveness of controls applied by external providers?  How?
–  Does the organization determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements? How?
–  Does the organization ensure the adequacy of requirements prior to their communication to the external provider? How?
–  Does the organization communicate to external providers its requirements for the processes, products and services to be provided? How?
–  Does the organization communicate to external providers its requirements for the approval of products and services? Approval of methods, processes and equipment? Approval of the release of products and services? How?
–  Does the organization communicate competency requirements (including any required qualification of persons) to its external providers?  How?
–  Does the organization specify how interactions will take place between themselves and the external provider?  How?
–  Does the organization communicate what control and monitoring activities they will apply to the external provider? How?
–  Does the organization communicate to external providers its requirements for the verification or validation activities that the organization, or its Customer, intends to perform at the external providers’ premises? How?

(Make sure to interview more than one person and obtain examples for the items listed above)


Until next time…

Tim Renaud

Helping Business Professionals Reduce Risk and Remove Waste!