4.3 Clause 8.4 — Control of Externally Provided Processes, Products & Services
Key Takeaways
- 8.4.1 covers three distinct types of external provision: incorporated products, products/services delivered directly to the customer on the organization's behalf, and outsourced processes.
- The organization must define documented criteria for evaluation, selection, monitoring, and re-evaluation of external providers — and apply them consistently.
- 8.4.2 requires risk-graded control: the type and extent of verification should match the criticality of the external input and the demonstrated effectiveness of the supplier's own controls.
- 8.4.3 requires specific information — requirements, approval/release criteria, competence, and verification rights — to be communicated to external providers before or at the point of engagement.
- A common finding is an approved-supplier list with no evidence of ongoing re-evaluation, or purchase orders lacking technical requirements.
Three Types of "External Provision"
ISO 9001 groups anything an organization does not do entirely itself into three categories under 8.4.1, and an auditor should be able to identify which applies to any given supplier relationship, because the required rigor of control differs across them:
- Products and services from external providers for incorporation into the organization's own products or services (raw materials, purchased components)
- Products and services provided directly to the customer by an external provider on behalf of the organization (drop-shipping arrangements, a subcontracted service delivered under the organization's own brand)
- A process, or part of a process, provided by an external provider as a result of a decision by the organization (outsourced heat-treatment, calibration, or an entire manufacturing step)
8.4.1 General
The organization must ensure that externally provided processes, products, and services conform to requirements. Controls must be applied when the products or services are intended for incorporation into the organization's own products and services, when they are provided directly to the customer by an external provider on the organization's behalf, or when a process is provided by an external party as a result of the organization's own decision.
The organization must determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes, products, or services in accordance with requirements. Documented information on these activities, and on any necessary actions arising from the evaluations, must be retained.
Auditor evidence: an approved-supplier list, evaluation scorecards, a re-evaluation schedule with corresponding records, corrective actions raised against a supplier, and a documented rationale for the criteria used - i.e., a defensible answer to "why is this supplier on the approved list."
8.4.2 Type and Extent of Control
The organization must ensure that externally provided processes, products, and services do not adversely affect its ability to consistently deliver conforming products and services to its own customers. Two distinct actions are required: ensure externally provided processes remain within the control of the quality management system, and define both the controls it intends to apply to an external provider and those it intends to apply to the resulting output.
In determining the type and extent of control, the organization must consider:
| Factor | Auditor question |
|---|---|
| Potential impact on the organization's ability to meet requirements | How critical is this input to final product or service conformity? |
| Effectiveness of the controls applied by the external provider | Does the supplier operate its own certified QMS, produce capability data, or provide statistical process control evidence? |
| Verification or other activities needed to confirm conformity | Incoming inspection, review of certificates of conformance, source inspection at the supplier's site, or statistical sampling |
This is a deliberately risk-graded requirement: a critical safety component sourced from a new, unproven supplier warrants tighter controls - source inspection, full incoming test - than a commodity item from a long-established supplier with strong historical performance data, which may justify reduced or skip-lot inspection.
8.4.3 Information for External Providers
Before entering into a relationship, the organization must communicate its requirements to external providers, covering: the processes, products, and services to be provided; the approval of products and services, methods, processes, or equipment, and the release of products and services; competence, including any required qualification of persons; the external providers' interactions with the organization; control and monitoring of the external provider's performance to be applied by the organization; and any verification or validation activities that the organization, or its customer, intends to perform at the external provider's premises.
Auditor trail: pull a purchase order or subcontract agreement and confirm it carries the technical requirements, acceptance criteria, and - where relevant - a right-of-access clause for source inspection, then check whether that access was actually exercised where the organization's own risk assessment called for it.
Common Audit Findings
- An approved-supplier list exists, but there is no evidence of periodic re-evaluation against the defined criteria.
- Purchase orders reference a part number only, with no technical requirements or acceptance criteria communicated to the supplier.
- A subcontracted process - outsourced welding, plating, or calibration - is treated as outside the QMS boundary, with no incoming verification applied to the returned output.
- Supplier nonconformances are logged individually but are never fed back into the supplier's re-evaluation score or the approved-supplier decision.
- A new supplier is added to the approved list on the strength of a certificate alone, with no assessment against the organization's own defined criteria (capacity, quality history, financial stability, or a sample evaluation).
Distinguishing 8.4 from 8.2 and 8.1 on the Exam
Candidates sometimes confuse "control of externally provided processes" (8.4) with the organization's own operational planning (8.1) or its review of customer requirements (8.2). The distinction that matters for the exam: 8.2 governs what the organization promises its own customer, 8.1 governs how the organization plans and controls its own processes (including the instruction to apply 8.4 to anything outsourced), and 8.4 governs specifically the organization's relationship with, and control over, its own external providers. A single audit trail can touch all three - a customer order (8.2) drives a production plan (8.1) that includes an outsourced plating step (8.4) - and a lead auditor should be able to name which sub-clause applies to each link in that chain rather than lumping the whole trail under one generic "process control" finding. Being precise about which clause a piece of evidence supports (or fails to support) is exactly the skill tested when writing nonconformity statements later in the audit lifecycle.
An organization outsources a safety-critical heat-treatment process to a new supplier with no prior performance history. According to Clause 8.4.2, what should determine the type and extent of control applied?
During document review, an auditor finds an approved-supplier list but no records showing suppliers have been re-evaluated since initial approval three years ago. Which requirement is most directly at risk of nonconformity?