Control of externally provided processes, products and services
ISO 9001:2015 Clause 8.4 requires you to control third parties so any externally provided process, product, or service meets your specified requirements. To operationalize it, set clear acceptance criteria, qualify and re-qualify providers based on risk and performance, and apply controls (contracts, verification, monitoring) proportional to what the third party affects. [1]
Key takeaways:
- Define requirements and acceptance criteria before you buy, outsource, or subcontract work.
- Approve third parties based on risk, capability, and past performance, then monitor and re-evaluate.
- Keep objective evidence: approvals, contracts, incoming verification, performance reviews, and corrective actions.
“Control of externally provided processes, products and services” is the ISO 9001 requirement that prevents quality from becoming “someone else’s problem.” Clause 8.4 applies whenever a third party touches your ability to meet customer, statutory, regulatory, or internal requirements, whether that third party ships parts, hosts software, performs calibration, provides temp labor, or runs a fully outsourced process. Your job as the Compliance Officer, CCO, or GRC lead is to make control real: requirements must be explicit, selection must be defensible, and performance must be visible.
Auditors typically look for two things: (1) you consistently decide what level of control is needed for each externally provided item, and (2) you can prove the controls work through records and outcomes. This page converts the clause into a practical operating model: a risk-based third-party segmentation approach, minimum required controls, the evidence set to retain, common audit traps, and an execution plan you can run without rewriting your entire QMS. [1]
Regulatory text
ISO 9001:2015 Clause 8.4 excerpt: “The organization shall ensure that externally provided processes, products and services conform to requirements.” [1]
What the operator must do: You must put controls in place so third-party inputs do not degrade your ability to meet requirements. Practically, that means you (a) specify what “conforming” means (requirements and acceptance criteria), (b) evaluate and select third parties based on their ability to meet those requirements, (c) monitor ongoing performance, and (d) re-evaluate when risk or performance changes. [1]
Plain-English interpretation (what Clause 8.4 demands)
You are accountable for quality outcomes even when work happens outside your walls. Clause 8.4 expects a closed loop:
- define requirements,
- choose capable third parties,
- control delivery through verification and oversight,
- fix issues and prevent recurrence,
- re-approve or exit providers that can’t meet needs. [1]
If you cannot show that loop with records, auditors often conclude control is informal, reactive, or dependent on individual heroics.
Who it applies to (entity and operational context)
Applies to: any organization operating a QMS under ISO 9001:2015 that uses third parties for processes, products, or services that can affect conformity. [1]
Common in-scope scenarios:
- Contract manufacturing, outsourcing a production step, or subcontracted special processes.
- Purchased raw materials, components, labels, packaging, or critical spares.
- Calibration, maintenance, testing, inspection, and lab services.
- Software, cloud services, hosted tooling, or external design support that affects product/service realization.
- Logistics providers where handling conditions affect quality (temperature, damage controls, chain of custody).
Operational boundary: If the third party’s output can affect your ability to meet requirements, it falls under Clause 8.4. The deeper the impact on final conformity, the stronger and more formal your controls should be. [1]
What you actually need to do (step-by-step)
Step 1: Build an “external provision” inventory
Create a list of all externally provided:
- processes (outsourced steps, services that perform part of realization),
- products (purchased materials and components),
- services (testing, calibration, logistics, consulting that impacts conformity).
Practical tip: Start from procurement/AP spend, then reconcile with operations reality. Many gaps hide in “services” spend.
Output artifact: External Provider Register (or Third-Party Register) that maps each third party to what they provide and where it touches requirements.
Step 2: Define requirements and acceptance criteria for each item
For each externally provided input, define:
- technical/spec requirements (drawings, specs, statements of work),
- acceptance criteria (inspection plan, sampling approach, test methods),
- compliance requirements (certifications, traceability, training, right-to-audit),
- change control expectations (notification, approval triggers).
Minimum bar: A buyer must be able to place an order (or sign an SOW) that is unambiguous about what “good” looks like.
Output artifacts: Purchase specs, SOW templates, approved drawings, inspection/test instructions, supplier quality clauses.
Step 3: Segment third parties by risk to conformity
You need a repeatable way to decide the intensity of control. Use a simple segmentation model that auditors can follow:
| Tier | Description | Example | Control intensity |
|---|---|---|---|
| High impact | Directly affects final conformity or safety-critical attributes | contract manufacturer, special process provider, critical component supplier | strongest controls: qualification, audits/assessments, tight acceptance, frequent review |
| Medium impact | Affects quality but is detectable before release | packaging supplier, non-critical parts | defined acceptance checks, periodic scorecards |
| Low impact | Minimal effect on conformity | office supplies | basic purchasing controls |
Decision inputs: criticality, ability to verify on receipt, complexity, past performance, and substitution difficulty.
Output artifacts: documented risk tiering logic and the assigned tier per third party.
Step 4: Evaluate and approve third parties before first use
For each third party, define an entry gate aligned to the tier:
- capability review (do they have the equipment, competence, capacity),
- quality history (past defects, references, certifications where relevant),
- process controls (inspection, traceability, calibration, nonconformance handling),
- information security and continuity considerations where services affect delivery.
Practical tip: Approval should be explicit. If a third party is used but not “approved,” auditors often write a nonconformity.
Output artifacts: supplier evaluation checklist, approval record, approved provider list (APL).
Step 5: Put controls in the contract and ordering process
Your contracts and purchase orders must reflect the controls you rely on:
- specifications and revision control,
- acceptance criteria and who performs verification,
- right-to-audit or access to relevant records (where needed),
- nonconformance notification and containment timelines (your chosen timelines, stated in the contract),
- change notification/approval requirements,
- traceability and record retention expectations.
Practical tip: If requirements live only in someone’s inbox, you do not control external provision.
Output artifacts: standard quality clauses, contract addenda, PO terms, change control clauses.
Step 6: Verify incoming product/service and validate outsourced processes
Match verification to tier and detectability:
- Incoming inspection/testing for purchased products.
- Service deliverable review for externally provided services (reports, calibration certificates, test results).
- Process validation/verification for outsourced processes where output can’t be fully verified later (for example, special processes). Document how you confirm the process can consistently meet requirements.
Output artifacts: inspection records, certificates, service acceptance sign-offs, process validation/verification records.
Step 7: Monitor performance and re-evaluate
Establish routine monitoring:
- supplier scorecards (quality, delivery, responsiveness),
- nonconformance trends and corrective actions,
- periodic business reviews for higher-tier providers,
- re-approval triggers (major change, repeated defects, long inactivity, ownership change).
Practical tip: Monitoring without defined action thresholds turns into reporting theater. Decide what happens when performance drops (containment, increased inspection, probation, disqualification).
Output artifacts: scorecards, review minutes, re-evaluation records, escalation actions.
Step 8: Control changes and exits
Changes that affect requirements (spec revision, process change, sub-tier outsourcing) must trigger review and approval. If a provider is exited, ensure:
- disposition of in-flight product,
- transfer of tooling/specs,
- record retention access,
- updated APL and purchasing blocks to prevent accidental re-use.
Output artifacts: change requests/approvals, exit checklist, blocked status in purchasing system.
Required evidence and artifacts to retain (audit-ready set)
Auditors expect objective evidence that control exists and operates:
- External Provider Register / Third-Party Register
- Approved Provider List and approval criteria
- Supplier evaluations, onboarding records, and re-evaluations
- Contracts/SOWs/POs with quality and change-control clauses
- Specifications, drawings, acceptance criteria, inspection instructions
- Incoming inspection and test records, certificates (for example, calibration/test reports)
- Performance monitoring outputs (scorecards, KPIs you chose) and management reviews with supplier actions
- Nonconformance records tied to third parties, corrective actions, and effectiveness checks
- Records showing controlled changes (revision history, communicated updates, acknowledgements)
Common exam/audit questions and hangups
- “Show me how you decide which suppliers are critical.” They want to see a method, not gut feel.
- “Where are the requirements communicated to the third party?” A contract, PO, or controlled spec package must exist.
- “How do you know the supplier keeps meeting requirements over time?” Monitoring, re-evaluation, and actions.
- “What happens when a supplier has a major nonconformance?” Evidence of containment, escalation, and preventive steps.
- “Do you control sub-tier outsourcing?” If your third party subcontracts, you still need visibility and requirements that protect conformity.
Frequent implementation mistakes (and how to avoid them)
- Mistake: treating purchasing as the only owner. Fix: define shared ownership across Quality, Procurement, and Operations with clear RACI for approval, monitoring, and corrective action.
- Mistake: one-size-fits-all supplier questionnaire. Fix: tier controls. High-impact providers need deeper evaluation and stronger ongoing oversight.
- Mistake: requirements scattered across emails and PDFs. Fix: controlled documents, revision control, and PO/SOW references to exact revision.
- Mistake: monitoring without decisions. Fix: set explicit triggers for increased inspection, probation, or disqualification.
- Mistake: “approved supplier” with no evidence of approval. Fix: require an approval record before first PO, and block purchasing for non-approved providers.
Enforcement context and risk implications
No public enforcement cases were provided in the available source catalog for this requirement. Operationally, the risk is still concrete: uncontrolled external provision increases defects, rework, delivery failures, and customer complaints. For regulated or safety-sensitive products, poor external control can also create downstream compliance exposure through traceability gaps and unapproved changes. [1]
Practical 30/60/90-day execution plan (operator-focused)
Days 1–30: Establish control points and stop the bleeding
- Build the external provision inventory from spend and operational inputs.
- Define risk tiers and assign an initial tier to each third party.
- Identify highest-impact third parties and confirm you have current specs, acceptance criteria, and contract language in place.
- Implement a basic “no PO without approval” gate for high-impact third parties (manual is fine at first).
Days 31–60: Standardize onboarding and verification
- Publish supplier evaluation and approval procedure aligned to tiering.
- Roll out standard quality clauses and a controlled SOW/PO template.
- Define incoming verification rules by tier and train receiving/quality staff.
- Stand up performance monitoring (scorecard format, review cadence, action thresholds).
Days 61–90: Make it durable and auditable
- Run re-evaluations for high-impact third parties using performance and defect data.
- Test a nonconformance escalation workflow end-to-end, from detection to corrective action and effectiveness check.
- Add change control triggers (spec changes, process changes, sub-tier changes) and a required review/approval record.
- Prepare an audit binder (or GRC workspace) that links each third party to approval, contract, verification, and monitoring evidence.
Where Daydream fits naturally: If your evidence is split across procurement tools, shared drives, and email threads, Daydream can act as the system of record for third-party due diligence and ongoing monitoring. The practical win is faster audits: one place to show tiering, approvals, documents, reviews, and corrective actions tied to each third party.
Frequently Asked Questions
Do cloud/SaaS providers fall under “externally provided services” for ISO 9001 Clause 8.4?
Yes, if the service affects your ability to meet requirements, such as hosting systems used for production release, records, or customer delivery. Treat it like any other third party: define requirements, approve based on capability and risk, and monitor performance. [1]
What is the minimum evidence an auditor expects for supplier control?
An auditor typically expects documented requirements, a defined approval method, proof the provider was approved, and proof you verify/monitor performance. If any one of those is missing, Clause 8.4 is hard to defend. [1]
Can incoming inspection alone satisfy the requirement?
Sometimes, for lower-risk items where you can fully verify conformity on receipt. For higher-impact items or outsourced processes where defects may not be detectable later, you need stronger provider controls beyond incoming checks. [1]
How do I handle a third party that subcontracts work to another provider?
Require transparency and control in your contract terms: notification of sub-tier outsourcing, your approval rights for critical sub-tier changes, and flow-down of key quality requirements. Then verify through reviews or audits appropriate to risk. [1]
What triggers a re-evaluation of an external provider?
Use triggers tied to risk and observed performance: repeated nonconformances, major delivery failures, significant process changes, or changes in ownership/capability. Document the trigger, the re-evaluation performed, and the decision taken. [1]
We have many one-time contractors. Do they need to be “approved”?
If their work can affect conformity, you still need a qualification step proportional to risk, even if lightweight (competence check, agreed deliverables, acceptance criteria). Keep a record that shows the decision and the basis. [1]
Footnotes
[1] ISO 9001:2015 Quality management systems — Requirements