[This series of articles tries to emphasize the benefits of ISO 9001, and how to yield results from each major clause of the standard.]


Okay, okay, I know this clause is called “Control of Externally Provided Processes, Products and Services,” and not “Purchasing” but that simply wouldn’t fit in the article title. It’s about purchasing, trust me.

Let’s jump right in.

Clauses 8.4.1 & 8.4.2

The first two parts of Clause 8.4 each deal with coming up with levels of control over the selection and use of your suppliers, so it’s best to take them together. Now keep in mind, a “supplier” here can be a raw material supplier, an outsourced service provider, a contractor or anyone else you hire to provide a product or service for your company. You can draw limits around this (don’t worry about the bakery who sells you donuts for auditors, or the company that provides you toilet paper), but you get the idea.

Both 8.4.1 and 8.4.2 discuss applying “controls” to the suppliers and the overall process. It’ gets very murky understanding why 8.4.1’s language is different than that of 8.4.2, but the simple version is this: first, come up with a process to evaluate and select your critical suppliers. Then determine the controls you put over each of these suppliers, understanding that you can tweak these controls depending on the criticality of one supplier over another. Once the suppliers are chosen and used, you then have to come up with ways to monitor their performance over time.

The standard doesn’t require it, but you really, really need to write all this down in a procedure to ensure consistent implementation.

There’s also no requirement for an “approved supplier list” here, nor nothing whatsoever that even implies one. instead it requires records — in some form or another — for the “evaluation, selection, monitoring of performance” of suppliers. A typical ASL only shows the list of suppliers after they were selected, so don’t rely solely on it.

Bullet point (D) in 8.4.2 just says you must “determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.” This is essentially invoking some form of inspection or testing of incoming materials or services, although you’d be forgiven if you missed that. Most companies use their Receiving function for this, as incoming items are checked for conformity before released to production.

Clause 8.4.3

The last section then goes into how you communicate your requirements to the suppliers you selected. Most companies issue either a Purchase Order (PO) or a contract to the supplier, and that’s what this clause is asking for. You have to clearly communicate what you want from the supplier, otherwise if they screw it up, it’s on you.

The standard then provides a bulleted list of things you might want to put in the contract or PO, but all but one of them are optional. Only bullet point (A) — “the processes, products and services to be provided” — is mandatory. Obviously, any PO has to indicate what you are buying if you expect your supplier to provide it. The rest — (B) through (F) — are all to be invoked as needed.

This point is missed by a huge number of ISO 9001 auditors, so expect that you will probably have to explain this to them. The key is in the leading sentence before the bullets: “the organization shall communicate to external providers its requirements for….” The word “its” means that you are listing only the items from the bulleted list that apply to your company. You can’t argue out of bullet point (A), but you can argue the others. So don’t impose these on every PO to every supplier, only the ones where they matter.


When implemented properly, Clause 8.4 should result in the following tangible benefits for your company:

  1. You will have a set of trusted suppliers that you have vetted fully and can feel secure in knowing they will provide you high-quality products or services. This, then, will reduce nonconformities that your client will blame on you.
  2. You will have clearly defined requirements flowing down to your suppliers via the POs or contracts, and there will be little room for the supplier to be confused about what you want, and when  you want it. This not only helps reduce problems with the supplier’s fulfillment of your orders, but later provides some backup when things do go wrong; you just tell the supplier, “hey, we told you this on our PO.
  3. Allowing for different levels of control over different suppliers, based on their criticality, gives flexibility to the system. It means you don’t need to do on-site audits for some distributor you use once a year, but you might want to do them for a critical supplier of some outside process that you use weekly, and which is critical to the product’s quality. You get to decide that.
  4. Having good incoming inspections of received items means that nonconforming product won’t be discovered later, in production, when it might be too late to order replacement items. That risks you blowing your delivery dates, so you want to avoid that scenario as much as possible.
  5. Good supplier monitoring can (sometimes) flag declining quality before it becomes a serious problem, allowing you to work with the supplier to improve that quality ahead of time.

Click here for the full series of articles on The Benefits of ISO 9001:2015.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO 17000 Series Consulting