External Demands

Explaining ISO 9001:2015’s requirements for external providers

by Govind Ramu

It’s difficult for organizations to ignore issues that stem from their external providers. A provider could experience challenges such as:

  • Being on the verge of bankruptcy.
  • Needing to stop production of products or services your organization requires, such as an end-of-life-cycle situation.
  • Facing ongoing litigation or product recalls.

If you don’t consider these external issues in your organization’s strategic plans, you are ignoring risks to its business, quality management system (QMS) and customers’ satisfaction.

Many people have asked, "Who exactly are external providers?" ISO 9000:2015 provides examples such as external suppliers, contractors, producers, distributors, retailers or vendors of products or services. An outsourced organization is an external organization that performs part of an organization’s function or process.

Subclause 8.4 of ISO 9001:2015[1] discusses the control of externally provided processes, products and services. But interactions with external providers also are mentioned and implied in other areas of the standard.

Subclause 4.1, "Understanding the organization and its context," states, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system."

This subclause indicates an issue also can be positive. A key external provider could be consolidating, expanding its capacities or exploring new regions for its operations. This may be a positive external issue because it might help your organization’s growth and customer satisfaction.

If you’re relying on external providers for long-term technology roadmaps and revenue, you must monitor and review information about the issues you face. This is a requirement of subclause 4.1.

External providers are some of the interested parties mentioned in subclause 4.2: "The organization shall monitor and review information about these interested parties and their relevant requirements."

Some might ask, "What are the requirements for an external provider?" They could include things such as fair and transparent bidding processes and payment terms, the provider’s quality of products and services, or its life-cycle management.

Subclause 5.2.2.C requires that you make your quality policy "available to relevant interested parties." To make the policy available, most organizations have supplier agreements that encompass what they expect in the way of quality from their external providers. An organization’s quality policy could be in this documentation and also on its webpage. These are just two of the ways to address this requirement.

The requirement’s intent is to ensure an external provider understands the quality direction and intention of your organization, so if you include descriptions such as "world-class quality" or "operational excellence" in your policy, external providers should naturally understand the emphasis on quality, reliability and on-time delivery expectations in the agreement.

External provider requirements

Subclause 8.4.1 of ISO 9001:2015 says: "The organization shall ensure that externally provided processes, products and services conform to requirements." This means organizations must have comprehensive planning practices in place when they make purchasing decisions, understand the nature of the commodities they purchase or processes that are outsourced, and understand the risks and opportunities of using any external providers.

A provider’s risks and opportunities may vary depending on how its products or services are received. These could include:

  • Products and services built into an organization’s offerings, such as parts from a bill of materials for product assemblies, consulting services or third-party warehousing.
  • Products and services offered directly to a customer on behalf of the organization, such as on-site product installation, or operations or maintenance services.
  • Processes offered to the customer, such as one for collecting defective material for warranty replacements—a process of maintenance service.

Determine and apply criteria

Your list of criteria for evaluating and selecting external providers should include factors such as quality, on-time delivery, cost or the provider’s environmental sustainability focus. It is important to consider a life-cycle cost of using a provider, not just the initially incurred cost.

Consider risks and opportunities for sourcing your products and services, and ask yourself questions such as, "Which external providers require these types of controls?" "Is the risk of doing nothing acceptable?" and "Are there opportunities available in a long-term relationship, such as a roadmap to better technology or the potential for collaborative innovation?"

Assessment and selection

A cross-functional team can conduct an on-site evaluation of an external provider. It will assess the provider’s ability to meet current and future needs.

Agility must be part of your future-needs evaluation. Most external providers have good scalability, but their quality of products and services can suffer immensely.

Evaluations should result in a selection or qualification status of approved, conditionally approved or not approved. The evaluation team may need to perform additional due diligence, such as a production part approval process as required by customers or due to the criticality of a commodity.

Monitoring of performance

Earlier evaluation and selection of your providers should reveal whether they have the capabilities and processes to deliver what your organization wants. Monitoring a provider’s performance ties this evaluation to actual results. Processes without results are useless, and results without processes are unsustainable.[2]

Periodically reviewing a provider’s performance ensures consistent performance and improvement. This shouldn’t be a mere desk review. You must engage a provider during the review and provide actionable feedback for improvements. Periodic assessments of risks and opportunities also are required to ensure they are addressed and that new emerging ones are captured and added to monitoring activities. These full-scale reviews also ensure risks are reduced, improvements are effective, and that there is no degradation to products and services from changes made from within a provider’s organization.


A number of things can change on the provider’s end. There could be a change in management, priorities, and even a change to a product or process that wasn’t communicated earlier. Depending on the performance metrics, a provider’s business maturity, and the criticality of a product or service, an organization can choose the scale of its re-evaluations and whether it needs a full or partial review focused on specific areas.

In subclause 8.4.2.D, ISO 9001:2015 requires your organization to "determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements." To do this, you could conduct periodic on-site audits; implement incoming quality controls; perform ongoing reliability testing; use a disciplined process for change approvals; and ensure there is effective, ongoing communication.

Property control

Subclause 8.5.3 extended the control of property beyond an organization’s customers and now also includes external providers.

This control can go both ways—an external provider’s control on your organization’s property and your controls on the external provider’s property. It is possible an organization could consign an external provider:

  • Raw material.
  • Shipping of proprietary tools.
  • Software that’s used for its organization’s products and services.

External provider property can be tangible—such as equipment, materials, tools, fixtures or drawings—or intangible—such as providing intellectual property information. You must define accountability and responsibility as it was agreed to in the contract, and exercise care with property belonging to external providers.

You also should define responsibilities for identifying, verifying, protecting and safeguarding external providers’ property that’s being used or incorporated into your products or services. This also includes responsibilities for periodic maintenance. Ensure you have a process for reporting any property that’s lost, damaged or otherwise found to be unsuitable for use.

External providers also are discussed in subclauses 9.1.3, "Analysis and evaluation," and 9.3, "Management review."[3] In subclause 9.1.3, your organization is required to analyze and evaluate appropriate data and information that come from your monitoring and measurement activities for a provider’s performance. Subclause 9.3.2.C.7 explains that a management review considers the performance of external providers as an input, which could include the status of risks and opportunities based on any monitoring and measurement information.[4]

In today’s global economy, obtaining products, services and processes from external providers is a critical aspect of ensuring your organization is competitive and economically sustainable. This is why understanding the requirements, the risks and opportunities, and the control of externally provided processes, products and services is vital to QMSs.


  1. International Organization for Standardization (ISO), ISO 9001:2015—Quality management systems—Requirements.
  2. Govind Ramu, "Expert Answers: Keeping Score," Quality Progress, December 2012, pp. 8-9.
  3. ISO, ISO 9001:2015—Quality management systems—Requirements, Subclause 9.3—Management review.
  4. ISO, ISO 9001:2015—Quality management systems—Requirements, Subclause 9.3.2.C.7—Management review inputs.


  • International Organization for Standardization, ISO 9000:2015—Quality management systems—Requirements.
  • Ramu, Govind, "In the Know," Quality Progress, August 2008, pp. 36-43.

Govind Ramu is senior director, global quality management systems, at SunPower Corp. in San Jose, CA. He has a mechanical engineering degree from Bangalore University, India. He is the chair for the U.S. Technical Advisory Group (TAG) to ISO Technical Committee (ISO/TC) 176, subcommittee 1, on ISO 9000:2015 standards. Ramu is an ASQ fellow and holds six ASQ certifications: manager of quality/organizational excellence, engineer, Six Sigma Black Belt, auditor, software quality engineer and reliability engineer. He is a regular author for QP’s Expert Answers department, co-author of The Certified Six Sigma Green Belt Handbook, second edition (ASQ Quality Press, 2015) and a contributing author to The Lean Handbook (ASQ Quality Press, 2012).
