ISO 9001 Clause 8.4: Managing Outsourced Processes and Suppliers

Team @ Audit Workshop

Clause 8.4 of ISO 9001:2015 requires organisations to control processes that are outsourced to external providers. This is one of the most practically demanding clauses in the standard because it sits at the intersection of business risk management, contractual obligation, and quality system governance. Most organisations outsource something, whether that is manufacturing, logistics, software development, accounting, or IT support. The clause doesn't say you cannot outsource. It says that if you do, you remain responsible for ensuring those outsourced processes continue to meet your quality requirements and your customer expectations. This responsibility doesn't end with signing a contract. It requires systematic oversight, clear communication of requirements, and ongoing monitoring of performance.

Understanding the Scope of Clause 8.4

Clause 8.4 applies to any process that is outsourced to an external provider but remains part of your quality management system. This includes processes that deliver directly to customers and supporting processes that enable your organisation to function. A manufacturing business outsourcing component production, a service provider outsourcing call centre operations, or a software company outsourcing cloud infrastructure all fall within this clause. The standard is explicit: if the outsourced process affects your ability to consistently provide products and services that meet customer requirements, it is in scope.

The word "outsourced" in this context means more than simply buying a product or service from a supplier. It means transferring responsibility for executing a process that is part of your documented quality management system. If you buy raw materials or components as inputs to a process you control, that is supplier management under Clause 8.4. If you contract an external organisation to run a process you would normally run yourself, and that process directly affects your output quality, that is outsourcing under Clause 8.4.

The distinction matters because it determines what controls you must apply. A manufacturing business that outsources its heat treatment process needs much tighter controls than one that simply buys steel from an approved supplier. Similarly, a consulting firm outsourcing administrative support needs different controls than one buying office stationery.

What the Clause Actually Requires

Clause 8.4 contains four substantive requirements. First, you must determine the controls to be applied to outsourced processes before those processes begin operating. Second, you must communicate your requirements to the external provider, including requirements for quality management, competence, and the authority to access the provider's facilities and records. Third, you must define the processes and criteria for monitoring, measurement, and evaluation of outsourced processes. Fourth, you must retain responsibility for ensuring that outsourced processes consistently deliver what is required.

The clause is framed around control rather than trust. Even if you work with an external provider who holds relevant certifications or has an excellent track record, your organisation remains accountable for the quality of the output. This is not delegable. You can delegate the execution of a process. You cannot delegate your responsibility for its results.

The practical implication is that you need documented evidence of three things: what you told the provider they had to do, how you monitored whether they did it, and what you did when monitoring revealed problems. This creates an audit trail that auditors will examine carefully. When a certification auditor reviews your outsourcing arrangements, they will ask for contracts or service level agreements, monitoring records, evidence of audits or assessments of the provider, and records of corrective actions taken when performance slipped.

Determining and Communicating Requirements

The first practical step is to determine what controls you need. This starts with a clear definition of what the outsourced process must do and what the consequences are if it doesn't. If you outsource manufacturing to a contract manufacturer, your requirements will be detailed: specific tolerances, materials, testing protocols, delivery schedules, and quality acceptance criteria. If you outsource IT support, your requirements might cover response times, uptime guarantees, cybersecurity standards, and change management procedures.

These requirements must address not just the technical or functional aspects of the process but also quality management aspects. This includes requirements for documenting what they do, maintaining records, handling nonconforming work, managing change, and reporting on performance. If the outsourced process generates data that affects your quality decisions, you need requirements around data integrity and traceability.

Communication happens through multiple channels. The primary mechanism is typically a contract, service level agreement, or statement of work. This document must be clear enough that the external provider understands exactly what is expected and how performance will be measured. Vague contracts lead to ambiguous performance and disputes about whether the provider has met their obligations. Specific, measurable requirements create accountability.

Beyond the written agreement, communication should include initial meetings or calls where you walk the provider through your expectations, answer questions, and ensure mutual understanding. Many organisations include representatives from the provider in their quality planning for the outsourced process. This collaborative approach typically reduces misunderstandings and creates a sense of shared responsibility.

Your communication should also address your right to audit. ISO 9001 explicitly requires that you retain the authority to access the external provider's facilities and records. This must be stated in your contract or agreement. Some providers push back on audit rights, particularly those in other countries or those working with multiple customers. Negotiating this during contract development is far easier than trying to assert audit rights after a problem emerges.

Monitoring and Measuring Outsourced Processes

Once the outsourced process is operating, monitoring and measurement must be defined and implemented. This is where many organisations fall short. They establish good requirements and documentation upfront but then fail to monitor systematically, catching problems only when a customer complains or a certification audit questions what they have been doing.

Monitoring mechanisms depend on the nature of the process and the risk. Common approaches include regular review of performance data provided by the provider, analysis of product or service quality metrics, document reviews, and periodic audits or assessments. A software development company outsourcing code testing might monitor through weekly reports on test results and defect resolution rates. A logistics company outsourcing warehousing might monitor through monthly inventory accuracy reports and customer complaint analysis. A manufacturing company outsourcing component production might conduct quarterly audits of the supplier's facility plus ongoing monitoring of incoming inspection results.

Performance criteria must be defined so that you know what success looks like. If you outsource customer service and your requirement is simply "respond to customer inquiries," what does that mean? A response within one day? Within two hours? In the customer's language? With resolution on first contact? The clearer your criteria, the easier monitoring becomes and the less room there is for disagreement about whether the provider is performing.

Many organisations use supplier performance scorecards to consolidate monitoring data. These typically track metrics like on-time delivery, quality acceptance rate, responsiveness to issues, and compliance with any specific requirements unique to that supplier. Scorecards provide an objective basis for regular performance reviews and for identifying trends. A supplier whose performance is declining across multiple metrics is flagged for action before a crisis occurs.

Frequency of monitoring should reflect the risk. If the outsourced process is critical to your ability to deliver to customers and problems would have immediate consequences, you need more frequent monitoring. If the process is lower risk and problems would be caught in your own quality checks before reaching customers, less frequent monitoring might suffice. The standard requires you to define the frequency and criteria, not to monitor everything constantly.

Conducting Supplier Audits

Auditing external providers is a specific mechanism for evaluating their quality management systems and their compliance with your requirements. A supplier audit is different from a certification audit or internal audit. It is focused on whether a specific external provider is managing the outsourced process in a way that meets your requirements and maintains consistent quality.

There are different approaches to supplier audits. Some organisations conduct their own second-party audits using internal resources. Others use external consultants. Some organisations rely on third-party certification evidence. Most use a combination. An external provider who holds ISO 9001 certification provides assurance that they have an effective quality management system, but their certification scope might not cover the specific processes you have outsourced to them, or their system might not include all of your specific requirements.

Planning a supplier audit requires the same rigour as planning any audit. You need clear objectives focused on whether the provider is meeting your requirements and managing their quality system effectively. You need an audit plan that covers the key processes and controls relevant to your requirements. You need documented criteria against which you will evaluate what you find. For detailed guidance, understanding how to conduct a supplier audit step by step will help your team develop consistent, effective audit practices.

The frequency and depth of supplier audits should reflect the risk and criticality of the outsourced process. A critical supplier might warrant an initial audit before the relationship begins and then annual audits thereafter. A lower risk supplier might be audited every two years. Some organisations use a risk matrix that incorporates factors like the criticality of the process, the supplier's track record, the complexity of the requirements, and whether they hold relevant certifications.

During a supplier audit, you will typically examine their quality system documentation, observe their processes in action, review records of their monitoring and control activities, and discuss their performance with their management and operators. You are looking for evidence that they are doing what they said they would do, that their quality system supports consistent performance, and that any issues have been managed appropriately.

Managing Performance Issues and Nonconformity

When monitoring reveals that an external provider is not meeting your requirements, you need a defined process for addressing the issue. This process should include notification to the provider, investigation to understand the root cause, agreement on corrective action, and verification that the corrective action has been implemented and is effective.

Some organisations have different escalation procedures depending on the severity of the issue. A minor deviation from a delivery schedule might warrant a phone call and a discussion about how to prevent recurrence. A significant quality defect in product delivered to your customer might warrant a formal nonconformity notice and a required corrective action plan with timelines. Major or repeated issues might trigger a decision to audit the supplier or to begin sourcing alternatives.

Your contracts or agreements should define these processes upfront. External providers are generally more receptive to performance management systems they understand and have agreed to than to processes that feel arbitrary or punitive. Transparency about what happens when performance issues occur makes it easier to have those conversations when they need to happen.

Documentation is critical here. You need records of what issue you identified, when you identified it, how you notified the provider, what they proposed as corrective action, what verification you performed, and what the outcome was. This documentation serves multiple purposes. It provides evidence for your own auditors that you are exercising appropriate oversight. It protects you if there is a dispute with the provider about whether an issue was addressed. It creates a history that helps you see trends. It supports your decisions about continuing or discontinuing the relationship.

The Role of Contracts and Service Level Agreements

Your contract or service level agreement with an external provider is the foundation document for Clause 8.4 compliance. It should be clear enough that a third party reading it would understand what you have required the provider to do and how performance will be evaluated. Ambiguous language creates ambiguity in execution and disputes later.

Key elements that should be in place include a clear description of the process or deliverable, acceptance criteria or quality standards, delivery or completion timelines, requirements for documentation and record retention, requirements for communicating changes, requirements for reporting on performance or issues, your right to audit or assess the provider's operations, requirements for ensuring competence of provider staff, requirements for managing nonconforming work or services, and provisions for addressing performance issues or termination.

Some organisations create a master supplier quality agreement that outlines general expectations for all suppliers, then create specific purchase orders or service agreements for individual engagements. This layered approach works well because it reduces repetition and ensures consistency across all suppliers while allowing for engagement-specific details.

The agreement should also address what happens if the provider uses further subcontractors. Many external providers outsource part of what they do to other organisations. Your requirement to control outsourced processes extends to controlling whether and how the provider subcontracts. At minimum, you need visibility into who is doing the work and assurance that the provider is applying equivalent controls to their subcontractors.

Retaining Responsibility

One of the most important phrases in Clause 8.4 is that the organisation "remains responsible for ensuring the conformity of products and services provided." This is unambiguous. You cannot outsource your accountability. No matter how much you delegate to an external provider, if a customer receives a nonconforming product or service, it is still your problem to resolve.

This means you cannot simply accept the external provider's word that everything is fine. You need your own systems to verify that outsourced processes are delivering acceptable results. For a manufacturing company outsourcing components, this means receiving inspection and testing of incoming goods. For a service company outsourcing customer support, this means monitoring customer satisfaction and complaints. For any outsourced process, this means being alert to signals that something is wrong.

When something does go wrong with an outsourced process, your quality management system needs to respond as if the problem occurred internally. You investigate root cause, implement corrective action, and verify effectiveness. If the problem originated with the external provider, the corrective action might be directed at them. But you retain responsibility for ensuring it gets fixed and for verifying that the fix works.

This is particularly important when it comes to customer communication. If a customer identifies an issue with a product or service that resulted from an outsourced process, you communicate with the customer, manage their complaint, and resolve their concern. You then communicate with the external provider to ensure they understand what happened and why it happened. You cannot tell the customer "contact our supplier directly," even if technically the supplier created the problem.

Real World Examples of Clause 8.4 Application

Consider a medical device manufacturer that outsources the sterilisation of finished products to a specialist sterilisation service provider. Sterilisation is critical to the safety of the product and is directly regulated. Before outsourcing, the manufacturer must define precisely what sterilisation process is required, what validation data is needed, what records the sterilisation provider must maintain, and what testing or verification the manufacturer will conduct to confirm successful sterilisation. The contract will specify these requirements. The manufacturer will receive batch records and sterilisation validation data from the provider. The manufacturer might conduct periodic audits of the sterilisation provider to verify their equipment is properly maintained and their staff are properly trained. If a batch fails the manufacturer's final sterility test, the manufacturer investigates with the sterilisation provider to determine root cause and ensure corrective action. The manufacturer remains accountable to regulators for the safety of the product even though sterilisation was performed by an external provider.

Or consider a software company that outsources data centre operations to a cloud service provider. The company has outsourced a process that is critical to their ability to deliver software to customers. Before outsourcing, the company defines requirements for uptime, backup procedures, security controls, incident response, and regular reporting. The contract specifies service level agreements around availability and response times. The company monitors the provider's reported uptime metrics and conducts periodic security assessments. The company has contractual rights to audit the provider's data centre or hire auditors to do so on their behalf. If the provider experiences an outage that impacts the company's ability to serve customers, the company investigates with the provider to determine what happened and what will be done to prevent recurrence. The company remains responsible to its customers even though the data centre is operated by an external provider.

Or consider a logistics company that outsources warehousing to a contract logistics provider. The logistics company remains responsible for the accuracy, timeliness, and safety of inventory in the warehouse even though the warehouse is operated by the external provider. Before outsourcing, the logistics company defines requirements for inventory accuracy, product handling, order fulfillment speed, and safety standards. The contract specifies these requirements and defines how performance will be measured. The logistics company reviews monthly inventory accuracy reports and customer feedback about order fulfillment. The logistics company conducts audits of the warehouse to verify that procedures are being followed and staff are properly trained. If inventory accuracy drops or customer complaints about order errors increase, the logistics company works with the warehouse operator to identify and correct the root cause. The logistics company's customers hold them responsible for warehouse performance even though the warehouse is not operated by them directly.

Common Audit Findings Related to Clause 8.4

Certification auditors and internal auditors regularly find problems with Clause 8.4 compliance. These fall into several categories. First, some organisations do not have clearly documented outsourced processes. They know they work with external providers but have not formally identified which processes are outsourced as part of their quality management system. This creates a gap in control.

Second, some organisations have contracts with external providers but the contracts do not clearly specify quality requirements. The contracts focus on commercial terms like price and delivery timing but leave quality undefined. When auditors ask what quality standard the external provider must meet, the answer is vague.

Third, some organisations do not systematically monitor outsourced processes. They establish requirements and monitoring procedures upfront, but then monitoring slips as day-to-day business pressures mount. When auditors request evidence of monitoring records for the past year, only a few records are available. This suggests monitoring is not actually happening systematically.

Fourth, some organisations do not conduct audits or assessments of external providers. They rely on third-party certification or on informal conversations but have no documented audit or assessment activity. If a problem occurs, they have little insight into why.

Fifth, some organisations do not consistently address performance issues when external providers fail to meet requirements. They might identify a problem but then fail to follow up when the provider's promised corrective action is not completed on time. This suggests they have not retained responsibility for the outsourced process.

Sixth, some organisations do not properly document the link between quality issues that originated with an outsourced process and their investigation and corrective action. A customer complaint might have originated with an external provider, but the investigation and response are not clearly documented. This makes it hard to demonstrate that responsibility was retained for the quality of the output.

Building Your Clause 8.4 System

If your organisation has outsourced processes, you need a systematic approach to managing them. Start by identifying all outsourced processes. These are processes that are part of your documented quality management system but are performed by external providers. Document each one and describe what the process does and why it is important to product or service quality.

For each outsourced process, document the requirements you have established for the external provider. These requirements should cover what the process must accomplish, any quality standards or acceptance criteria, any documentation or record keeping requirements, and any specific requirements around competence, training, or certification of staff. Include requirements for your right to audit or assess the provider.

Document the monitoring activities you conduct for each outsourced process. Define what you measure, how often you measure it, what the acceptance criteria are, and what you do if monitoring shows a problem. Create a schedule or calendar that shows when monitoring will occur.

Document your auditing or assessment approach for each external provider. Define whether you will conduct periodic audits of the provider, whether you will rely on the provider's third-party certification, or what combination of approaches you will use. If you will conduct audits, plan the frequency based on risk and criticality.

Create a process for identifying and addressing performance issues with external providers. This should specify how problems get escalated, how root cause is investigated, how corrective action is defined and tracked, and how effectiveness is verified. Ensure this process is documented and that relevant staff understand it.

Create templates for key documents such as supplier quality agreements, service level agreements, audit reports for external providers, performance scorecards, and corrective action tracking. These templates should reflect your organisation's specific requirements and approach and should be used consistently across all external providers.

When training your internal audit team, ensure they understand how to audit outsourced processes. This is different from auditing internal processes because you are assessing how well a process is being managed by someone else and how well you are overseeing that external management. For more information on internal audit fundamentals, understanding how to plan an internal audit programme is an important starting point for building your audit capability.

Frequently Asked Questions

The distinction depends on what you are actually doing. If you buy finished components that you incorporate into your product, you are exercising supplier management and quality assurance over your inputs. This is still important and is addressed in other parts of ISO 9001 around control of externally provided inputs. However, if you purchase a raw material like steel or plastic and then perform manufacturing processes on it yourself, that is different from outsourcing a process. Clause 8.4 specifically applies when you contract an external organisation to perform a process that is part of your quality management system. If you outsource heat treatment of components or painting or assembly, that is Clause 8.4. If you buy heat treated components ready to assemble, that is supplier management. The key difference is whether you retain control of the process or whether the external organisation is executing the process on your behalf.