ISO 9001 Outsourced Processes
What is the ISO 9001:2000 requirement for outsourced
This article provides guidance on the
intent of ISO 9001:2008 clause 4.1 on the control of outsourced processes. ISO 9001:2008 clause 4.1
Where an organization chooses to outsource any process that affects
product conformity to requirements, the organization shall ensure control over such processes. The type
and extent of control to be applied to these outsourced processes shall be defined within the quality
NOTE 2: An “outsourced process” is a process that the organization needs
for its quality management system and which the organization chooses to have performed by an external
NOTE 3: Ensuring control over outsourced processes does not absolve the
organization of the responsibility of conformity to all customer’, statutory and regulatory
requirements. The type and extent of control to be applied to the outsourced process can be influenced
by factors such as:
a) the potential impact of the outsourced process on the organization's
capability to provide product that conforms to requirements,
b) the degree to which the control for the process is shared,
c) the capability of achieving the necessary control through the
application of 7.4.
What is the definition of an
An “outsourced process” is a process that the organization has identified
as being needed for its operations and quality management system (QMS), but one which it has chosen to be
carried out by an external party outside the managerial control of your facility and may not be subject to the
same QMS as your organization.
An outsourced process may be performed by a supplier that is totally independent from
the organization, or which is owned by the same parent organization (e.g., a separate department or division not
subject to the same QMS). It may be provided on-site within the physical premises or work environment of the
organization or off-site at an independent site.
Examples of such processes include: - strategic planning done at
head office; purchasing or design done at head office or another location; heat treating; painting; welding,
calibration; testing; sort; human resources; information technology; etc., peformed by an outside
organization. A manufacturing company may outsource welding, heat treatment or painting of product. A
software company may outsource software development. A bank may outsource check clearing
How should outsourced processes be
The intent of Clause 4.1 is to emphasize that when an organization chooses to outsource
(permanently or temporarily) a process that affects product conformity with requirements, it cannot simply ignore
this process or exclude it from the QMS. The organization has to demonstrate it exercises sufficient control to
ensure the process is performed according to the relevant ISO 9001:2000 requirements, as well as, the requirements
of the organizations QMS.
The nature of control will depend on the importance of the outsourced process, the
risk involved, and the competence of the supplier. Also, the outsourced process will interact with other processes
(either carried out by the organization or outsourced). These interactions must be managed as required by ISO
9001:2000 clauses 4.1.a and 4.1.b.
The outsourcing of a needed process will normally be subject to the requirements of
both ISO 9001:2008 clause 7.4 (Purchasing) and clause 4.1 (General Requirements). In some situations, the
organization might not actually “purchase” the outsourced process. It might receive the service from head
office or from another division, without a monetary transaction taking place. Regardless of these
circumstances, ISO 9001:2008 Clauses 7.4 and 4.1 are still applicable.
An organization will typically face two situations that frequently must be considered
when deciding the appropriate level of control of an outsourced process:
1. Where an organization has the competence and ability to carry out a process, but
chooses to outsource that process (for commercial or other reasons), the process control criteria should already
have been defined and can be transposed into requirements for the supplier to comply with, if
necessary. Evidence of compliance to such defined requirements should be obtained
from the organization providing the outsourced activity.
2. Where the organization does not have the competence to carry out the process
itself, and chooses to outsource it, the organization has to ensure the controls proposed by the supplier of the
outsourced process are clearly defined and are adequate. In some cases, it may be necessary to involve external
specialists in making this evaluation. Evidence of compliance to such defined requirements should be obtained from
the organization providing the outsourced activity.
It may be
convenient, or even necessary, to define some or all of the methods to be used for control of the outsourced
processes in a contract between the organization and the supplier. Care should be taken, however, not to inhibit
the supplier from proposing innovations to the outsourced process.
In some situations, it might not be possible to verify the output from the outsourced
process by subsequent monitoring or measurement. In these cases, the organization needs to ensure that the control
over the outsourced process includes process validation in accordance with ISO 9001:2000 clause
1.Make sure you include all outsourced processes affecting
product quality, in the scope of your QMS. You must be able to identify, define and demonstrate evidence of
sufficient controls over outsourced processes to ensure that such processes are performed according to the relevant
requirements of ISO 9001:2008. The nature and scope of such control will depend on the nature of the outsourced or
subcontracted process and the risk involved.
2.Outsourced processesmay be controlled in any
number of ways, e.g., providing the outsourcer with product specifications; your supplier quality manual that they
must meet; asking for inspection and test results or certificates of compliance; validation of outsourced process;
conducting product and QMS audits of your outsourcer; providing drawings, checklists and forms, etc. The
expectation here is that you flow down to your
supplier, the relevant ISO 9001requirements that you would have to implement had the process been performed in your
own facility under your QMS control.