Externally provided processes, products & services — general
Plain-language summary
Everything you buy that ends up in or affects your product must conform — so evaluate, select, monitor and re-evaluate providers against defined criteria, and keep the records.
What the clause is really asking
Applies when supplier product is incorporated into yours, delivered direct to your customer, or a process is outsourced. Determine controls, set criteria for evaluation/selection/performance monitoring/re-evaluation, retain records of all of it and of resulting actions.
What auditors look for
Auditors ask for the approved supplier list and the criteria behind it, then sample: how did this supplier get approved? Latest performance review? What happened to the chronic underperformer? Outsourced processes get the same questions.
Typical evidence
Supplier evaluation criteria and records; approved supplier list; performance monitoring data; re-evaluation/exit records.
How to comply — recommendations
Risk-grade your suppliers (product impact x performance) and scale effort accordingly — heavy controls on the critical few, light touch on commodity. Review the list at management review.
Common nonconformities
Buying from unapproved suppliers; evaluations done once at onboarding then never again; poor performers tolerated without development or consequence.
Related clauses
IATF 16949: extended by 8.4.1.1-8.4.1.3; ISO 14001 8.1 outsourcing
Qlause provides interpretive guidance only and is not a substitute for the standard. Refer to your licensed copy of ISO 9001 / IATF 16949 for the authoritative text.