top of page

Clause 8 Operation

8.4.2 Type and extent of control

Clause Criteria

The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.
The organization shall:
a) ensure that externally provided processes remain within the control of its quality management system;
b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;
c) take into consideration:
1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
2) the effectiveness of the controls applied by the external provider; d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.


The primary objective of the criteria of this clause is to ensure that the organization has determined the necessary controls required to manage its supply chain effectively.

Typically, verifications upon delivery of products and services are adequate to meet the initial requirements of most organizations at that point.
Note that validations and testing of externally provided inputs into operations should be documented appropriately to support conformance to this Standard.
The extent of control exerted over external providers should be proportionate to the nature of the relationships with those interested parties.
Supply chain security is important to all organizations to main continuity of operations, integrity of information security provisions, etc.
Enable ISO customers who are familiar with the Interested Parties Register will have a good understanding of how to determine the issues relevant to external providers which need to be kept under formal review.

Chief Explainer:

Phil Byrne

bottom of page