Understanding Section 8.4

By Jared Clark | September 1, 2025

Control of externally provided processes, products, and services

This is an educational article on Section 8.4 of ISO 9001, entitled “Control of externally provided processes, products, and services”.

The purpose of this article is to give you an understanding of what Section 8.4 requires.

This article is directed towards:

  • Those responsible for compliance to section 8.4.
  • Those responsible for controlling external providers.
  • Others interested in understanding the requirements of section 8.4.

Section 8.4 is entitled “Control of externally provided processes, products, and services”.

This section requires you to ensure conformance of externally provided processes, products, and services with your requirements. Externally provided processes, products, and services must remain within the control of your quality management system.

Who is an external provider?

  • Any external party providing products, services, materials, or processes that contribute to your provision of products and services.
  • E.g. suppliers, contractors, producers, distributors, retailers, vendors, consultants, and so forth.

Control is required where:

  • External products and services are being incorporated into your own products and services (e.g. parts and materials)
  • External products and services are provided directly to the customer on your behalf (e.g. dropshipping)
  • A process, or part of a process, is provided by an external provider (e.g. subcontracting)

You are required to determine and apply criteria:

  • For the evaluation of external providers (i.e. what you need to know about them to assess their abilities)
  • For the selection of external providers (i.e. how you will choose between them based on your performance priorities and values)
  • For the monitoring of performance of external providers (i.e. how you will measure their performance against expectations)
  • For the re-evaluation of external providers (i.e. did they perform as you expected and what to do about it)

You are required to keep records of these control activities and any resulting actions.

Section 8.4.2 is entitled “Type and Extent of Control”.

In determining the type and extent of control of external providers, you are required to consider:

  • Their potential impact on your ability to consistently deliver conforming products and services, and
  • The effectiveness of the controls already applied by the external provider.

Consider what controls you will apply against the external provider and what controls you will apply on the external provider’s output, such as verification, for example.

Section 8.4.3 is entitled “Information for external providers”, and it requires you to communicate to external providers the following:

  • The processes, products and services to be provided
  • The requirements for the approval of said processes, products and services
  • Any competence requirement
  • Communication and interaction requirements
  • How the external providers’ performance will be monitored and controlled, and
  • Any verification or validation activities are to be performed at the external providers’ premises

For more information on how to implement this section, watch our implementation videos for section 8.4, and review our template library for examples.

Posted in Understanding ISO 9001 and tagged , ,