What Is Clause 8.5 and Why Does It Matter?
If you run a business that makes products or delivers services, Clause 8.5 of ISO 9001 is the clause that governs how you actually do the work. Not how you plan it, not how you measure it afterwards, but the actual execution of your core operations. It sits within Section 8 of the standard, which covers Operation, and it is arguably the most practically relevant section for day-to-day business activity.
ISO 9001 Clause 8.5 is titled Production and Service Provision and it breaks down into six sub-clauses, each addressing a specific aspect of how you control, manage, and deliver your outputs. Whether you are a manufacturer assembling components, a consulting firm delivering advisory services, or a construction company building infrastructure, this clause applies to you.
Many businesses treat Clause 8.5 as a documentation exercise. They write procedures, tick the boxes, and move on. That is a mistake. The requirements here are designed to prevent real problems: products shipped without proper identification, services delivered without agreed specifications, equipment used without verification, and work handed over without proper records. When these things go wrong, they generate customer complaints, rework costs, and in some industries, serious safety or legal consequences.
This guide walks through each sub-clause in plain language, with practical examples and advice on what auditors actually look for.
The Six Sub-Clauses of Clause 8.5 Explained
Clause 8.5.1: Control of Production and Service Provision
This is the foundation of the entire clause. It requires that your organisation carry out production and service delivery under controlled conditions. The standard lists several things that must be available or implemented as applicable to your context:
- Documented information that defines the characteristics of the products or services to be produced
- Documented information that defines the results to be achieved
- Monitoring and measuring resources at appropriate stages
- Use of suitable infrastructure and process environment
- Appointment of competent persons
- Validation and periodic revalidation of processes where the output cannot be verified by monitoring or measurement
- Implementation of actions to prevent human error
- Implementation of release, delivery, and post-delivery activities
The phrase “as applicable” appears throughout, which means you need to think critically about which of these elements apply to your specific operations. A software development firm may not need physical infrastructure controls, but it absolutely needs defined process outputs and competent personnel. A food manufacturer needs all of them.
In practical terms, this sub-clause is asking you to answer: do your people know what they are supposed to produce, how they are supposed to produce it, and with what equipment and skills? If the answer is yes, and you can demonstrate that through documented procedures, work instructions, and records, you are on solid ground.
A common gap I see during audits is that businesses have high-level procedures but no work-level instructions for critical tasks. A procedure might say “inspect product before dispatch” but there is no instruction telling the person doing the inspection what to actually check, what tolerances are acceptable, or what to do if something fails. That is a nonconformance waiting to happen.
Clause 8.5.2: Identification and Traceability
This sub-clause requires that your organisation identify outputs throughout production and service delivery. You also need to identify the status of outputs with respect to monitoring and measurement requirements. And where traceability is a requirement, you must control and retain documented information that enables traceability.
There are two distinct concepts here. Identification means being able to distinguish one product, batch, or service output from another. Traceability means being able to trace the history, application, or location of an output. Traceability is only mandatory where it is a specified requirement, either from the customer, a regulatory body, or your own quality system. Identification, however, is always required.
Think about a workshop that repairs industrial equipment. Each item coming in needs to be tagged so it does not get mixed up with other items. The repair record needs to identify what was done, by whom, and using what parts. If a failure occurs six months later, you need to be able to trace back to the specific job, the technician, and the components used. That is traceability in practice.
For service businesses, identification often comes in the form of job numbers, project codes, or client reference numbers that tie all work and records back to a specific engagement. The important thing is that the system is consistent and actually used, not just described in a procedure.
Clause 8.5.3: Property Belonging to Customers or External Providers
This sub-clause addresses how you handle property that belongs to someone else. It covers physical items, intellectual property, personal data, and any other asset that a customer or external provider has entrusted to you for use or incorporation into your product or service.
The requirements are straightforward. You must identify, verify, protect, and safeguard this property. If it is lost, damaged, or found to be unsuitable, you must report this to the owner and retain documented information about what happened.
Examples of customer property include raw materials supplied by the customer for you to process, tooling or equipment loaned to you for a project, design files or specifications provided for a manufacturing job, and personal data submitted as part of a service engagement. For a law firm, client documents are customer property. For a contract manufacturer, customer-supplied components are customer property.
The gap I most often see here is that businesses have no formal process for receiving, logging, and checking customer-supplied items. A pallet of materials arrives, gets put on a shelf, and nobody has recorded its condition at the time of receipt. When something goes wrong later, there is no evidence of what state it was in when it arrived. That creates disputes and erodes trust.
Clause 8.5.4: Preservation
Clause 8.5.4 requires that your organisation preserve outputs during production and service delivery to ensure conformity to requirements. Preservation includes identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.
This sub-clause is often overlooked by service businesses who assume it only applies to physical products. But preservation applies to any output. A digital deliverable needs to be protected from corruption or unauthorised modification. A report needs to be stored securely and transmitted in a format that preserves its integrity. A sample needs to be kept in conditions that prevent degradation before it reaches the laboratory.
For manufacturers, preservation failures are often obvious: products stored in incorrect conditions, packaging that allows moisture ingress, or handling practices that cause damage before dispatch. For service businesses, the risks are less visible but equally real: files stored without version control, deliverables emailed without encryption, or work-in-progress accessible to unauthorised staff.
Your preservation controls need to be proportionate to the risk. A business shipping precision instruments has very different preservation requirements to a business delivering consulting reports. The standard does not prescribe what you must do, only that you must identify and address the relevant preservation risks for your specific outputs.
Clause 8.5.5: Post-Delivery Activities
This sub-clause requires that your organisation meet requirements for post-delivery activities associated with your products and services. The extent of post-delivery activities required is determined by considering statutory and regulatory requirements, potential unwanted consequences, the nature, use, and intended lifetime of the product or service, and customer requirements and feedback.
Post-delivery activities can include warranty obligations, maintenance services, recycling or disposal requirements, and any contractual obligations that extend beyond the point of delivery. For a software company, this might mean ongoing support and bug fixing. For an equipment supplier, it might mean installation, commissioning, and scheduled servicing. For a construction company, it might mean defect liability periods and rectification work.
The key point is that your quality management system needs to extend to these activities. You cannot simply deliver a product or service and consider your obligations under the QMS to be finished. If something goes wrong post-delivery and you have no documented process for handling it, that is a gap in your system.
One area where businesses often fall short is in capturing and using post-delivery feedback. Customer complaints and warranty claims are a rich source of quality improvement data. If your system treats them purely as customer service issues rather than quality data, you are missing an opportunity and potentially missing a requirement under Clause 9.1.2 on customer satisfaction monitoring.
Clause 8.5.6: Control of Changes
The final sub-clause requires that your organisation review and control changes for production or service provision to ensure continuing conformity with requirements. You must retain documented information describing the results of the review of changes, the persons authorising the change, and any necessary actions arising from the review.
Changes happen constantly in real businesses. A supplier changes a component. A customer requests a modification mid-project. A new piece of equipment replaces an old one. A process step is modified to improve efficiency. Each of these changes has the potential to affect product or service conformity, and Clause 8.5.6 requires that you manage them in a controlled way.
This does not mean you need a bureaucratic change management system that slows everything down. It means you need a defined process for evaluating proposed changes, getting appropriate sign-off, communicating changes to affected parties, and recording what was changed, why, and by whom. The level of formality should be proportionate to the risk associated with the change.
A common audit finding in this area is that businesses make process changes informally and then update their documentation later, sometimes much later, or not at all. The result is that the documented procedure no longer reflects what actually happens. That is a nonconformance under both Clause 8.5.6 and the documented information requirements of Clause 7.5.
How Clause 8.5 Connects to Other Parts of the Standard
Clause 8.5 does not operate in isolation. It connects directly to several other clauses, and understanding those connections helps you build a more coherent system rather than treating each clause as a separate box to tick.
The requirements in Clause 8.5.1 for competent persons link back to Clause 7.2 on competence. The monitoring and measuring resources referenced in Clause 8.5.1 connect to Clause 7.1.5 on monitoring and measuring resources. The control of changes in Clause 8.5.6 connects to the broader planning and risk management requirements in Clause 6.
If you are working through the standard clause by clause, our beginner's guide to ISO 9001:2015 provides a solid overview of how the standard is structured and how the sections fit together. And if you want to understand how the operational clauses feed into performance monitoring, our guide to Clause 9 Performance Evaluation is a useful companion to this article.
The connection between Clause 8.5 and your customer requirements is also critical. The requirements you are controlling production and service provision against need to come from somewhere, and that somewhere is primarily Clause 8.2, which covers customer communication and the determination of requirements related to products and services. If you have not clearly captured what the customer actually needs, your Clause 8.5 controls are built on a shaky foundation.
What Auditors Actually Look For in Clause 8.5
Having conducted ISO 9001 audits across a wide range of industries, I can tell you that the most common issues under Clause 8.5 are not complex. They tend to be straightforward gaps between what the documented system says and what actually happens on the floor or in the office.
Common Nonconformances Under Clause 8.5
- Work instructions missing or not followed: Procedures exist at a high level but there are no task-level instructions for critical activities. Or instructions exist but staff are not following them and there is no evidence of monitoring.
- No identification on products or batches: Products moving through production with no labelling or tagging, making it impossible to determine their status or history.
- Customer property not logged: Materials or equipment supplied by customers received without any incoming inspection record or condition report.
- Changes made without formal review: Process or product changes implemented without documented review, approval, or communication to affected parties.
- Post-delivery activities not defined: No documented process for handling warranty claims, defect rectification, or customer-reported issues after delivery.
- Preservation controls not considered for service outputs: Service businesses that have not thought about how their deliverables are protected, stored, or transmitted.
Auditors will typically walk through your production or service delivery process from start to finish, asking to see evidence at each stage. They will look at actual records, not just procedures. They will talk to the people doing the work to see if they understand what they are supposed to do and why. If there is a gap between the procedure and the practice, it will usually surface during this kind of process walkthrough.
Practical Steps to Implement Clause 8.5 Effectively
If you are implementing ISO 9001 for the first time, or reviewing your existing system against Clause 8.5, here is a practical approach that works in real businesses.
Map Your Core Processes First
Before you write a single procedure, map out what actually happens in your business from the point of receiving an order or engagement to the point of final delivery and beyond. Include every significant step, the inputs and outputs at each step, the people involved, the equipment used, and the records generated. This process map becomes the backbone of your Clause 8.5 implementation.
Identify the Critical Control Points
Not every step in your process carries the same level of risk. Identify the steps where a failure would have a significant impact on product or service conformity, customer satisfaction, or regulatory compliance. These are the points where you need robust controls, clear instructions, and reliable records. Focus your effort here rather than trying to document everything at the same level of detail.
Build Your Documented Information Proportionately
ISO 9001 does not require you to have a procedure for everything. It requires you to have documented information to the extent necessary to support the operation of your processes and to have confidence that your processes are being carried out as planned. For low-risk, simple tasks performed by experienced staff, a brief checklist may be sufficient. For complex, high-risk processes or tasks performed by less experienced staff, more detailed work instructions are appropriate.
Understanding what constitutes good documented information is a topic worth exploring in depth. Our article on controlled documents and how to implement them covers this in practical detail.
Train Your People and Verify Understanding
Documented procedures only add value if the people doing the work understand and follow them. Train your staff on the relevant procedures and work instructions, and verify their understanding. Keep records of training. Periodically check that work is being carried out in accordance with the documented process. If you find deviations, treat them as improvement opportunities rather than disciplinary issues, and update your system accordingly.
Review Your Change Control Process
Establish a simple, practical process for managing changes to production or service delivery. It does not need to be complicated. A change request form, a brief review and sign-off step, and a record of the outcome is often sufficient for smaller businesses. The important thing is that changes do not happen informally and that your documented system stays current.
Clause 8.5 in the Context of the Upcoming ISO 9001:2026 Revision
It is worth noting that ISO 9001 is currently under revision. The ISO 9001:2026 update is expected to introduce changes that affect how operational clauses like 8.5 are interpreted and applied, particularly around topics like digital processes, climate change considerations, and knowledge management. While the core requirements of Clause 8.5 are unlikely to change dramatically, businesses should be aware that the context in which those requirements are applied may broaden.
The ISO 9001:2015 standard published by ISO.org remains the current reference document, and all current certification audits are conducted against this version. Any transition requirements will be communicated once the revised standard is formally published.
Getting Help With Your ISO 9001 Implementation
Clause 8.5 covers a lot of ground, and getting it right requires a genuine understanding of your own operations as well as the standard's requirements. Many businesses find it helpful to work with an experienced ISO consultant, particularly for the initial implementation or when preparing for a certification audit.
If you are looking for qualified ISO 9001 consultants or accredited certification bodies, CertBetter makes the process straightforward. Submit one form and receive up to three competing quotes from vetted providers, at no cost to your business. The platform was built specifically to connect businesses with trustworthy, experienced ISO professionals, so you can make an informed decision without spending weeks on research.




