How to Control Outsourced Processes Without Micromanaging Your Suppliers

CertBetter

Team CertBetter

Why Outsourced Process Control Is One of the Trickiest Parts of ISO 9001

If you run a business that relies on external suppliers to deliver any part of your product or service, you already know the tension. You need to maintain control over those processes to satisfy your ISO 9001 requirements, but you also cannot afford to alienate the suppliers you depend on by treating them like employees who need constant supervision.

This is one of the most common challenges I see businesses struggle with after certification. They either go too far in one direction, creating mountains of paperwork and supplier questionnaires that nobody reads, or they go too far in the other direction and essentially trust suppliers blindly until something goes wrong and an auditor raises a nonconformity.

The good news is that there is a sensible middle ground. Controlling outsourced processes effectively is about designing smart oversight mechanisms, not about hovering over every step. This article walks you through exactly how to do that in a way that satisfies your ISO 9001 quality management system requirements and keeps your supplier relationships intact.

What ISO 9001 Actually Requires for Outsourced Processes

Before we get into the practical side, it is worth being clear about what the standard actually demands. Clause 8.4 of ISO 9001:2015 covers the control of externally provided processes, products and services. The core requirement is straightforward: you cannot outsource a process and then wash your hands of it. If that process affects your product or service quality, you remain responsible for it.

The standard does not tell you exactly how to control outsourced processes. That is intentional. It gives you flexibility to apply controls that are proportionate to the risk involved. A low-risk supplier providing office stationery needs very different oversight compared to a subcontractor delivering a critical manufacturing step on your behalf.

What auditors are looking for is evidence that you have thought about the risk, defined what good performance looks like, and put something in place to verify that performance. The form that takes is largely up to you.

The Three Types of External Provision

ISO 9001 distinguishes between three scenarios, and understanding which one applies to your situation shapes how you approach control.

  • Products and services incorporated into your output: For example, a component you buy and assemble into your finished product, or a subcontracted service that forms part of what you deliver to your customer.
  • Products and services provided directly to your customer on your behalf: For example, a logistics partner who delivers to your customers under your brand, or an IT subcontractor who installs your software at a client site.
  • Processes outsourced as a result of a decision by your organisation: For example, your accounts payable function, your calibration services, or your cleaning and facilities management.

The closer the outsourced process sits to your customer and your core output, the more scrutiny it typically warrants. This risk-based thinking is the foundation of everything that follows.

Step One: Categorise Your Suppliers by Risk

The single most effective thing you can do to avoid both under-control and over-control is to segment your supplier base. Not every supplier deserves the same level of attention, and pretending otherwise wastes everyone's time.

A simple three-tier approach works well for most businesses.

Tier One: Critical Suppliers

These are suppliers whose failure would directly affect your product quality, customer satisfaction, or regulatory compliance. Examples include a raw material supplier for a food manufacturer, a subcontractor performing a certified process like welding or non-destructive testing, or a cloud platform provider for a software business. These suppliers get the most rigorous oversight.

Tier Two: Important Suppliers

These suppliers have a meaningful impact on your operations but a degree of substitutability. If they underperform, you can manage the situation without a crisis. Examples include a packaging supplier, a specialist freight company, or a training provider. These suppliers get moderate oversight, typically focused on periodic performance reviews.

Tier Three: Routine Suppliers

These are commodity or low-impact suppliers where the risk of quality failure is minimal or easily detected before it affects your customer. Office supplies, general consumables, and non-specialised services typically fall here. Basic purchasing controls are sufficient.

Document this categorisation in your supplier register. It does not need to be complex. A simple spreadsheet with supplier name, category, and the rationale for the category is sufficient for most auditors. This segmentation then drives every other decision you make about oversight intensity.

Step Two: Define What Good Looks Like Before You Engage

One of the most common reasons supplier relationships go wrong is that expectations were never clearly defined upfront. A supplier cannot consistently meet a standard they were never told about.

Before engaging a new supplier, particularly a Tier One or Tier Two supplier, define your requirements in writing. This does not need to be a fifty-page contract. It needs to cover the following.

  • Quality specifications: What does the product or service need to conform to? Tolerances, grades, certifications, test results, whatever is relevant to your context.
  • Delivery and timing requirements: When do you need it, and what happens if there are delays?
  • Communication expectations: Who is the contact, how quickly should they respond, and what events require immediate notification?
  • Nonconformity handling: What happens when something does not meet specification? Who is responsible for rework, replacement, or cost recovery?
  • Change notification: The supplier must tell you before they change materials, processes, subcontractors, or locations that affect your requirements.

That last point about change notification is critical and often overlooked. Many quality failures trace back to a supplier quietly changing something without telling their customer. Make it a contractual or documented requirement that they notify you before making changes that could affect what you receive.

Step Three: Build a Supplier Evaluation Process That Is Actually Useful

Most ISO systems include some form of supplier evaluation, but many of them are performative rather than functional. Sending a questionnaire once and filing the response does not constitute meaningful control.

A useful supplier evaluation process has two components: initial evaluation before you engage, and ongoing performance monitoring once the relationship is active.

Initial Evaluation

For Tier One suppliers, initial evaluation might include a site visit, a review of their own quality certifications, reference checks with other customers, or a sample approval process. For Tier Two suppliers, reviewing their certifications and conducting a structured questionnaire is usually sufficient. For Tier Three suppliers, confirming they can meet your basic requirements and checking their trading history is typically enough.

If a supplier holds current ISO 9001 certification from an accredited certification body, that is a meaningful indicator of baseline quality management capability. It does not eliminate the need for your own oversight, but it does reduce the amount of initial scrutiny required. You can verify a company's ISO 9001 certification through the certification body's public register before you rely on it.

Ongoing Performance Monitoring

This is where most businesses either over-engineer or under-deliver. The goal is to collect meaningful data about supplier performance without creating a bureaucratic burden for either party.

Pick two to four metrics that actually tell you something useful. Delivery on-time rate, defect or rejection rate, responsiveness to issues, and cost stability are common choices. Review these on a regular schedule, quarterly for Tier One suppliers and annually for Tier Two, and document the outcome. If performance is consistently strong, you have evidence of effective control. If it is deteriorating, you have an early warning signal before it becomes a customer complaint.

Step Four: Use Incoming Inspection Intelligently

Incoming inspection is one of the most direct controls you have over externally provided products, but it needs to be calibrated to be useful rather than just time-consuming.

For a new supplier or one with a recent quality issue, 100 percent inspection of incoming goods makes sense until confidence is established. For a long-standing supplier with a strong track record, reduced inspection or statistical sampling is appropriate. For a supplier with current third-party certification and consistent performance data, you might rely primarily on their own test certificates with only occasional verification checks.

The key is that your inspection approach is documented and justified. An auditor does not expect you to inspect everything exhaustively. They do expect you to have a rational basis for the level of inspection you apply. Document your inspection criteria in a procedure or work instruction, and keep records of what was checked and what the outcome was.

When you find a nonconformity in incoming goods, handle it formally. Quarantine the affected material, notify the supplier, and record the event. These records are valuable both for your own quality improvement and as evidence during your ISO surveillance audits. Understanding how to run internal audits that actually find problems can help you identify where your incoming inspection process might have gaps before an external auditor does.

Step Five: Conduct Supplier Audits Without Being Heavy-Handed

For your most critical suppliers, periodic audits of their operations are a legitimate and effective control. The word audit often makes suppliers nervous, but framed correctly, a supplier audit is a collaborative exercise that benefits both parties.

You do not need to audit every supplier every year. A risk-based schedule is appropriate. A Tier One supplier with a history of issues might warrant an annual on-site audit. A Tier One supplier with consistently strong performance might only need an audit every two to three years. Tier Two suppliers rarely need formal audits unless a specific concern arises.

When you conduct a supplier audit, be clear about its purpose. You are verifying that the processes producing your inputs are capable and controlled, not looking for reasons to terminate the relationship. Share your findings constructively. If you identify a weakness, work with the supplier on a corrective action plan rather than simply issuing a formal nonconformity and walking away. Suppliers who feel supported by their customers tend to perform better than those who feel policed.

ISO 19011 provides useful guidance on auditing management systems and can inform how you structure your supplier audit approach, even if you are not formally applying the standard.

Step Six: Manage Supplier Performance Through Dialogue, Not Just Data

Data tells you what happened. Conversations tell you why, and more importantly, what is about to happen. The businesses that manage outsourced processes most effectively are those that treat their key suppliers as partners in quality rather than vendors to be monitored.

This means regular communication beyond the transactional. A quarterly call with your Tier One suppliers to review performance, discuss upcoming changes, and share any quality concerns from your end costs very little time and prevents a significant number of problems. It also means your suppliers are more likely to tell you proactively when something on their end is changing or under pressure, giving you time to respond rather than react.

When performance issues do arise, address them promptly and specifically. Vague feedback like “quality has been poor lately” is not actionable. Specific feedback like “three of the last five deliveries contained components outside the dimensional tolerance specified in your purchase order” gives the supplier something concrete to investigate and fix.

Documenting Your Outsourced Process Controls for ISO Compliance

Your ISO 9001 system needs to demonstrate that you have determined the controls to apply to your externally provided processes, products and services. This does not require a separate procedure for every supplier, but it does require some documented evidence of your approach.

At a minimum, your quality management system should contain the following.

  • A supplier register that lists your approved suppliers, their category or risk tier, and the basis for their approval.
  • Documented purchasing or procurement requirements that specify how you communicate quality requirements to suppliers.
  • Records of supplier evaluations, both initial and ongoing performance reviews.
  • Incoming inspection records or a documented approach to how inspection decisions are made.
  • Records of any supplier nonconformities and how they were resolved.

If you are unsure how to structure this documentation within your quality management system, the guidance in Clause 4.4 of ISO 9001 on defining your processes and their controls is a useful starting point. Your outsourced processes are an extension of your process map, and the controls you apply to them should be visible within that framework.

The ISO 9001:2015 standard itself provides the normative requirements for Clause 8.4, and reviewing the actual clause language alongside your documented approach is the most reliable way to confirm you have covered everything an auditor will look for.

Common Mistakes to Avoid

Having audited and consulted across a wide range of industries, I see the same patterns of failure come up repeatedly when it comes to outsourced process control.

  • Approving suppliers once and never reviewing them again: An approved supplier list that has not been reviewed in three years is not evidence of control. It is evidence of a system that has been set up and forgotten.
  • Relying entirely on supplier certifications without any independent verification: A supplier's ISO certificate tells you they had a functioning management system at the time of their last audit. It does not guarantee the specific products or services they provide to you meet your requirements.
  • Failing to communicate changes in your own requirements: If your product specifications change, your suppliers need to know. Failing to pass that information down the supply chain is your nonconformity, not theirs.
  • Treating all suppliers the same: Applying the same level of scrutiny to a critical subcontractor and a stationery supplier is both inefficient and ineffective. Risk-based thinking is not optional in ISO 9001; it is a core principle.
  • Keeping supplier control documentation separate from your QMS: If your supplier records live in a filing cabinet or a personal drive that your team cannot access, they are not part of your management system in any meaningful sense.

Getting the Balance Right

The businesses that handle outsourced process control best are those that have invested time upfront in defining their requirements clearly, segmenting their suppliers by risk, and building lightweight but consistent monitoring habits. They are not the businesses with the thickest supplier manuals or the most aggressive audit schedules.

If you are in the process of building or improving your ISO 9001 system and supplier control is an area you are struggling with, it is often worth getting a second opinion from someone who has seen how different businesses approach it. The approach that works for a ten-person engineering firm looks very different from the one that works for a fifty-person food manufacturer, even though both are trying to satisfy the same clause.

CertBetter connects businesses with experienced ISO consultants who can review your current supplier control approach and help you build something that actually works in practice. You submit one form, receive up to three quotes from vetted consultants, and the service is completely free. It is a straightforward way to get practical guidance without committing to a long engagement before you know whether the fit is right.

Frequently Asked Questions

No, ISO 9001 does not require you to audit every supplier. Clause 8.4 requires you to apply controls that are proportionate to the risk and impact of the externally provided process, product or service. For most businesses, this means formal supplier audits are reserved for critical suppliers where the risk of failure is high and other monitoring methods are insufficient. Lower-risk suppliers can be managed through performance data, incoming inspection, and periodic reviews without ever conducting a formal on-site audit.

In practice, the terms are often used interchangeably, but there is a meaningful distinction. An approved supplier list is simply a record of which suppliers you have evaluated and approved to use. A supplier register is a more complete document that typically includes the supplier's category or risk tier, the basis for their approval, their certification status, and their current performance rating. A supplier register gives you and your auditors a much clearer picture of how your supplier control system actually functions.

A supplier's ISO 9001 certificate from an accredited certification body is a useful input to your evaluation, but it cannot fully replace your own assessment. The certificate confirms the supplier has a quality management system that met the standard's requirements at the time of their last audit. It does not confirm that the specific products or services they provide to you meet your particular requirements. You still need to define your requirements clearly and verify that the supplier is meeting them, even if the depth of your evaluation can be reduced for certified suppliers.

Start by ensuring the requirements were communicated clearly and that the supplier understands what is expected. If the requirements were clear and failures are recurring, raise a formal corrective action request and ask the supplier to investigate the root cause and provide a corrective action plan with a defined timeline. Document the issue and the supplier's response. If performance does not improve after a reasonable period, you may need to consider alternative suppliers. Under ISO 9001, you are required to take action proportionate to the risk, and continuing to use a supplier who consistently fails to meet your requirements without documented action is a finding waiting to happen.

This is a specific scenario addressed in ISO 9001 Clause 8.4. When your customer directs you to use a particular external provider, you still need to document that arrangement and communicate any applicable requirements to that supplier. However, your control obligations are somewhat different because you have limited ability to select or replace the supplier. The key is to document the customer-specified arrangement clearly, pass on your quality requirements in writing, and record any issues that arise. If the customer-specified supplier causes a quality problem, your documented communication of requirements is what demonstrates you fulfilled your obligations under the standard.

There is no fixed frequency prescribed by ISO 9001, but annual review is the most common and generally defensible approach for most businesses. Critical suppliers should be reviewed at least annually, with performance data reviewed more frequently, quarterly being typical. The review should confirm that each supplier remains capable of meeting your requirements, that their approval status is still valid, and that any changes in their circumstances or performance have been considered. An approved supplier list that has not been formally reviewed in more than twelve months will typically attract scrutiny from an auditor, even if your day-to-day monitoring has been consistent.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
