Why Contractors Create Real Problems for ISO Certification
If your business uses contractors or subcontractors to deliver any part of your product or service, your ISO certification is directly affected. This is not a minor administrative detail. It is one of the most common reasons businesses struggle during audits, receive nonconformances, and find their certified scope challenged by clients.
On this page
The core issue is straightforward. When you get certified to a standard like ISO 9001, ISO 45001, or ISO 27001, the certification covers the processes and activities within your defined scope. The moment a contractor performs work that falls inside that scope, you are responsible for the outcomes of that work. Your certificate does not come with a disclaimer that says “except for the bits we outsourced.”
This article walks you through the practical steps to manage contractors properly within your management system, what auditors actually look for, and how to avoid the most common mistakes businesses make in this area. If you want a broader picture of how outsourced processes fit into your system overall, the article on how to control outsourced processes without micromanaging your suppliers is worth reading alongside this one.
What the Standards Actually Say About Outsourced Processes
Most ISO management system standards address outsourcing explicitly. ISO 9001:2015 deals with it under Clause 8.4, which covers the control of externally provided processes, products, and services. The standard requires you to determine the controls you will apply to external providers based on the potential impact they have on your ability to consistently deliver conforming products and services.
ISO 45001 takes a similar position. Under Clause 8.1.4, it requires organisations to coordinate with contractors to identify hazards and assess risks arising from their activities. You cannot simply hand a contractor a set of tasks and assume your safety obligations end there.
ISO 27001 is arguably the most demanding when it comes to external parties. Annex A controls address supplier relationships and require you to establish information security requirements in agreements with suppliers who access, process, store, communicate, or provide IT infrastructure for your organisation.
The common thread across all these standards is this: you cannot outsource your responsibility. You can outsource the work, but you remain accountable for the quality, safety, and compliance of the output.
The Difference Between a Contractor and a Supplier
Before going further, it is worth being clear about terminology, because this trips people up. In the ISO world, the term “external provider” covers a broad range of relationships. A contractor or subcontractor typically performs work that is directly part of your service delivery or production process. A supplier might provide you with materials, components, or tools that you then use in your own processes.
The distinction matters because the level of control you need to apply depends on how closely the external party's work integrates with your certified scope. A contractor who installs systems on your behalf at client sites is far more embedded in your process than a supplier who delivers stationery to your office. Your controls need to be proportionate to that risk.
For practical guidance on what your scope should actually cover, the guide to Clause 4.3 on determining the scope of your management system gives a solid foundation for thinking through these boundaries.
How to Include Contractors in Your Management System
Step 1: Map Which Contractors Fall Inside Your Scope
Start by listing every contractor and subcontractor your business uses. Then go through each one and ask a simple question: does this party perform any activity that directly contributes to the products or services covered by my ISO certification?
If the answer is yes, that contractor needs to be managed within your system. This does not mean you need to certify them. It means you need to have documented controls in place that give you confidence their work meets your requirements.
Examples of contractors that typically fall inside scope include:
- Subcontractors who carry out installation, construction, or service delivery work on your behalf
- IT contractors who have access to systems or data covered by your ISO 27001 scope
- Labour hire workers who operate within your production environment
- Specialist consultants whose outputs form part of your deliverables to clients
Examples that typically fall outside scope include:
- Office cleaning contractors
- Couriers delivering internal mail
- Payroll processing services that do not touch your product or service delivery
Step 2: Define Your Requirements Before Work Begins
This is where most businesses fall short. They engage contractors, hand over a scope of work, and assume the contractor knows what quality, safety, or security standards are expected. Auditors see this constantly, and it almost always results in a finding.
Before any contractor starts work that falls within your ISO scope, you need to communicate your requirements in writing. Depending on your standard, this might include:
- Quality specifications and acceptance criteria for their work
- Applicable safety procedures and site rules under ISO 45001
- Information security obligations and access controls under ISO 27001
- Environmental requirements if you hold ISO 14001 certification
- Your nonconformance reporting and escalation process
- Document and record-keeping requirements
This does not have to be an enormous document. A well-written contractor agreement or a clear scope of work with attached requirements is often enough. What matters is that the requirements are documented and that the contractor has acknowledged them.
Step 3: Verify Contractor Competence
ISO standards require you to ensure that people performing work under your system are competent. For contractors, this means you need evidence that they have the skills, qualifications, and experience to do the work to your required standard.
Practically, this means collecting and keeping records such as:
- Copies of relevant licences, trade qualifications, or professional registrations
- Evidence of inductions completed for your site or system
- Records of any training you have provided
- Insurance certificates where relevant to the risk
You do not need to run a full training programme for every contractor. But you do need to be able to show an auditor that you checked they were capable before they started work. The article on what competence means and how to prove it for ISO is a useful reference here.
Step 4: Monitor and Verify Their Work
Having requirements on paper is not enough. You need to demonstrate that you actually monitor whether contractors are meeting those requirements. The level of monitoring should be proportionate to the risk and the complexity of the work.
For a high-risk contractor performing critical work, you might need:
- Regular site inspections or progress reviews
- Sign-off on completed work before it is accepted
- Documented quality checks or testing at defined hold points
For lower-risk contractors, periodic review of their performance and records may be sufficient. The key is that you have a defined process, you follow it, and you keep records that show you did.
Step 5: Handle Nonconformances Involving Contractors
When a contractor's work does not meet your requirements, you need to treat it the same way you would treat any other nonconformance within your system. This means logging it, investigating the cause, and taking corrective action.
This is important for two reasons. First, it demonstrates that your system is actually functioning. Second, it creates a record that shows you identified the problem and did something about it. An auditor who sees a history of contractor-related nonconformances that were properly managed will have far more confidence in your system than one who sees no issues recorded at all, which usually means issues are not being captured.
Contractor Management for Specific ISO Standards
ISO 9001 and Quality
Under ISO 9001, your supplier and contractor controls need to be risk-based. The standard does not prescribe a single approach, but it does require you to evaluate and select external providers based on their ability to meet your requirements, apply controls proportionate to the impact on conformity, and retain documented information as evidence of these activities.
A practical tool here is a supplier or contractor evaluation register. This does not need to be complex. A simple spreadsheet that captures who you use, what they do, how you assessed them, and how they have performed over time is often sufficient for a small to medium business.
ISO 45001 and Safety
Safety is where contractor management gets particularly serious, and the legal stakes in Australia are real. Under the Work Health and Safety Act, a business that engages contractors has duties of care that extend to those workers. ISO 45001 formalises this by requiring you to coordinate with contractors to identify hazards, assess risks, and communicate your safety requirements.
In practice, this means:
- Conducting site inductions before contractors commence work
- Including contractors in hazard identification and risk assessment processes where relevant
- Ensuring contractors are aware of emergency procedures
- Monitoring contractor safety performance on an ongoing basis
If you are in the construction industry, this is even more critical. The article on ISO 45001 certification for construction companies covers the specific considerations for that sector in more detail.
ISO 27001 and Information Security
For information security, contractors who have any access to your systems, data, or infrastructure need to be managed under formal agreements that address security requirements. This includes:
- Confidentiality and non-disclosure obligations
- Access controls and the principle of least privilege
- Incident reporting obligations
- Requirements around how data is handled, stored, and destroyed
- The right to audit or review the contractor's security practices
Under ISO 27001:2022, supplier relationships are addressed through specific controls in Annex A, and your auditor will look for evidence that these controls are implemented and not just documented in policy.
Common Mistakes Businesses Make With Contractor Management
Assuming the Contractor's Own Certification Covers You
This is a very common misconception. If a subcontractor holds their own ISO 9001 certificate, that is useful information, but it does not remove your obligation to manage them within your own system. Their certificate covers their processes. Your certificate covers your processes, including how you manage and control the external providers you use. The two are separate.
Relying on Verbal Agreements
Auditors cannot audit verbal agreements. If you tell an auditor that you always brief contractors before they start and that everyone knows the requirements, the auditor will ask to see the records. If there are none, that is a nonconformance. Everything that matters needs to be documented.
Treating All Contractors the Same
A risk-based approach means applying more rigorous controls to contractors whose work has a higher potential impact on your certified scope. Applying the same level of scrutiny to a critical subcontractor as you do to a casual labourer doing minor tasks is not risk-based thinking, and auditors will notice.
Forgetting Contractors During Internal Audits
Internal audits are one of the most powerful tools for keeping your system working. But many businesses focus their internal audits entirely on internal processes and forget to include contractor management as an audit area. Your internal audit programme should include a review of how you are managing external providers, including whether records are being maintained and whether performance is being monitored. For practical guidance on running effective internal audits, the article on how to run ISO internal audits that actually find problems is worth your time.
Practical Documentation You Should Have in Place
To give you a concrete picture, here is the documentation that a well-managed business should be able to produce when an auditor asks about contractor management:
- A register of external providers that fall within your ISO scope, including what they do and what risk category they represent
- Contractor agreements or purchase orders that include your quality, safety, or security requirements
- Competence records such as copies of licences, qualifications, induction records, and insurance
- Monitoring records such as inspection reports, sign-off sheets, or performance reviews
- Nonconformance records for any issues involving contractor work, along with evidence of corrective action
- Evaluation records showing how you selected and continue to assess your contractors
None of this needs to be elaborate. The goal is to demonstrate a systematic, documented approach, not to create an administrative burden.
When a Contractor Becomes a Subcontractor Under Your Certificate
There is an important distinction worth understanding here. In some industries and for some standards, you may want or need to explicitly include a contractor within the scope of your certificate. This is sometimes called a multi-site certification or an extended scope arrangement.
This is different from simply managing a contractor within your system. Including a contractor within your certified scope means the certification body's auditors will also audit that contractor's site and activities as part of your certification audit. This is more complex and more expensive, but it may be required in certain supply chain or contractual situations.
If a client is asking whether your subcontractors are covered by your certificate, the answer depends on whether they are included in the scope. If they are not, you should be clear about that and explain how you manage and control their work instead. Misrepresenting the scope of your certificate is a serious issue, and the article on what happens if you falsely claim ISO certification explains the consequences in plain terms.
Getting This Right From the Start
The businesses that handle contractor management well are the ones that build it into their system from day one rather than trying to retrofit it before an audit. If you are just starting your ISO certification journey and your business model relies heavily on contractors, make sure you raise this with your consultant early. The scope definition, the documented processes, and the records you keep all need to account for the contractor relationships that are central to how you deliver your product or service.
If you are already certified and you know your contractor management is not where it should be, the good news is that this is a fixable problem. Start by mapping your contractors against your scope, identify the gaps in your documentation and monitoring, and work through them systematically before your next surveillance audit.
If you are looking for an experienced consultant who understands how to build contractor management into a practical, auditable system, CertBetter can connect you with vetted ISO consultants who have done exactly this across a range of industries. You submit one form, and you receive up to three competing quotes from verified providers. It is completely free for businesses, and it saves you the time and frustration of searching for the right person on your own.




