Skip to content

ISO 9001 clause 8.4 mapping

ISO 9001:2015 clause 8.4 — Control of externally provided processes, products and services — is the part of the standard that governs what you buy and what your suppliers do. It is also the clause Sertiq was built around. This page explains it in SME-readable English and shows where in Sertiq each requirement is covered.

If you only read one ISO clause this year, read this one — it’s the source of most “non-conformance” findings in supplier audits.

Anything you don’t make in-house but that affects the quality of your product:

  • Raw materials, components, sub-assemblies you buy.
  • Services performed for you (heat treatment, plating, machining, NDT, calibration).
  • Processes outsourced (a contract manufacturer running your tooling).

Clause 8.4 applies whether you call them a supplier, vendor, sub-contractor, or partner. The standard does not care about labels.

Clause 8.4 has three sub-clauses. Each addresses a different failure mode.

“The organization shall ensure that externally provided processes, products and services conform to requirements.”

In plain English: you are accountable for what your suppliers do. You must control them in proportion to the risk they carry. Buy a screw from a screw shop — light control. Outsource a flight-safety component — heavy control.

What ISO expects you to have:

  • Approved supplier list (ASL) with risk-based criteria for getting on it.
  • Evaluation history — how each supplier became approved, when they were re-evaluated, and what changed.
  • Re-evaluation triggers (e.g. quality failure, recurring NCR, change in scope).

How Sertiq covers it:

  • Supplier register with risk band (High / Medium / Low) — Suppliers.
  • Supplier evaluations with weighted ISO scoring template (quality, delivery, compliance, communication, CAPA capability).
  • AI Supplier Risk Profile narrates 12 months of NCRs, CAPAs, RMAs, SCAR responses into an evaluator-ready summary — AI assist.

“The organization shall determine the controls to be applied to externally provided processes, products and services.”

In plain English: decide how much you control, what you control, and what evidence you need. Then prove it works.

Common controls:

  • Receiving inspection (sampling plan, AQL, FAI).
  • Certificates of conformity (CoC), material certs, test reports.
  • First-article inspection on new part numbers or process changes.
  • Source inspection at the supplier’s site.
  • Statistical process control data shared by the supplier.
  • Periodic supplier audits.

How Sertiq covers it:

  • NCRs flagged with clause 8.4.2 capture failures of receiving inspection, verification, or release — NCRs.
  • CAPAs with effectiveness verification at 30 days prove your control adjustment worked — CAPA.
  • 8D module (Enterprise) for formal containment, root cause, and verification of recurring 8.4.2 failures.
  • Calibration tools register (Starter+) — keeping measurement equipment in date is itself an 8.4.2 control.

“The organization shall ensure the adequacy of requirements prior to their communication to the external provider.”

In plain English: tell suppliers exactly what you want, in writing, before you expect them to deliver it. If you don’t, the resulting non-conformance is yours, not theirs.

What you need to communicate:

  • Product / service specification (drawings, BOMs, revisions).
  • Process requirements (welding code, plating standard, tolerances).
  • Personnel qualifications (NDT Level II, IPC-A-610).
  • Method, process and equipment requirements.
  • Release and acceptance criteria — when do you sign it off?
  • Reporting and record-keeping expectations.
  • Performance interactions (lead time, communication cadence).
  • Control of changes to the requirements (what’s the change-management process?).

How Sertiq covers it:

  • NCRs flagged with clause 8.4.3 capture failures where requirements were not communicated, the wrong revision shipped, or the supplier reverted a spec change — NCRs.
  • SCAR (Supplier Corrective Action Request) documents — Sertiq generates branded .docx (and PDF on Enterprise) you send to suppliers with the requirement and the deviation spelled out — Reports.
  • Interactive supplier SCAR portal (Pro+) — password-protected page where suppliers respond directly, eliminating the “we didn’t get your email” failure mode.

Clause 8.7 — Control of nonconforming outputs

Section titled “Clause 8.7 — Control of nonconforming outputs”

Sertiq also surfaces clause 8.7 (Control of nonconforming outputs) on every NCR via the containment action field. Critical-severity NCRs cannot be saved without one — the constraint is enforced at the database level. Containment is the immediate, short-term action (segregate the lot, stop shipment, switch to alternate supplier) that protects the customer while you work the long-term CAPA.

Clause 10.2 — Nonconformity and corrective action

Section titled “Clause 10.2 — Nonconformity and corrective action”

CAPAs are not under 8.4 — they’re under 10.2 Nonconformity and corrective action. But they’re inseparable from 8.4 in practice: every CAPA in Sertiq is bound to a parent NCR. The 30-day effectiveness verification on closed CAPAs satisfies clause 10.2.1(e). See CAPA.

The Sertiq .docx audit report (Starter+) covers, per supplier:

  • Identity, contact, category, location (8.4.1 — supplier identification).
  • Risk band, quality score, evaluation history (8.4.1 — supplier evaluation).
  • Open and closed NCRs with severity and clause (8.4.2 — verification failures, 8.4.3 — communication failures).
  • CAPAs with status, due date, effectiveness rating (10.2 — corrective action).
  • Containment actions on critical NCRs (8.7).

Take it into the audit folder. The auditor expects to see this, and it answers most of their 8.4-bucket questions in one document.

Sertiq is opinionated about 8.4 and does not try to cover the full standard. Internal NCRs (clause 10.2 outside the supplier chain) are on the roadmap. Document control (clause 7.5), management review (9.3), and resource management (clause 7) are out of scope.

  • AS9100 (aerospace) — extends 8.4 with risk-based supplier classification, special process oversight, and counterfeit-prevention requirements. Sertiq covers the recordkeeping side; AS9100 certification requires additional process controls outside the tool.
  • IATF 16949 (automotive) — extends 8.4 with PPAP, APQP, and supplier development requirements. Sertiq is not IATF-certified out of the box; the supplier register and CAPA flow are a useful component, not a complete solution.
  • NCRs — clause-tagged at creation time.
  • CAPA — clause 10.2 effectiveness verification.
  • Suppliers — clause 8.4.1 evaluations.
  • Reports — audit-ready .docx.
  • Glossary — terms used here defined.