The intent of this subsection is to control processes, products and services that are provided by an external provider.
The organization is responsible for ensuring that externally provided processes, products and services conform to requirements (e.g. through incoming goods inspection, or surveillance of an outsourced service provider).
The organization should determine the requirements and specific controls to be applied for external provision, depending on the effect they can have on the organization’s operation and performance.
For example, the organization might require that:
— a raw material complies with a technical specification, to be verified through inspection or tests;
— maintenance activities provided by a partner company be carried out by persons with determined competence using specified safety equipment;
— an associate company (such as a sister plant that provides component parts for assembly) conducts verifications.
The organization needs to determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers. Implementation of such a process enables an organization to have a clear understanding of the current capacities of external providers, determine gaps in what is needed, and determine solutions to resolve these issues.
In situations where a parent company or customer mandates the use of a specific external provider, this could be the criterion that is established; however, the monitoring of performance for these types of external providers is still required.
The intent of this subsection is also to establish the controls for external providers, in order for the organization to have confidence that the products and services to be provided will meet requirements.
The type and extent of control is based on what the potential impact that the externally provided process, product or service can have on the organization’s ability to consistently deliver conforming products and services.
EXAMPLE In a printing organization, the paper quality could be critical.
However, a travel agency might use normal, commercial stationery without the need for any quality related purchasing controls.
The printing organization needs to monitor the performance of its paper providers very closely to ensure that the quality of its printed products remains at the expected level.
The organization should determine which controls are to be implemented by or for an external provider.
The intent of these controls is to ensure that product or service provision will be carried out according to planned arrangements and that the product or service will conform to requirements.
The organization needs to ensure that processes provided by an external provider that is within the control of the organization’s management system meet the applicable requirements of relevant ISO standard.
Examples of controls, include, but are not limited to:
a) the qualification of the persons taking the calls and the set-up of the information and communication system at the beginning of a shift, for an outsourced call centre;
b) an incoming inspection carried out by a qualified inspector, or a test carried out on a sample at the organization’s laboratory, for a provided product;
c) a checklist used when verifying that all the planned activities were carried out for a bathroom cleaning service at a hotel or an office.