Quality Digest      
  HomeSearchSubscribeGuestbookAdvertise November 30, 2023
This Month
Need Help?
ISO 9000 Database
Web Links
Web Links
Back Issues
Contact Us

by Charlie Cianfrani

ISO 9001:2000 presents its users with several concepts and requirements that, at first glance, appear to be additions to the 1994 version. However, upon closer scrutiny, it becomes evident that they’re often amplifications or restatements of requirements that were always implied or presumed. Such is the case with the requirements surrounding outsourced processes. In this, the fifth article in our series, Charlie Cianfrani, a recognized international expert on ISO 9001:2000, helps us to better understand the intent of this requirement.
--Denise E. Robitaille, series editor

“Would you like them here or there?”
--Dr. Seuss, Green Eggs and Ham

Outsourcing and exclusion are two concepts from ISO 9001:2000 that many registered users still find confusing. Although the standard’s crafters concede that the requirements for both are somewhat related, these concepts actually address different issues in a quality management system. Likewise, their content and intent are unique. The applications concept discussed in Clause 1.2 covers permissible exclusions; the outsourcing concept discussed in Clause 4.1 relates to those activities that are essential to a quality management system and carried out by entities external to your organization.

To reiterate, the applications concept is included in ISO 9001:2000 to permit an organization to exclude from its QMS any requirements in Clause 7--Product Realization that, “… do not affect the organization’s ability, or responsibility, to provide product that meets customer and applicable regulatory requirements.”

Where the buck stops

By way of ancient history, when ISO 9001, 9002 and 9003 were first released, many organizations chose to seek 9002 registration--even though customers were vitally affected by the design of the products or services the organization was providing. This was contrary to ISO 9001’s intent. Some registrars permitted and even encouraged this behavior. Consequently, ISO 9001:2000 was structured to encourage (if not force) organizations to include in their QMS everything that impacts the quality of products or services delivered to customers. Clause 1.2--Applications was inserted to permit the legitimate exclusion of Clause 7 requirements, which had no relationship to the products provided to customers. In other words, the revised standard was designed to be flexible but difficult to misuse.

In ISO 9001:2000’s Clause 4.1, the outsourcing concept is included to highlight the fact that special attention might be required when obtaining products or services from others that impact the products provided to customers. The words in 4.1 specifically refer to outsourced processes to indicate that the organization must ensure control over them.

Some have argued that the requirement in Clause 4.1 isn’t necessary because Clauses 7.1, 7.4 and 7.5 contain adequate provisions to ensure the integrity of products provided to customers. However an organization decides to do it, though, the requirement clearly states that outsourced processes shall be controlled no matter where they and the resulting products are sourced.

This means that, when addressing the concept of outsourcing and control, geography is irrelevant. Unfortunately, the misconception that it’s permissible to abdicate responsibility for any process that occurs off-site endures, fostering an underlying attitude in some organizations that the more remote a process’s location, the greater the justification for dissociating it from the organization’s QMS. All too often, auditors hear things like: “We exclude 7.5.1 because we contract out the entire manufacturing process to another company,” or, “We exclude purchasing because that’s done at corporate. We don’t do that here.”

The question shouldn’t be, “Does it happen here or there?” It must be, “Is it a process that in any way affects conformity of the product to requirements?”

An organization can’t exclude a process from the scope of its QMS simply because it’s conducted by another entity or is purchased from an outside vendor. For this reason ISO 9001:2000’s authors positioned the language about outsourcing in Section 4.1--General Requirements. Because the only allowable exclusions are found in Section 7, this means outsourced processes aren’t exempt from the standard’s requirements.

ISO 9001:2000 clearly directs the organization to ensure those activities integral to the QMS--even if conducted off-site and purchased from another supplier--are identified, planned and controlled in the same manner as other QMS processes. The intent of this obvious and unnecessarily troublesome requirement is to emphasize that the location of an activity doesn’t in any way alter the organization’s accountability for the process’s outcome. It doesn’t matter if the process is conducted by another corporate office, a contracted service provider or any other contractor.

Similarly, the relationship between the organization and the supplier of an outsourced process isn’t part of the criteria for determining adequate control. Simply because purchasing is done at another corporate location doesn’t absolve the organization from the need to integrate control of it into the QMS, most notably through implementing clauses such as 7.1--Planning of Product Realization: “The organization shall plan and develop the processes needed for product realization,” and 4.1--General Requirements: “The organization shall… identify the processes needed… and determine the sequence and interaction of these processes.”

The general requirements go on to state: “When an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.”

What and how much to control is dependent on the nature and complexity of the process. The controls must reflect the criticality of the process and any risks that might exist. Outsourcing a delicate machining process will probably require more vigilance than outsourcing the purchasing of off-the-shelf components.

What are outsourced processes?

The ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on “Outsourced Processes” provides the following definition of the term: “Within the context of ISO 9001:2000 an ‘outsourced process’ is a process that the organization has identified as being needed for its quality management system, but one which it has chosen to be carried out by an external party.”

A simple litmus test for any outsourced activity might be whether you can fulfill the customer’s requirement without that process. Consider, for example, outsourcing the catering for the company’s annual awards luncheon. This activity probably isn’t integral to fulfilling customer requirements and usually wouldn’t be considered as part of the QMS. An argument could be made that it should be included if it’s part of a recognition program for achieving objectives. However, it’s reasonable to exclude it.

What about outsourcing the development of a product’s user manuals? Such an activity is definitely integral to meeting customers’ requirements and directly relevant to their ability to experience optimum value from the product. Also, it should be integrated into the planning and design/development process as well as any other related activities, such as training service technicians, ensuring manuals are included in shipping documents and incorporating provisions for review of any revision to the product.

The reasons for outsourcing processes fall into two general categories: 1) the organization doesn’t have the necessary expertise and/or resources; 2) the organization can perform the process but has chosen to outsource it for cost savings, increased efficiency or some other business reason. Examples of typical outsourced processes include:


Internal auditing


Web hosting

Independent lab testing

Plating, painting, heat treating or coating

Contract assembly of components provided by the organization

Entire manufacturing processes

Development of user manuals and maintenance instructions

Customer surveys

Call centers

Design validation


Field service

Human resources

Equipment preventive maintenance

Installation (where contractually required)

Records archiving

The diversity of outsourced processes illustrates why consideration must be given to the manner in which each is controlled. It would be as inappropriate to use the one-size-fits-all approach for these as it would be for any other element of your QMS. The method used to plan how a part is manufactured is different than how an e-commerce Web site is set up. The tools and techniques employed to assess fulfillment and conformance of these two different requirements would be quite different as well. Control typically is achieved through one or a combination of several techniques such as those listed below:

Supplier audit

Provision of detailed process documentation, work instructions, build specifications and/or in-process test information

Third-party validation of product performance


Joint planning sessions

Representative on-site

In-process performance data

Demonstrated conformance to ISO 9001:2000 or comparable QMS model

Pre-existing criteria as defined in purchasing procedures

The following secondary activities also relate to controlling the output of a process. Generally they shouldn’t suffice as stand-alones but are used in conjunction with process controls such as those listed above.

Incoming inspection

Certificates of analysis

Final product conformance data

As with any QMS requirement, it’s important that it make good business sense. What are the benefits that might be derived from outsourcing and bringing definition, control and consistency to these processes? The purpose of any activity is to fulfill the customer’s requirement. If the outcome of such a process doesn’t contribute to that purpose, it’s a detriment. Having a supplier do something twice because it had poor control is no more efficient or less costly than if the organization repeats the process. Both carry costs of scrapped material, lost time, wasted labor, missed deliveries and customer dissatisfaction. Therefore, the benefits of definition, planning and control are the same--regardless of whether it happens here or there.

About the author

Charlie Cianfrani is managing director of the Customer-Focused Quality Group at ARBOR E & T LLC. He’s co-author of ISO 9001:2000 Explained and the ISO 9000:2000 Handbook.

He’s also co-author, with Jack West, of Cracking the Case of ISO 9001:2000 for Manufacturing, Cracking the Case of ISO 9001:2000 for Service and ISO 9001:2000 An Audio Workshop. Cianfrani is an American Society for Quality Certified Quality Engineer, Certified Reliability Engineer, Certified Quality Auditor and RAB-certified Quality Systems Auditor. He’s a Fellow of ASQ.