The organization shall ensure that externally provided processes, products, and services conform to requirements.
The organization shall be responsible for the conformity of all externally provided processes, products, and services, including from sources defined by the customer.
The organization shall ensure, when required, that customer-designated or approved external providers, including process sources (e.g., special processes), are used.
The organization shall identify and manage the risks associated with the external provision of processes, products, and services, as well as the selection and use of external providers.
The organization shall require that external providers apply appropriate controls to their external providers, to ensure that requirements are met.
The organization shall determine the controls to be applied to externally provided processes, products, and services when:
a. products and services from external providers are intended for incorporation into the organization’s own products and services;
a. products and services are provided directly to the customer(s) by external providers on behalf of the organization;
b. a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re- evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.
NOTE: During external provider evaluation and selection, the organization can use quality data from objective and reliable external sources, as evaluated by the organization (e.g., information from accredited quality management system or process certification bodies, external provider approvals from government authorities or customers). Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements.