In Scope or Out(sourced)! Is your supplier’s ISO certificate applicable?

ISO certificates describe the scope of the certified management system.  Typically this includes physical location of the organization but it also includes a description of the products and services covered –  those that a customer might be buying.  Technically if the organization outsources main processes, design is a good example, then it cannot be included on the certificate.  To be included the certification body must see what controls they have over those outsourced activities and then actually audit them.  They have to know that the processes fully meet the requirements of the standard before they add them to the certificate.

Many organizations outsource some of the work they perform.  When an organization outsources work, they cannot absolve themselves of the responsibility for the quality of work completed on their behalf.  It may be their sub-contractors fault but they are the one who supplied it to the customer.  That is a commonly understood principle.  However, when you rely on an outsourced process you don’t have control over the Quality Management System involved that assures the quality of the product.

When a customer contracts with you (an ISO 9001 certified company) they are expecting their products to be manufactured under ISO conditions.  While an ISO certified organization is required to define the outsourced processes “in the quality system” they are not required to tell the customer.  That is where complexities occur in looking at an ISO 9001 certificate.

Some scenarios will help explain this.

The customer orders a part from us (an ISO 9001 certified organization) which is completely or partly produced at an ISO 9001 sub-contractor. 

All work on the part was completed at an ISO certified organization and so it is valid to say it was produced in an ISO certified process.  It is important to remember that the ISO certification has to be valid.  Typically this means that it is provided by an accredited certification body whose accreditation agency belongs to the IAF (recognized international body for ISO).  Of course you still don’t have control over that quality system so while it is fair to say that a certificate was involved throughout, the customer may still have problems with it.

The customer orders a part from us (an ISO 9001 certified organization) which is completely produced at a non-ISO 9001 sub-contractor. 

If we are able to inspect the product upon receipt we can assure the quality to the customer.  However, the ISO certificate implies it will be manufactured under ISO 9001 and that wasn’t the case.  Technically we should declare that the ISO scope for the supply of this item was “procurement and inspection”.   There are many issues with this scenario.  Inspection is never a great way of assuring quality and its not always possible to check everything.

The customer orders a part from us (an ISO 9001 certified organization) which is outsourced for plating at a non-ISO 9001 sub-contractor. 

The ISO certificate doesn’t mention plating (we are only certified for machining) and thus although this product was not completely produced under ISO 9001 conditions, it can be argued that the customer should be aware of this from the description on the certificate.  It is likely that we have good controls over the vendor (typically purchasing controls) because those controls are subject to ISO auditing.  However, the actual outsourced process itself is not audited and is not separately certified.  Plating is a special process (one which cannot be inspected or verified) and thus we cant inspect the quality of the product when we receive it.  Technically because “plating” is not on the certificate, this is an acceptable situation so long as our controls over the process are comprehensive.

The customer orders a part from us (an ISO 9001 certified organization) which is outsourced for limited machining at a non-ISO 9001 sub-contractor. 

Technically this scenario incorporates comments from both scenarios above.  Because the quality of the machining can be inspected we can verify the quality of the part and it is only one part of the final item supplied to the customer so it is not representative of the whole quality of what is supplied.  So the answer is a matter of degrees.  The more we outsource of the production of this item, the less “produced under ISO” is true.  This scenario must also be considered in the light of the scenario below.  What’s the difference between buying a “part” and subcontracting the manufacture of a part?

The customer orders a part from us (an ISO 9001 certified organization) which is assembled in house although some of the parts may be purchased from a non-ISO 9001 sub-contractor. 

In this situation our certificate should state that we assemble – not that we manufacture (and/or include both terms).  Under these circumstances we own the design of the part that we provide and we obtain the parts from who we want.  If this was the customers finished part that we were assembling then it is likely that they told us how and where to get the parts.  Thus they would know of any non-ISO 9001 organizations in the supply chain.


The problem and complexities get even worse when an organization does all (or most) of the activities in house but chooses to outsource some of these to non-ISO 9001 suppliers.  The customer is rarely told exactly where their parts are to be made.  This is not really a problem for the ISO certified organization.  They want the certificate to be as broad and encompassing as possible.  It is the customer that might be confused.

The solution is easy.  Customers can request a copy of the suppliers quality manual and work out what is included and what is not.  Too much hard work?  Then they simply request in purchasing documents that products are specifically produced through the organizations ISO 9001 quality management system (and to notify them if any processes are not ISO 9001).  To be effective, it may be necessary to follow up on this but it’s a good place to start.