
ISO 9001 Supplier Evaluation: Clause 8.4 Guide + Free Approved Supplier List Template

By the Training Tiger Team | March 2026 | 12 min read

Clause 8.4 is one of the most consistently cited clauses in ISO 9001 audits — and one of the most misunderstood. Organizations that think supplier control means having a list of vendors they've used before are in for a rude surprise when the auditor starts asking questions.

The quality of your product is only as good as the quality of what goes into it. Purchased materials, outsourced processes, and externally provided services all carry quality risk directly into your operation. Clause 8.4 is the standard's mechanism for managing that risk — systematically, proportionally, and with documented evidence.

This guide covers what Clause 8.4 actually requires, how to build an Approved Supplier List that satisfies auditors and actually manages risk, the most common findings, and a free ASL template you can put to work immediately.

What Clause 8.4 Actually Requires

Clause 8.4 is titled "Control of Externally Provided Processes, Products and Services." It applies whenever your organization uses an external provider — whether that's a raw material supplier, a subcontractor, a calibration lab, a staffing agency, or a cloud software vendor that touches your product or service.

The clause is structured across three sub-clauses, each with distinct requirements:

8.4.1 — General

The organization must determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers. The criteria must be based on the provider's ability to provide processes, products, or services in accordance with requirements. Documented information must be retained as evidence of the results of evaluations and any necessary actions arising from them.

This is where the Approved Supplier List lives. It is the documented evidence that you have evaluated your suppliers against defined criteria and made a deliberate approval decision. An auditor asking "how did you approve this supplier?" should get a specific, documented answer — not a shrug.

8.4.2 — Type and Extent of Control

Control of external providers must be proportional to the impact on the organization's ability to consistently deliver conforming products and services and on customer satisfaction. The standard identifies three scenarios that require different levels of control:

  • Products and services incorporated into your own products or services — the highest risk category. A defective component that becomes part of your product becomes your problem with your customer. These suppliers typically require the most rigorous qualification and ongoing monitoring.
  • Products and services provided directly to your customer on your behalf — you're accountable for what the external provider delivers to your customer. Same risk level as above.
  • Processes or functions outsourced — a process your organization has decided to perform externally (heat treating, powder coating, software testing). You remain responsible for the conformity of the outputs, even though you didn't perform the process yourself.

The practical implication: a supplier of low-impact consumables doesn't need the same evaluation rigor as the supplier of a critical sub-assembly. Your controls should scale with your risk.

8.4.3 — Information for External Providers

Before you send work to an external provider, you must communicate your requirements clearly. The standard lists what must be communicated, as applicable:

  • The processes, products, or services to be provided (specifications, drawings, work instructions)
  • The methods, processes, and equipment to be used
  • Competency and qualification requirements for personnel
  • QMS requirements the external provider must satisfy
  • The organization's intent to verify work at the external provider's premises
  • Control and monitoring activities to be performed by your organization

This sub-clause catches organizations that assume suppliers know what's expected. Undocumented verbal instructions are not requirements. Purchase orders with part numbers but no specifications are a finding waiting to happen.

What Is an Approved Supplier List (ASL)?

The Approved Supplier List is the practical tool for satisfying Clause 8.4.1. It is a controlled document that records every external provider your organization has evaluated and approved for use, along with the evidence and conditions of that approval.

A complete ASL entry should capture:

  • Supplier name and contact information
  • Commodity or service category — what they're approved to supply (not just their company name)
  • Approval status — Approved, Conditional, or Disqualified
  • Risk tier — Critical, Preferred, or Standard (more on this below)
  • ISO 9001 or other relevant certifications — with expiration dates
  • Initial approval date
  • Last evaluation date
  • Next scheduled re-evaluation
  • Overall performance score with component scores (quality, delivery, responsiveness)
  • Any conditions or restrictions on the approval
  • Approved by — who authorized the approval decision

Critically, the ASL must be a controlled document — version-numbered, dated, and managed within your document control system. An ASL that exists in someone's personal spreadsheet or email archive doesn't satisfy the documented information requirements of the standard.

Purchasing must verify ASL status before placing orders. "We always use them" is not a process. A purchase order to a supplier not on the ASL — or to one with expired approval — is a nonconformity.

Supplier Evaluation Criteria

The standard requires you to define evaluation criteria — not guess at them for each supplier. Your criteria should be documented in your supplier qualification procedure and applied consistently. Common evaluation dimensions:

Quality Performance

For active suppliers: incoming inspection rejection rates, defects per million (for high-volume), customer complaint data attributable to supplier material, number of corrective actions issued and response quality. For new suppliers: quality certifications (ISO 9001, IATF 16949, AS9100), references, and a supplier questionnaire or on-site audit.

Delivery Performance

On-time delivery rate, lead time reliability, fill rate (complete orders vs. short shipments), and advance notice of delivery issues. A supplier who consistently delivers quality material three weeks late creates just as many production problems as one who delivers on time but with defects.

Responsiveness to Issues

How quickly and thoroughly does the supplier respond to corrective action requests? Do they conduct root cause analysis or just ship a replacement? A supplier who stonewalls corrective actions or provides superficial 8D responses is a quality risk regardless of their inspection rejection rate.

Certifications and Qualifications

ISO 9001 certification is not required — but it is a strong indicator of systematic quality management. Track certification status and expiration dates. For critical applications: IATF 16949 (automotive), AS9100 (aerospace), ISO 13485 (medical devices). For specialized processes: NADCAP (aerospace special processes), weld certifications (AWS/ASME), AIAG PPAP compliance.

Financial Stability

For critical sole-source suppliers, financial instability is a supply chain risk. A supplier that goes under mid-production run is a quality and delivery crisis. This doesn't require a full financial audit — Dun & Bradstreet ratings or an annual review of business health indicators are sufficient for most organizations.

Scoring and Weighting

Define a scoring scale (0-100 is common) with weighted components. A typical weighting for a manufacturing supplier might be: Quality 40%, Delivery 35%, Responsiveness 25%. Adjust weights based on what matters most for the commodity — for a just-in-time component, delivery weight goes up. Document your scoring methodology in the procedure so it's applied consistently and can be defended to an auditor.

Risk-Based Supplier Classification

Not all suppliers carry the same risk, and treating them identically wastes resources while underprotecting the high-risk ones. A risk-based classification tier system satisfies the "proportional to impact" requirement of Clause 8.4.2 and makes your qualification program defensible and practical.

| Tier | Description | Re-Evaluation | Incoming Inspection |
|---|---|---|---|
| Critical / Strategic | Sole-source or limited-source; incorporated directly into product; failure = product recall or major customer issue | Every 6–12 months; may include on-site audit | 100% or statistical sampling; formal PPAP or FAI |
| Preferred | Strong track record; significant spend; strategic relationship; multiple sources available | Annually | Reduced inspection based on history |
| Standard / Approved | Evaluated and approved; acceptable performance; lower spend or impact | Every 2–3 years or on performance trigger | Periodic sampling |
| Conditional | Approved with restrictions; active quality issues; new supplier under probation | Quarterly until condition resolved | Enhanced inspection; escalated corrective action tracking |
| Disqualified | Not approved for use; failed evaluation or unresolved major quality issues | N/A — cannot purchase without re-qualification | N/A |

The tier assignment should be reviewed annually or whenever a significant quality event occurs — a major rejection, a corrective action refusal, or a supplier-caused customer complaint should immediately trigger a tier downgrade review.

Common Audit Findings for Clause 8.4

Clause 8.4 findings show up in a predictable set of patterns. These are the ones auditors look for first:

  • No documented evaluation criteria. The auditor pulls a purchase order, looks up the supplier on the ASL, and asks: "What criteria did you use to approve this supplier?" "We've used them for years" or "the buyer knows them well" are not answers. The criteria must be documented in a procedure and applied consistently.
  • ASL not kept current. Suppliers on the list with evaluation dates two or three years old, with no documented re-evaluation. Re-evaluation doesn't have to be elaborate — an annual performance scorecard review is sufficient for most suppliers — but it must happen and be documented.
  • No evidence of re-evaluation for critical suppliers. The most serious version of the previous finding. A sole-source critical supplier who hasn't been formally re-evaluated in three years, with quality escape history and no corrective action evidence, is a major nonconformity.
  • Purchasing from suppliers not on the ASL. The buyer found a better price and used a new supplier without triggering the qualification process. One purchase order to an unapproved supplier is enough for a finding.
  • No documented requirements communicated to suppliers (8.4.3). Purchase orders with part numbers but no drawings, specifications, or quality requirements attached. "They know what we need" is not a documented requirement.
  • Outsourced processes not included in supplier control. Plating, heat treating, welding — farmed out to job shops with no formal qualification, no performance monitoring, and no evidence of oversight. The standard is explicit: you remain responsible for outsourced process conformity.

How to Build Your Approved Supplier List

Step 1: Define Supplier Categories

Group your supply base by commodity or service type: raw materials, sub-assemblies, outsourced processes, calibration services, professional services, etc. This determines which evaluation criteria apply — a calibration lab gets evaluated differently than a steel distributor.

Step 2: Document Evaluation Criteria by Category

For each category, document: the evaluation dimensions (quality, delivery, responsiveness, certifications), how they are scored, the minimum score for Approved status, and what triggers a Conditional or Disqualified status. Put this in your supplier qualification procedure — not just in the spreadsheet.

Step 3: Initial Qualification

New suppliers must complete the qualification process before the first purchase order. Depending on the risk tier, this may include: a supplier questionnaire, certificate verification, reference checks, product or process samples, a supplier quality survey (desktop audit), or an on-site audit. Document the results and make a deliberate approval decision with a responsible approver.

Step 4: Ongoing Performance Monitoring

Collect performance data at a defined cadence — monthly or quarterly for high-volume suppliers, at minimum annually for all others. Score them against your criteria. Feed the scores into the annual re-evaluation decision. Maintain the performance history in a way that's retrievable — an auditor may ask for three years of performance data on a critical supplier.

Step 5: Re-Evaluation Triggers

In addition to scheduled re-evaluations, define the events that trigger an immediate review:

  • A customer complaint attributable to supplier material
  • An incoming inspection rejection rate above a defined threshold
  • A corrective action that goes unresolved beyond the due date
  • A lapse or downgrade in the supplier's quality certification
  • A major ownership change or financial distress event

Step 6: Integrate with Purchasing

The ASL is only effective if purchasing actually uses it. Build the check into your purchase order process: before issuing a PO, verify the supplier is on the ASL with current Approved status. Automate this where possible. Document it in the purchasing procedure. Make the ASL accessible to everyone who places orders.

Free Approved Supplier List Template

Download our free Approved Supplier List template. It includes all the fields required for Clause 8.4.1 compliance — supplier information, approval status, risk tier, certification tracking, performance scores, and evaluation history.

Excel spreadsheet (.xlsx): use immediately, no sign-up required. Two downloads are available: a blank template and a worked example (ABC Precision Manufacturing).

How Training Tiger Supports Supplier Control

At first glance, training software and supplier control seem like separate worlds. They're not — and Clause 8.4 is where they connect.

When you receive material from a critical supplier, your incoming inspection procedure is a controlled document — it needs to be current, revision-controlled, and your inspection team needs to be trained on it. When a supplier changes their process and you update your incoming inspection procedure accordingly, Training Tiger automatically flags the affected employees for retraining on the new version. No one performs incoming inspection on an outdated procedure.

The same applies to supplier-specific handling requirements. Special storage conditions for controlled materials, quarantine procedures for conditional supplier shipments, specific test methods for critical characteristics — these are all documents that need to be controlled and employees trained on. That training needs to be tracked and verifiable.

When Clause 8.4.3 requires you to communicate competency requirements to external providers, or when an outsourced process requires your team to be trained on the supplier's process requirements before providing oversight — Training Tiger tracks that training. When an auditor asks "how do you ensure your receiving team is trained on the inspection requirements for this critical supplier?" you pull up Training Tiger and show them.

Audit-Ready Supplier Documentation

Keep your incoming inspection procedures, supplier-specific requirements, and employee training records current and audit-ready in Training Tiger. When the auditor asks for evidence of Clause 7.2 competence for your inspection team, the answer is a few clicks away.

Frequently Asked Questions

What is an Approved Supplier List in ISO 9001?

An Approved Supplier List (ASL) is a controlled document that records all external providers an organization has formally evaluated and approved for use. It satisfies the documented information requirements of ISO 9001 Clause 8.4.1 by providing evidence that suppliers were selected based on defined criteria and are monitored for ongoing performance. The ASL must be maintained as a current, controlled document — not a static spreadsheet filed away after initial setup.

How often should suppliers be re-evaluated under ISO 9001?

ISO 9001 does not specify a re-evaluation frequency — it requires that you define and apply criteria for re-evaluation. In practice, most organizations evaluate critical suppliers annually (some semi-annually), preferred suppliers annually, and standard suppliers every two to three years. Any significant quality event — a corrective action, an inspection rejection spike, or a customer complaint attributed to supplier material — should trigger an unscheduled re-evaluation regardless of the standard cycle.

Does ISO 9001 require suppliers to be ISO 9001 certified?

No. ISO 9001 does not require your suppliers to be ISO 9001 certified. What it requires is that you evaluate suppliers based on their ability to meet your requirements. ISO 9001 certification is one strong indicator of quality management capability, but it is not mandatory. You can approve a non-certified supplier if your evaluation demonstrates they can consistently meet your requirements — and you document that evaluation. Some customer contracts (especially automotive) may impose flow-down requirements that do mandate supplier certification; that is a contractual requirement, not an ISO 9001 requirement.

What happens if we use a supplier not on the ASL?

Purchasing from a supplier not on the Approved Supplier List — or one whose approval has lapsed — is a nonconformity against Clause 8.4.1. It indicates that your supplier control process is not being followed. The corrective action typically involves issuing a CAR, either retroactively qualifying the supplier or removing them from your supply base, and strengthening the purchasing process controls to prevent recurrence. Repeat occurrences suggest a systemic process failure and will be treated accordingly by auditors.
