Supplier Management and Procurement Controls for ISO Standards

Purchasing in Brief

  • Approved supplier list with selection criteria that match the risk of what is bought
  • Goods-in checks proportionate to the criticality of the supply
  • Periodic supplier review based on actual performance

What is Purchasing and Supplier Management?

Purchasing and supplier management covers every arrangement where the organisation relies on another organisation or individual to provide something it uses - raw materials, components, finished goods for resale, outsourced services, professional services, consultants, subcontractors, cleaners, hauliers, software providers. All of these are what ISO 9001 calls externally provided products, processes and services, and the management system is expected to control them.

The reason this matters is simple. An organisation is responsible for the final product or service delivered to its customers, regardless of which parts were made or done by someone else. A defective component from a supplier becomes a defective product. A missed deadline from a subcontractor becomes a missed deadline to the customer. A data breach at a software provider becomes a data breach affecting the organisation's own customers. The quality, timeliness and safety of external inputs directly affect the outputs the organisation is accountable for.

A working purchasing and supplier management process therefore has three stages: deciding who to buy from (supplier selection and approval), controlling individual purchases (specifications, orders, receipt), and reviewing how suppliers are performing over time (ongoing monitoring and re-evaluation).

What ISO 9001 Requires - Clause 8.4

ISO 9001 covers purchasing and supplier management under Clause 8.4 - Control of externally provided processes, products and services. The clause has three main sub-parts.

Clause 8.4.1 General requires externally provided products and services to conform to requirements. This means determining and applying criteria for evaluation, selection, monitoring of performance and re-evaluation of external providers. Records of these activities are documented information.

Clause 8.4.2 Type and extent of control recognises that different suppliers warrant different levels of control. A supplier of commodity stationery needs less oversight than a supplier of safety-critical components. The organisation decides the appropriate level of control based on the potential impact on product and service conformity, the effectiveness of the controls the supplier has in place, and the risks arising from the arrangement.

Clause 8.4.3 Information for external providers requires the organisation to communicate its requirements to suppliers clearly - what is being purchased, the methods and equipment or processes to be used, competence requirements, the interactions with the organisation's management system, any controls or monitoring the organisation will apply, and any verification or validation activities at the supplier's premises.

The three sub-clauses work together: decide who is fit to supply, control what and how they supply it, and be clear about what they need to deliver.

Types of Externally Provided Products and Services

The scope of Clause 8.4 is broader than traditional purchasing. It covers three kinds of external provision, each with slightly different control considerations.

Products bought in. Raw materials, components, packaging, consumables, finished goods for resale. These are the classic subject of purchasing. Control typically involves specifications, purchase orders, goods receipt checks and inspection on arrival.

Services provided externally. Cleaning, maintenance, calibration, logistics, IT support, professional services, training, auditing. Service control focuses on service level agreements, defined scope, competence of the service providers and periodic review of how the service is being delivered.

Outsourced processes. Activities that form part of the organisation's own processes but are carried out by someone else - outsourced manufacturing, subcontracted installation, white-label production, drop-shipping. These need the tightest control because the organisation remains accountable for the output even though the process itself is handled externally. Control usually includes approval of methods, verification activities and sometimes on-site audits.

An organisation typically has all three kinds of external provision running in parallel. The purchasing and supplier management process needs to cover each at the appropriate level.

Assessing Suppliers Before You Use Them

A supplier should be approved before work starts, not afterwards. The depth of the assessment should match the risk and importance of what the supplier is providing.

For routine, low-risk suppliers - office supplies, low-value consumables - a light-touch approval is sufficient: verify the company exists, that they can supply the product, and that pricing and payment terms are acceptable. For critical or high-risk suppliers - safety-related components, outsourced manufacturing, key subcontractors, significant professional services - a more thorough assessment is appropriate. This typically includes:

  • Confirmation of legal status, insurance and financial standing
  • Review of relevant certifications - ISO 9001, ISO 14001, sector-specific schemes
  • Assessment of capability against the specific work to be done - capacity, equipment, competence
  • References from other customers where appropriate
  • For contractors working on site, confirmation of health and safety arrangements, risk assessments and method statements
  • For suppliers handling sensitive data, assessment of their information security arrangements
  • For material suppliers in regulated sectors, evidence of traceability and product testing

Approved suppliers are typically added to an approved suppliers register so that purchases can only be placed with suppliers that have been through the assessment process. This is where ER3 Key Supplier and Contractor Register fits in - a single list of who has been approved, for what, and when they were last reviewed.

Controlling Purchases Day-to-Day

Once suppliers are approved, day-to-day purchasing control happens through a handful of routine disciplines.

Specifications. What is being bought should be defined clearly enough that the supplier knows what to deliver and the organisation can verify what it received. A purchase for safety boots that just says "safety boots" is not a specification; one that includes safety standard (EN ISO 20345), steel toe class, size range and colour is.

Purchase orders. Orders are placed through a controlled process with appropriate authority levels, referencing the specification and the supplier's agreed pricing. For significant purchases, written purchase orders create a record that can be verified on receipt. For small routine purchases, looser controls may be appropriate.

Goods receipt and inspection. Incoming products are checked against what was ordered. For routine supplies this may be a straight count against the delivery note. For critical items it may include measurement, functional testing, material certificates, batch records or supplier-provided test data. Non-conforming goods are quarantined and either returned or subject to a formal concession.

Service delivery verification. For externally provided services and outsourced processes, the equivalent of goods receipt is verification that the service was delivered to the agreed scope and standard. This might be checking a calibration certificate, reviewing a cleaning schedule completion sheet, or witnessing a subcontracted installation.

Monitoring Supplier Performance

Approval and individual-purchase control deal with suppliers at the start and at the transaction level. Supplier performance monitoring deals with the pattern over time.

A simple monitoring approach captures a few measures for each key supplier:

  • On-time delivery - percentage of orders delivered on or before the agreed date
  • Quality - percentage of deliveries received without defect or non-conformity
  • Response to issues - how promptly and effectively the supplier addresses problems
  • Commercial performance - pricing stability, accuracy of invoicing, responsiveness to queries

For most organisations, tracking these for the top ten or twenty suppliers is enough. Smaller or occasional suppliers can be reviewed less formally. The data is reviewed periodically - quarterly for active suppliers, annually for less critical ones - and feeds into the re-evaluation required by Clause 8.4. Suppliers whose performance has declined can be re-rated, put on notice, or removed from the approved list.
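The monitoring approach above can be kept as a small scorecard that is rebuilt from goods-receipt records at each review. The following is an added example, not code from the original page or from the alphaZ toolkit: the delivery records, supplier names, tier labels and the acceptance thresholds are constructed for illustration, and the on-time and quality measures are computed exactly as the text defines them (orders delivered on or before the agreed date; deliveries received without a non-conformity). Response to issues and commercial performance are qualitative and are assumed to be recorded separately.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Delivery:
    """One goods-receipt record. `conforming` is False when a non-conformity
    was raised on receipt (wrong specification, damage, failed inspection)."""
    supplier: str
    due: date
    received: date
    conforming: bool


@dataclass(frozen=True)
class Scorecard:
    supplier: str
    deliveries: int
    on_time_pct: float   # delivered on or before the agreed date
    quality_pct: float   # received without defect or non-conformity


# Review cadence by risk tier, following the text: quarterly for active
# (critical) suppliers, annually for less critical ones, and only on a
# trigger for routine ones. The tier labels are an assumption.
REVIEW_CADENCE = {
    "critical": "quarterly",
    "important": "annually",
    "routine": "on trigger",
}

# Acceptance thresholds are assumptions for illustration; each organisation sets its own.
MIN_ON_TIME_PCT = 80.0
MIN_QUALITY_PCT = 90.0


def build_scorecards(records: Iterable[Delivery]) -> dict[str, Scorecard]:
    """Aggregate goods-receipt records into one scorecard per supplier."""
    counts: dict[str, list[int]] = {}  # supplier -> [total, on_time, conforming]
    for r in records:
        c = counts.setdefault(r.supplier, [0, 0, 0])
        c[0] += 1
        c[1] += int(r.received <= r.due)   # early or on the day counts as on time
        c[2] += int(r.conforming)
    return {
        s: Scorecard(s, n, round(100 * ot / n, 1), round(100 * ok / n, 1))
        for s, (n, ot, ok) in counts.items()
    }


def review_action(card: Scorecard) -> str:
    """Map a scorecard to the re-evaluation outcomes the text lists:
    retain, put on notice, or re-evaluate with removal on the table."""
    below = [card.on_time_pct < MIN_ON_TIME_PCT, card.quality_pct < MIN_QUALITY_PCT]
    if all(below):
        return "re-evaluate: consider removal from approved list"
    if any(below):
        return "on notice"
    return "retain"


def review_report(records: Iterable[Delivery], tiers: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """(supplier, tier, review cadence, action) for every supplier with records.
    Suppliers missing from `tiers` are treated as routine."""
    cards = build_scorecards(records)
    return [
        (s, tiers.get(s, "routine"), REVIEW_CADENCE[tiers.get(s, "routine")], review_action(c))
        for s, c in sorted(cards.items())
    ]


# Constructed sample data: three suppliers over one review period.
SAMPLE_RECORDS = [
    Delivery("Acme Machining", date(2024, 1, 10), date(2024, 1, 10), True),
    Delivery("Acme Machining", date(2024, 2, 14), date(2024, 2, 16), True),    # two days late
    Delivery("Acme Machining", date(2024, 3, 5), date(2024, 3, 5), True),
    Delivery("Acme Machining", date(2024, 4, 2), date(2024, 4, 1), True),      # delivered early
    Delivery("Acme Machining", date(2024, 5, 7), date(2024, 5, 7), True),
    Delivery("Bolt Supplies", date(2024, 1, 20), date(2024, 1, 25), False),    # late and rejected
    Delivery("Bolt Supplies", date(2024, 2, 20), date(2024, 2, 20), True),
    Delivery("Bolt Supplies", date(2024, 3, 20), date(2024, 3, 28), True),
    Delivery("Bolt Supplies", date(2024, 4, 20), date(2024, 4, 20), True),
    Delivery("Northern Cleaning", date(2024, 1, 31), date(2024, 1, 31), True),
    Delivery("Northern Cleaning", date(2024, 2, 29), date(2024, 2, 29), False),  # service not to scope
    Delivery("Northern Cleaning", date(2024, 3, 31), date(2024, 3, 31), True),
    Delivery("Northern Cleaning", date(2024, 4, 30), date(2024, 4, 30), True),
]
SAMPLE_TIERS = {
    "Acme Machining": "critical",
    "Bolt Supplies": "important",
    "Northern Cleaning": "routine",
}

if __name__ == "__main__":
    for supplier, tier, cadence, action in review_report(SAMPLE_RECORDS, SAMPLE_TIERS):
        print(f"{supplier:<20} {tier:<10} reviewed {cadence:<10} -> {action}")
```

With the sample records, Acme Machining scores 80% on time and 100% quality and is retained, Northern Cleaning is on time but has a quality figure below threshold and goes on notice, and Bolt Supplies falls below both thresholds and is flagged for re-evaluation. The point of keeping the thresholds and tiers as named constants is that the re-evaluation rule is visible and auditable, rather than being a judgement made afresh at each review.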

This monitoring is what gives purchasing and supplier management its improvement dimension. Without it, a supplier approved five years ago remains approved on the basis of a five-year-old assessment, regardless of how they are actually performing now.

Common Mistakes in Purchasing and Supplier Management

A few patterns come up frequently enough to mention.

Approving suppliers once and never revisiting. An approved suppliers register that is never pruned accumulates suppliers that should no longer be on it. Re-evaluation on a defined cycle keeps the register honest.

Treating all suppliers the same. Applying the same depth of control to a stationery supplier as to a safety-critical component supplier wastes effort in one case and takes risks in the other. Tiering suppliers by risk and importance is more effective than a one-size-fits-all process.

No clear specifications. Vague or verbal specifications make it hard to reject non-conforming deliveries because it is never clear what was actually agreed. Written specifications for anything significant make acceptance and rejection simple.

Separating purchasing from quality. When the purchasing function has no link to the quality function, poor-quality suppliers can remain on the approved list because the data never reaches the people who decide. Integrating supplier performance data into management review and making quality issues visible to purchasing decisions corrects this.

Ignoring contractors as suppliers. Contractors working on site are covered by Clause 8.4, not only by health and safety regulations. Treating them as a separate category - managed only through H&S paperwork - misses the quality and management system obligations that also apply.

We buy in from about two hundred suppliers across everything we do - raw materials, subcontracted machining, contract cleaning, calibration services, IT support. They do not all get the same attention. We rank them into three tiers based on what they supply and what it costs us if they fail.

Tier one is the critical suppliers - the ones whose failure would stop us manufacturing or cause us to miss customer deadlines. We audit those every year or two and review their performance quarterly. Tier two is important but substitutable - we track monthly and review annually. Tier three is routine - we notice if they go wrong but do not monitor them actively.

The tiering is what keeps the process manageable. Trying to apply tier one controls to two hundred suppliers would be impossible. Ignoring tier one suppliers would be dangerous.

From a health and safety angle, contractor management is one of the bits people forget when they think about purchasing. Anyone you bring onto site to do work is a supplier, and they also need to be managed under CDM, the Management Regulations and your own site safety arrangements.

The practical overlap is approval. An approved contractor list should cover competence for the work, relevant qualifications, insurance, risk assessments and method statements - the H&S evidence and the management system evidence at the same time. One register, not two.

On Clause 8.4, the first thing I check is whether there is actually an approved suppliers list that the purchasing team uses. If purchasing is happening from suppliers that are not on the list, or if the list includes suppliers that nobody could remember approving, the process is not under control.

The second thing I check is monitoring. A good supplier management process has current data on supplier performance - on-time delivery, quality issues, recent non-conformities - and uses it in decisions. When I ask who the worst-performing supplier is and the answer is a shrug, I know the data is not being used even if it exists.

Practical Compliance Guidance

Consider establishing a list of key suppliers for your business, together with details of how you will appraise them. This could be through certifications they hold (such as ISO certification), checks of their insurance cover, or a review of their overall performance. You can then note any issues with suppliers and plan ahead for future changes.

To collect the key details from each supplier, individual appraisal forms can be sent out to gather the relevant information.

The alphaZ toolkits include the policies, procedures, registers and forms needed to operate purchasing and supplier management in line with ISO 9001 Clause 8.4. The documents below are the ones most directly relevant, with IMS1 providing the overall management system context.

  • ISO 9001 Management System Toolkit - includes the purchasing policy, supplier approval procedure, supplier register and appraisal form needed to cover Clause 8.4 from day one.
  • ISO 9001, 14001, 45001 IMS Toolkit - for organisations that also need to consider environmental and health and safety aspects of suppliers, particularly contractors and on-site service providers. Integrates supplier management across all three standards.
  • ER3 Key Supplier and Contractor Register - central approved suppliers list. One register covering key suppliers, subcontractors and on-site contractors, with approval status, risk tier, last review date and scope of approval.
  • F-Q9 Supplier and Contractor Appraisal - assessment form used during initial approval and periodic re-evaluation. Captures the capability, certification, insurance, H&S arrangements and performance information the approval decision rests on.
  • F-IMS23 Opportunities and Risks Register - where significant supplier-related risks are captured at the strategic level (dependency on key suppliers, supply chain exposure, single points of failure) alongside the mitigation controls.
  • ER1 Issues and Actions Register - used to log supplier non-conformities, customer complaints traceable to suppliers, and the corrective actions taken. Patterns here feed into the supplier re-evaluation process.
  • F-Q3 Management Review - supplier performance is a standard input to management review. F-Q3 captures the review of top supplier performance, supplier-related non-conformities and decisions on changes to the approved list.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

An ISO 9001 certified supplier has demonstrated that they operate a management system that meets the standard, which is evidence of capability. It does not remove the need for the organisation to assess them for the specific work they will provide, to define requirements clearly and to monitor their ongoing performance. Certification is useful input to the approval decision but does not replace it.

The frequency should match the risk and importance of the supplier. Critical or high-risk suppliers are typically re-evaluated annually, sometimes with an on-site audit every two or three years. Moderate-risk suppliers might be re-evaluated every two years based on performance data. Low-risk routine suppliers can be reviewed every three years or on a trigger basis - for example, if their performance drops or if the relationship changes significantly. There is no single right answer in the standard - the organisation decides based on risk.

Yes. Sub-contractors working on site are externally provided service providers under Clause 8.4, so the approval, control and monitoring requirements apply in addition to any health and safety obligations. In practice most organisations manage contractors through a combined approved contractor list that covers both the quality management system requirements and the H&S approval (competence, insurance, risk assessments, method statements) in one place.

Non-conforming goods from a supplier are handled through the non-conforming outputs process - the material is quarantined and either rejected and returned, reworked, or accepted through a formal concession. The incident is also recorded against the supplier's performance history. A single non-conformity may be noted and followed up with the supplier. Repeated non-conformities trigger re-evaluation and may result in the supplier being removed from the approved list. Either way, the record is evidence for management review and for the next supplier re-evaluation.

UK Legislation

No UK legislation specifically requires an ISO-style purchasing and supplier management process, but several legal frameworks place obligations on how externally provided products, services and labour are controlled.
