Q: My company has bought another company in Canada and we are outsourcing to them. They are not certified to ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements. Do we have the legal right to require them to get certified since we are?
A: Thank you for contacting the ASQ Ask the Experts Program. With regard to your question, there is no requirement in ISO 9001 that requires any organization or their suppliers to be certified by a third-party. Certification is only needed if it’s required by a customer contract/purchase order, or if an organization has opted to be ISO 9001 certified.
However, as an ISO 9001 certified organization, your quality management system must include controls to maintain control over outsourced processes. This requirement is stated in clause 4.1. The control over outsourced processes may include all or any of the following:
1. Use of an approved suppliers list (see clause 7.4.1)
2. An onsite supplier quality audit (see clause 7.4.3)
3. Review and approval of equipment, processes, procedures, methods, and personnel qualifications for processes that require validation such as welding, nondestructive testing, heat treatment or others (see clause 7.5.2).
In summary, ISO 9001 certification is a management decision and not a requirement. Organizations that follow the ISO 9001 requirements and have outsourced processes should have controls in place to manage those processes.
I hope this helps.
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
For more on this topic, please visit ASQ’s website.