Clause 8 of ISO 9001:2015 is the longest in the standard — and the most operational. It covers everything the organization does to deliver the product or service to the customer: from planning operations, managing requirements, controlling suppliers and design (if applicable), to product release and handling nonconforming outputs.
In this guide we explain what each sub-clause (8.1 to 8.7) requires, which critical processes it covers, what documents auditors ask for and the most common mistakes we see when working with companies through certification.
What you’ll find in this guide
- What does Clause 8 of ISO 9001 require?
- 8.1 Operational planning and control
- 8.2 Requirements for products and services
- 8.3 Design and development
- 8.4 Control of externally provided products and services
- 8.5 Production and service provision
- 8.6 Release of products and services
- 8.7 Control of nonconforming outputs
- How to implement Clause 8 in an SME
- Documents and evidence auditors ask for
- Common mistakes auditors flag
- How QualityWeb 360 makes Clause 8 easier
- Frequently asked questions
What does Clause 8 of ISO 9001 require?
Clause 8 is called “Operation” and has seven sub-clauses:
- 8.1 — Operational planning and control
- 8.2 — Requirements for products and services
- 8.3 — Design and development (the only excludable clause when not applicable)
- 8.4 — Control of externally provided processes, products and services
- 8.5 — Production and service provision
- 8.6 — Release of products and services
- 8.7 — Control of nonconforming outputs
In short: if Clauses 4-7 are the foundation, Clause 8 is where the QMS turns into real operation. The full cycle is controlled here: customer order → planning → procurement → production/service → delivery → nonconformity handling.
8.1 Operational planning and control
The organization must plan, implement and control the processes needed to meet product/service requirements by determining:
- Requirements for the products and services
- Criteria for the processes and product/service acceptance
- Resources needed to achieve conformity
- Implementation of process control according to the criteria
- Documented information needed to have confidence the processes have been carried out as planned
Typical output: quality plans per product or service, specifications, technical datasheets, operational procedures.
8.2 Requirements for products and services
This sub-clause splits into four blocks:
- 8.2.1 Customer communication: product/service information, inquiries, quotes, orders, feedback, handling customer property, contingencies
- 8.2.2 Determining requirements: legal requirements, customer ones, implicit ones, plus those the organization itself considers
- 8.2.3 Review of requirements: before committing to delivery, verify the requirements can be met
- 8.2.4 Changes to requirements: if the customer changes a requirement, update documented information and notify relevant people
8.3 Design and development
Applies to organizations that design products or services. The standard requires design planning, inputs (customer requirements, regulatory, prior art), controls (review, verification, validation), outputs (drawings, specs, instructions) and design change control.
Important: this is the only excludable clause in ISO 9001:2015. If the organization doesn’t design (e.g., manufactures to customer specs, distributes, resells), it can exclude it with justification.
8.4 Control of externally provided processes, products and services
This sub-clause covers supplier management. The organization must:
- Evaluate, select and re-evaluate suppliers based on their ability to meet requirements
- Define type and extent of control over each supplier (more control for critical suppliers)
- Ensure that externally provided products/services meet specified requirements
- Communicate to the supplier: requirements, approval criteria, personnel competence, interactions, control and monitoring, verification activities
Typical output: supplier evaluation matrix, contracts/agreements, supplier performance records, audit plans for critical suppliers.
8.5 Production and service provision
Sub-clause 8.5 covers actual production/service controls:
- 8.5.1 Control: documented information, monitoring and measurement resources, infrastructure, competent people, process validation
- 8.5.2 Identification and traceability: when necessary, identify output status and maintain traceability
- 8.5.3 Property belonging to customers or external providers: safeguard what the customer or supplier has provided (information, materials, equipment)
- 8.5.4 Preservation: protect outputs during production to preserve conformity (handling, packaging, storage)
- 8.5.5 Post-delivery activities: warranties, maintenance, recalls, support
- 8.5.6 Control of changes: if there are changes during production, review and control them to maintain conformity
8.6 Release of products and services
The organization must implement planned arrangements to verify that product/service requirements have been met before release. Release to the customer must not proceed until planned arrangements are complete, unless approved by a relevant authority.
Documented information must be retained on two things: evidence of conformity with the acceptance criteria, and traceability to the person(s) authorizing release.
8.7 Control of nonconforming outputs
Outputs that don’t conform to requirements must be identified and controlled to prevent unintended use or delivery. Typical actions:
- Correction: rework, repair
- Segregation, containment, return or suspension of service provision
- Informing the customer when applicable
- Obtaining authorization for acceptance under concession when applicable
After correcting a nonconformity, conformity must be verified against requirements before releasing the product or service.
How to implement Clause 8 in an SME
Step 1 — Document critical operational processes
Identify the processes in the “customer order → delivery” cycle. Document operational procedures per process: sales, purchasing, planning, production/service, warehouse, shipping. Output: set of operational procedures.
Step 2 — Supplier evaluation system
List critical suppliers. Define evaluation criteria (quality, time, price, support) and approval thresholds. Evaluate initially and re-evaluate at least annually. Output: supplier matrix + evaluation records.
Step 3 — Nonconforming output control procedure
Define how nonconforming product/service is identified, recorded, segregated, dispositioned and verified for conformity. Train staff. Output: procedure + nonconformity record template.
Step 4 — Release checklist
For critical products/services, define the pre-release acceptance checklist and who’s authorized to sign. Log each release with evidence of criteria met. Output: checklist + release log.
Documents and evidence auditors ask for
- Operational procedures for critical processes
- Product/service specifications / technical datasheets
- Records of customer requirement review before commitment
- Supplier evaluation and re-evaluation matrix
- Purchasing records: orders, receipt, inspection
- Production/service records: plans, controls, inspections
- Identification and traceability records (when applicable)
- Release checklist + authorized signature
- Nonconforming output records with disposition and conformity verification
- Maintenance records of critical production equipment
Common mistakes auditors flag
- Generic supplier evaluation — all suppliers are evaluated the same way (an average score with no criteria). Solution: specific criteria (quality, time, support) and clear thresholds per category.
- Not reviewing requirements before commitment — customer orders are accepted without verifying capability or clarity of requirements. Solution: pre-acceptance review checklist in sales.
- Nonconforming outputs without traceability — the operator spots an NC but doesn’t record it; it’s “fixed on the side”. Solution: mandatory record even for small NCs + post-correction conformity verification.
- No release checklist — the product ships to the customer with no formal evidence that acceptance criteria were met. Solution: checklist signed by authorized person before delivery.
- Excluding clause 8.3 when design actually happens — the company modifies customer specs or develops variants but excludes 8.3. Solution: only exclude if no design actually takes place.
- Broken traceability — you can’t trace a delivered product lot back to the raw-material lot used. Solution: identification system (codes, labels) connecting production to procurement.
How QualityWeb 360 makes Clause 8 easier
QualityWeb 360 is a 100% cloud platform that centralizes your entire ISO 9001 QMS. For Clause 8 specifically, it helps with:
📊 Suppliers and nonconformities
Supplier evaluation module with configurable criteria, historical score and re-evaluation alerts. Nonconforming output log with disposition, authorizer and conformity verification. Each NC is traced to product, lot and supplier.
🔍 Traceability for audits
Every operational procedure, specification and release checklist lives in document control with author, date and version. When the auditor asks “who approved this release?”, the answer is one click away.
🔁 Periodic review with alerts
The system reminds you when to re-evaluate a supplier, when an NC stays open past its deadline, and when a process procedure needs updating. Evidence is ready for the external audit.
Frequently asked questions about ISO 9001 Clause 8
When can I exclude Clause 8.3 (Design and development)?
If your organization manufactures or provides services to customer specifications without developing its own products, you can exclude it. The exclusion also applies when products are resold without modification. It doesn’t apply if specs are modified, variants are developed, or new production processes are designed.
How often are suppliers re-evaluated?
The standard requires periodic re-evaluation but sets no frequency. Typical practice: annual for critical suppliers (those affecting product/service conformity), every 2 years for standard suppliers, and at any time when poor performance is detected.
What counts as “customer property” (8.5.3)?
Any material, information or equipment the customer provides for the organization to use in production/service. Examples: technical specs, drawings, tooling, raw material, personal data, proprietary software. The standard requires identifying, verifying, protecting and notifying the customer if loss or damage occurs.
What is “acceptance under concession”?
When a product or service doesn’t fully meet requirements but the customer decides to accept it under certain conditions (discount, deadline, accepted risk). Clause 8.7 requires obtaining formal authorization before delivering. It’s exceptional and must be documented.
Difference between “nonconformity” and “nonconforming output”?
A nonconforming output (8.7) is a specific product or service that failed to meet a requirement (e.g., a defective lot). A nonconformity (10.2) is a systemic failure — of the QMS or the standard. Recurring nonconforming outputs are a signal that a systemic nonconformity exists.
Is process validation mandatory?
Only for processes whose result can’t be verified by subsequent monitoring or measurement (special processes). Examples: welding, heat treatment, sterilization, chemical processes. For processes that can be inspected at the end (the majority), pre-validation isn’t required but process controls are.
Do I need traceability for every product?
Only when traceability is a requirement (by sector standard, customer contract or the organization’s own decision). The standard requires identifying output status (which inspection it passed), but detailed lot-to-raw-material traceability depends on the sector. In food, pharma and automotive it’s standard; in professional services it may not be necessary.