Supplier evaluation and ethical sourcing

24 August 2020


Supplier evaluation / management

Few, if any, organizations can do everything in-house. To some degree, most of us rely on external parties to provide something included in our product or service. It is therefore not surprising that all the main ISO management system standards include requirements relating to supplier management. While the standards all have different perspectives, the general theme is that outsourcing or buying something in should not affect the organization's ability to meet requirements. In short, we cannot shirk our responsibilities and hide behind outsourcing.

Standards requirements

The following is a brief summary of relevant requirements in some of the management system standards.

For those seeking to comply with ISO 9001 (Quality), its clause 8.4 includes a number of specific requirements for the management of what it describes as 'external providers'. That means any person or organization outside of your organization that provides you with products or services, or to whom you outsource work that ultimately forms part of your own product or service. It is necessary to ensure that any outsourced product, service or process meets requirements. Your organization is expected to determine what controls are necessary and implement those controls. You are expected to have arrangements in place for evaluating, selecting and monitoring those external providers. You are expected to communicate with those external providers on various factors that may affect quality. That might include what is to be provided, how it will be approved, control, monitoring and checking activities, and any required competences / qualifications.

Other clauses may also include other aspects of the supplier relationship. For example, care of property belonging to the external provider (8.5.3).

Many organizations maintain a Suppliers List and schedule regular supplier assessments or reviews. These can help to ensure that the required competences and insurances are in place along with any other assessment criteria. Such a list can also be helpful to direct people to the appropriate external provider when needed.

In ISO 45001 (OH&S), clause 8.1.4 deals with the implications of the procurement process for the health and safety of contractors' workers and others who may be affected by their work. Outsourced work must be controlled and consistent with legal and other requirements.

The ISO 27001 Information Security standard includes control A15, which is specific to supplier relationships. The main objectives here are to ensure that information assets accessible by suppliers are protected and that there is a mutually agreed level of information security and service delivery. These requirements are often addressed in documents such as contracts, SLAs (service level agreements), and confidentiality or non-disclosure agreements.

Ethical sourcing

In recent years, there has also been a growing trend towards 'ethical sourcing'. Recent media attention, such as this article on the BBC web site, shows that even corporate giants including Apple and Nike are under scrutiny. Regardless of the conclusions of this particular situation, the report is indicative of the trend. Ethical sourcing may be described as ensuring that materials and products being procured are obtained responsibly and sustainably, that the supplier's workers are safe and treated fairly, and that both environmental and social impacts are taken into account. For many organizations, ethical sourcing is becoming a key component of their risk mitigation strategy and protection of brand reputation.

CIPS (The Chartered Institute of Procurement and Supply) has published an article with ten tips and principles for ethical sourcing in supplier management.

There is a clear convergence between this trend towards ethical sourcing and the supplier management / procurement requirements of ISO standards. For example, in the ISO 45001 OH&S standard, clause requires organizations to ensure that their outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. Legal requirements are increasingly likely to include legislation on ethical sourcing being considered in territories such as Europe and the US. The 'other' requirements mentioned in the clause may include the ethical sourcing and 'Fair trading' policies of the organization itself or associations to which it belongs.

Using software for supplier evaluation

Qudos provides tools to help our clients effectively and efficiently incorporate supplier controls into their management systems. The latest version of Qudos 3 IMS software includes enhanced tools for listing your preferred suppliers with their products / services and contact details, and performing score-based assessments or evaluations. We have included a series of template checklists to help you get started. These include general assessment templates for product and service providers. There is even one specifically based on ethical sourcing considerations. It includes hints / tips for checks on a range of related issues such as forced labour, child labour and abuse or intimidation of workers. Of course, the templates may all be adjusted as required.

Contact us if you would like to know more about these new tools.


Relevant standard clauses / requirements include: ISO 9001 (Quality) Clause 8.4 Control of externally provided processes, products and services; ISO 45001 (OHS) Clause 8.1 Procurement; ISO 27001 (Information Security) Annex control A15 Supplier relationships.

Photo by Andy Li on Unsplash