Re: Determining what are and are not Outsourced Process
I agree the standard does not say you SHALL list them...but it would be kind of difficult to define what controls are in place if you don't identify what the processes are in the first place.
I describe it more as follows...
The standard, in cl 4.1, requires you to define all sorts of details about your processes...When it comes to outsourced processes, the standard still requires you to define them as a process related to your QMS, but allows you to do much less documenting of the details...just the necessary controls you have applied. I believe that is because the standard recognizes that most of the controls are provided by the suppliers. You just need to define any additional controls you bring to the party.
Also, it should be noted, all outsourced processes and purchases shall be controlled - some are controlled under the "Outsourced Processes" (cl 4.1) category, and the rest under Purchasing cl 7.4. So, if it is not one, it will fall under the other.
There is no requirement to list your outsourced processes.
What the standard says is:
"Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to those processes shall be defined within the quality management system."
I don't see list in there anywhere.
You should appeal that nonconformance. The auditor appears to have fallen into "requirement creep".
I would view buying labels as simply making a purchase, not outsourcing.
The Auditing Practices Group has published guidelines on outsourcing that you may find useful. Google TC-176 and look on their site for Auditing Practices Group and look for information on outsourcing. TC-176 is the technical committee within ISO that is responsible for ISO 9001:2008.
What the standard says is:
"Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to those processes shall be defined within the quality management system."
I don't see list in there anywhere.
You should appeal that nonconformance. The auditor appears to have fallen into "requirement creep".
I would view buying labels as simply making a purchase, not outsourcing.
The Auditing Practices Group has published guidelines on outsourcing that you may find useful. Google TC-176 and look on their site for Auditing Practices Group and look for information on outsourcing. TC-176 is the technical committee within ISO that is responsible for ISO 9001:2008.
I agree the standard does not say you SHALL list them...but it would be kind of difficult to define what controls are in place if you don't identify what the processes are in the first place.
I describe it more as follows...
The standard, in cl 4.1, requires you to define all sorts of details about your processes...When it comes to outsourced processes, the standard still requires you to define them as a process related to your QMS, but allows you to do much less documenting of the details...just the necessary controls you have applied. I believe that is because the standard recognizes that most of the controls are provided by the suppliers. You just need to define any additional controls you bring to the party.
Also, it should be noted, all outsourced processes and purchases shall be controlled - some are controlled under the "Outsourced Processes" (cl 4.1) category, and the rest under Purchasing cl 7.4. So, if it is not one, it will fall under the other.