In Canada, we hold the licence for a viral transport medium. We are going to hire a 3rd party contractor to actually manufacture the medical device. Who needs ISO? Us? The 3rd party contractor? Or both?
This decision depends primarily on who is the holder of the product, whose name will be on the product as the manufacturer.
If you are a manufacturer (license), then the manufacturer is expected to have ISO 13485 implemented. According to ISO 13485, when the manufacturer (license holder) outsources any part of the production process, this part of the process is still the manufacturer's responsibility. This means that regardless of the fact that you have outsourced that part of the production, that production must also be carried out in accordance with the requirements of ISO 13485. It doesn't matter if they will be ISO 13485 certified, or if you will make all this documentation as part of your ISO 13485 quality system. It all depends on how you agree. There must be a Quality Agreement between you and that company in which all mutual responsibilities will be described. Be prepared that regardless of your mutual agreement and the fact whether they are certified or not, there is a possibility that during your audit by a certification body, the auditor requires that an audit be conducted in that outsourced company as well.
For more information on this topic, please see the following article: