What is the primary objective of AS9100?

AS9100's primary objective is to establish a quality management system (QMS) for aviation, space, and defense organizations that ensures product safety, configuration integrity, and supply chain reliability. Developed by the IAQG, AS9100D (2016) builds on ISO 9001:2015's 10-clause structure with over 100 aerospace additions, including operational risk management (Clause 8.1.1), configuration management (8.1.2), product safety (8.1.3), and counterfeit parts prevention (8.1.4). It mandates process-based controls, risk-based thinking across enterprise (Clause 6.1) and operational levels, and lifecycle assurance to prevent catastrophic failures.

Who is legally or professionally required to comply with AS9100?

AS9100 applies professionally to organizations designing, developing, manufacturing, or servicing aviation, space, and defense products. It targets manufacturers of parts, materials suppliers, design centers, and service providers in ASD supply chains; AS9110 suits MRO, AS9120 distributors. Major OEMs and primes require certification for supplier qualification and OASIS database visibility. No legal mandate exists, but contractual flow-downs make it essential; scope excludes non-applicable clauses only if justified without compromising conformity.

Does AS9100 require an external audit or third-party certification?

Yes, AS9100 requires accredited third-party certification via a two-stage external audit process. Stage 1 assesses documentation and readiness; Stage 2 verifies implementation and effectiveness using AS9101 guidance. Certification bodies under IAQG oversight conduct audits, with nonconformities resolved via corrective actions (typically 60-90 days). Certified status is listed in OASIS for market access.

How often should an assessment for AS9100 be performed?

AS9100 requires annual surveillance audits and recertification every three years post-initial certification. Internal audits occur per a planned program (Clause 9.2), risk-based on processes like Clause 8 operations. Management reviews (Clause 9.3) are periodic, typically quarterly, evaluating KPIs, risks, and improvements.

What are the consequences of non-compliance with AS9100?

Non-compliance with AS9100 risks certification suspension, contract loss, and supply chain exclusion. Major nonconformities in audits (e.g., Clause 8 controls) demand root-cause analysis and verification; failure leads to recertification denial. Professionally, OEMs delist non-certified suppliers from OASIS, causing market access denial and potential liability from quality escapes or safety events.

An AS9100 be mapped to other international frameworks?

Yes, AS9100D aligns structurally with Annex SL frameworks via its 10-clause ISO 9001:2015 base. It supports integrated systems by sharing PDCA cycles, risk-based thinking, and clauses 4-10, enabling mapping to compatible standards without clause conflicts.

What is the first step to begin implementing AS9100?

The first step is conducting a gap analysis against AS9100D clauses to assess current QMS maturity. Define scope (Clause 4.3), map processes, identify aerospace gaps (e.g., Clause 8 additions), and prioritize via risk register, involving cross-functional teams for a remediation roadmap.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain. The 2022 edition (ISO 28000:2022) provides a risk-based framework using the PDCA cycle to identify security risks, implement proportionate controls across physical, personnel, procedural, and technical domains, evaluate performance via metrics and audits, and drive continual improvement. It protects people, assets, goods, infrastructure, and information in supply-chain ecosystems, applicable to all organization sizes from micro-enterprises to multinationals.

Who is legally or professionally required to comply with ISO 28000?

No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard. Professionally, it applies to supply-chain participants in logistics, transportation, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers where contractual obligations, customs programs (e.g., C-TPAT equivalents), tenders, or insurance demands necessitate demonstrable SMS. Scalable for all sizes, it targets C-suite, supply-chain directors, security managers, and compliance officers facing disruption risks.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification, but supports conformity verification via internal or external audits. Certification follows ISO 28003 requirements for bodies providing audit and certification, typically via accredited Certification Bodies (e.g., ANAB). Process includes Stage 1 (readiness) and Stage 2 (effectiveness) audits, with 3-year validity and annual surveillance. Certification demonstrates conformance to stakeholders but is optional.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained continually, with internal audits at planned intervals per a risk-based program. Management reviews occur at planned intervals (typically annually), considering performance, risks, and changes. Risk reassessments happen annually or upon major changes (e.g., new suppliers, threats). Monitoring uses KPIs like incident rates per 1,000 shipments and supplier control validation.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary. Consequences include indirect risks: lost contracts, exclusion from tenders/customs programs, higher insurance premiums, operational disruptions from theft/sabotage, reputational damage, and litigation from incidents. Unmanaged supply-chain vulnerabilities lead to cascading outages, product loss, and regulatory scrutiny in high-risk sectors.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the ISO High Level Structure (HLS), enabling mapping to compatible management systems. Its PDCA cycle and clauses (4-10) integrate with frameworks sharing HLS, facilitating unified risk registers, audits, and reviews. This supports combined implementation without violating standalone ISO 28000 requirements.

What is the first step to begin implementing ISO 28000?

The first step is Phase 0: secure executive sponsorship, define SMS scope, and charter the program. Conduct supply-chain mapping, appoint a Senior Responsible Owner, allocate resources, and produce a project charter with timeline. This establishes boundaries, risks, and governance before gap analysis.

Standards Comparison

AS9100 vs ISO 28000

AS9100

Mandatory

2016

Aerospace quality management system extending ISO 9001

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

AS9100 enhances ISO 9001 for aerospace quality, safety, and supply chain integrity, while ISO 28000 establishes risk-based security management across all supply chains. Aerospace firms adopt AS9100 for OEM approval; others use ISO 28000 for resilience and compliance.

Quality Management

AS9100

AS9100D:2016 Quality Management Systems - Aerospace

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Configuration management ensures product integrity lifecycle
Product safety controls across entire lifecycle
Counterfeit parts prevention and detection processes
Operational risk management in production planning
Enhanced supplier controls and traceability requirements

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle with HLS for ISO standards integration
Leadership-driven policy and supplier governance
Operational controls for physical, cyber, personnel risks
Internal audits and third-party certification pathway

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9100 Details

What It Is

AS9100D:2016 is the international certification standard for quality management systems (QMS) in aviation, space, and defense. It extends ISO 9001:2015 with over 100 aerospace-specific requirements. Primary purpose: ensure product safety, configuration integrity, and supply chain reliability in high-risk sectors. Adopts a process-based, risk-oriented approach via 10-clause Annex SL structure.

Key Components

Core pillars: operational planning (Clause 8), with configuration management (8.1.2), product safety (8.1.3), counterfeit prevention (8.1.4), operational risks (8.1.1).
Built on ISO 9001 PDCA cycle, plus human factors, supplier controls.
Certification via accredited third-party audits: Stage 1/2 initial, annual surveillance, triennial recertification.

Why Organizations Use It

Market access: required by OEMs/primes for contracts.
Risk reduction: prevents safety incidents, escapes, counterfeits.
Benefits: improved delivery, lower defects, supply chain resilience.
Builds stakeholder trust via OASIS database visibility.

Implementation Overview

Phased: gap analysis, process design, training, internal audits, certification.
Applies to designers/manufacturers in ASD; 6-18 months typical.
Involves cross-functional teams, digital tools for traceability.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security and resilience — Security management systems — Requirements — is an international management system standard for establishing, implementing, maintaining, and improving a security management system (SMS) tailored to supply chain security. It uses a risk-based, PDCA (Plan-Do-Check-Act) framework, not prescriptive controls.

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement
Risk assessment/treatment aligned with ISO 31000
Security policy, objectives, operational controls, supplier governance
High Level Structure (HLS) for ISO integration
Third-party certification via accredited bodies (ISO 28003)

Why Organizations Use It

Reduces theft, sabotage, disruptions; lowers insurance costs
Meets contractual/regulatory needs (e.g., C-TPAT equivalents)
Enhances resilience, market access, trade facilitation
Builds trust with stakeholders, partners, customers

Implementation Overview

Phased: scoping, gap analysis, risk strategy, deployment, audits
Scalable for all sizes/industries (logistics, manufacturing, pharma)
6–36 months; requires training, KPIs, continual improvement

Key Differences

Aspect	AS9100	ISO 28000
Scope	Aerospace QMS with safety, configuration, counterfeit controls	Supply chain security management system risks
Industry	Aviation, space, defense organizations globally	All supply chain sectors, any organization size
Nature	Voluntary certification standard building on ISO 9001	Voluntary management system standard for security
Testing	Stage 1/2 audits, annual surveillance, recert every 3 years	Internal audits, management review, optional certification audits
Penalties	Loss of certification, market access denial	No legal penalties, potential business continuity risks

Scope

AS9100

Aerospace QMS with safety, configuration, counterfeit controls

ISO 28000

Supply chain security management system risks

Industry

AS9100

Aviation, space, defense organizations globally

ISO 28000

All supply chain sectors, any organization size

Nature

AS9100

Voluntary certification standard building on ISO 9001

ISO 28000

Voluntary management system standard for security

Testing

AS9100

Stage 1/2 audits, annual surveillance, recert every 3 years

ISO 28000

Internal audits, management review, optional certification audits

Penalties

AS9100

Loss of certification, market access denial

ISO 28000

No legal penalties, potential business continuity risks

Frequently Asked Questions

Common questions about AS9100 and ISO 28000

AS9100 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

You Guide on how to Start Implementing NIST CSF in Your Organization

Master NIST CSF implementation in your organization with this detailed guide. Learn core functions, key steps, best practices, and tips for cybersecurity succes

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

NIST CSF 2.0 Deep Dive: Mastering the Updated Framework Core Functions

Unpack NIST CSF 2.0's enhanced Core Functions: Govern, Identify, Protect, Detect, Respond, Recover. Get SME playbooks, governance shifts & strategies for cyber

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how AS9100 and ISO 28000 compare against other standards

Other AS9100 Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Core pillars: operational planning (Clause 8), with configuration management (8.1.2), product safety (8.1.3), counterfeit prevention (8.1.4), operational risks (8.1.1).

Built on ISO 9001 PDCA cycle, plus human factors, supplier controls.

Certification via accredited third-party audits: Stage 1/2 initial, annual surveillance, triennial recertification.

What It Is

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement

Risk assessment/treatment aligned with ISO 31000

Security policy, objectives, operational controls, supplier governance

High Level Structure (HLS) for ISO integration

Third-party certification via accredited bodies (ISO 28003)

Aspect

AS9100

ISO 28000

Scope

Aerospace QMS with safety, configuration, counterfeit controls

Supply chain security management system risks

Industry

Aviation, space, defense organizations globally

All supply chain sectors, any organization size

Nature

Voluntary certification standard building on ISO 9001

Voluntary management system standard for security

Testing

Stage 1/2 audits, annual surveillance, recert every 3 years

Internal audits, management review, optional certification audits

Penalties

Loss of certification, market access denial

No legal penalties, potential business continuity risks