What is the primary objective of **AS9100**?

**AS9100's primary objective is to establish a quality management system (QMS) for aviation, space, and defense organizations that ensures product safety, configuration integrity, and supply chain reliability.** Developed by the IAQG, AS9100D (2016) builds on ISO 9001:2015's 10-clause structure with over 100 aerospace additions, including operational risk management (Clause 8.1.1), configuration management (8.1.2), product safety (8.1.3), and counterfeit parts prevention (8.1.4). It mandates process-based controls, risk-based thinking across enterprise (Clause 6.1) and operational levels, and lifecycle assurance to prevent catastrophic failures.

Who is legally or professionally required to comply with **AS9100**?

**AS9100 applies professionally to organizations designing, developing, manufacturing, or servicing aviation, space, and defense products.** It targets manufacturers of parts, materials suppliers, design centers, and service providers in ASD supply chains; AS9110 suits MRO, AS9120 distributors. Major OEMs and primes require certification for supplier qualification and OASIS database visibility. No legal mandate exists, but contractual flow-downs make it essential; scope excludes non-applicable clauses only if justified without compromising conformity.

Does **AS9100** require an external audit or third-party certification?

**Yes, AS9100 requires accredited third-party certification via a two-stage external audit process.** Stage 1 assesses documentation and readiness; Stage 2 verifies implementation and effectiveness using AS9101 guidance. Certification bodies under IAQG oversight conduct audits, with nonconformities resolved via corrective actions (typically 60-90 days). Certified status is listed in OASIS for market access.

How often should an assessment for **AS9100** be performed?

**AS9100 requires annual surveillance audits and recertification every three years post-initial certification.** Internal audits occur per a planned program (Clause 9.2), risk-based on processes like Clause 8 operations. Management reviews (Clause 9.3) are periodic, typically quarterly, evaluating KPIs, risks, and improvements.

What are the consequences of non-compliance with **AS9100**?

**Non-compliance with AS9100 risks certification suspension, contract loss, and supply chain exclusion.** Major nonconformities in audits (e.g., Clause 8 controls) demand root-cause analysis and verification; failure leads to recertification denial. Professionally, OEMs delist non-certified suppliers from OASIS, causing market access denial and potential liability from quality escapes or safety events.

An **AS9100** be mapped to other international frameworks?

**Yes, AS9100D aligns structurally with Annex SL frameworks via its 10-clause ISO 9001:2015 base.** It supports integrated systems by sharing PDCA cycles, risk-based thinking, and clauses 4-10, enabling mapping to compatible standards without clause conflicts.

What is the first step to begin implementing **AS9100**?

**The first step is conducting a gap analysis against AS9100D clauses to assess current QMS maturity.** Define scope (Clause 4.3), map processes, identify aerospace gaps (e.g., Clause 8 additions), and prioritize via risk register, involving cross-functional teams for a remediation roadmap.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain.** The 2022 edition (ISO 28000:2022) provides a risk-based framework using the PDCA cycle to identify security risks, implement proportionate controls across physical, personnel, procedural, and technical domains, evaluate performance via metrics and audits, and drive continual improvement. It protects people, assets, goods, infrastructure, and information in supply-chain ecosystems, applicable to all organization sizes from micro-enterprises to multinationals.

Who is legally or professionally required to comply with **ISO 28000**?

**No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard.** Professionally, it applies to supply-chain participants in logistics, transportation, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers where contractual obligations, customs programs (e.g., C-TPAT equivalents), tenders, or insurance demands necessitate demonstrable SMS. Scalable for all sizes, it targets C-suite, supply-chain directors, security managers, and compliance officers facing disruption risks.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audit or third-party certification, but supports conformity verification via internal or external audits.** Certification follows ISO 28003 requirements for bodies providing audit and certification, typically via accredited Certification Bodies (e.g., ANAB). Process includes Stage 1 (readiness) and Stage 2 (effectiveness) audits, with 3-year validity and annual surveillance. Certification demonstrates conformance to stakeholders but is optional.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires risk assessments to be maintained continually, with internal audits at planned intervals per a risk-based program.** Management reviews occur at planned intervals (typically annually), considering performance, risks, and changes. Risk reassessments happen annually or upon major changes (e.g., new suppliers, threats). Monitoring uses KPIs like incident rates per 1,000 shipments and supplier control validation.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary.** Consequences include indirect risks: lost contracts, exclusion from tenders/customs programs, higher insurance premiums, operational disruptions from theft/sabotage, reputational damage, and litigation from incidents. Unmanaged supply-chain vulnerabilities lead to cascading outages, product loss, and regulatory scrutiny in high-risk sectors.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the ISO High Level Structure (HLS), enabling mapping to compatible management systems.** Its PDCA cycle and clauses (4-10) integrate with frameworks sharing HLS, facilitating unified risk registers, audits, and reviews. This supports combined implementation without violating standalone ISO 28000 requirements.

What is the first step to begin implementing **ISO 28000**?

**The first step is Phase 0: secure executive sponsorship, define SMS scope, and charter the program.** Conduct supply-chain mapping, appoint a Senior Responsible Owner, allocate resources, and produce a project charter with timeline. This establishes boundaries, risks, and governance before gap analysis.

AS9100 vs ISO 28000

Standards Comparison

AS9100

Mandatory

2016

Aerospace quality management system extending ISO 9001

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

AS9100 enhances ISO 9001 for aerospace quality, safety, and supply chain integrity, while ISO 28000 establishes risk-based security management across all supply chains. Aerospace firms adopt AS9100 for OEM approval; others use ISO 28000 for resilience and compliance.

Quality Management

AS9100

AS9100D:2016 Quality Management Systems - Aerospace

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Configuration management ensures product integrity lifecycle
Product safety controls across entire lifecycle
Counterfeit parts prevention and detection processes
Operational risk management in production planning
Enhanced supplier controls and traceability requirements

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle with HLS for ISO standards integration
Leadership-driven policy and supplier governance
Operational controls for physical, cyber, personnel risks
Internal audits and third-party certification pathway

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9100 Details

What It Is

AS9100D:2016 is the international certification standard for quality management systems (QMS) in aviation, space, and defense. It extends ISO 9001:2015 with over 100 aerospace-specific requirements. Primary purpose: ensure product safety, configuration integrity, and supply chain reliability in high-risk sectors. Adopts a process-based, risk-oriented approach via 10-clause Annex SL structure.

Key Components

Core pillars: operational planning (Clause 8), with configuration management (8.1.2), product safety (8.1.3), counterfeit prevention (8.1.4), operational risks (8.1.1).
Built on ISO 9001 PDCA cycle, plus human factors, supplier controls.
Certification via accredited third-party audits: Stage 1/2 initial, annual surveillance, triennial recertification.

Why Organizations Use It

Market access: required by OEMs/primes for contracts.
Risk reduction: prevents safety incidents, escapes, counterfeits.
Benefits: improved delivery, lower defects, supply chain resilience.
Builds stakeholder trust via OASIS database visibility.

Implementation Overview

Phased: gap analysis, process design, training, internal audits, certification.
Applies to designers/manufacturers in ASD; 6-18 months typical.
Involves cross-functional teams, digital tools for traceability.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security and resilience — Security management systems — Requirements — is an international management system standard for establishing, implementing, maintaining, and improving a security management system (SMS) tailored to supply chain security. It uses a risk-based, PDCA (Plan-Do-Check-Act) framework, not prescriptive controls.

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement
Risk assessment/treatment aligned with ISO 31000
Security policy, objectives, operational controls, supplier governance
High Level Structure (HLS) for ISO integration
Third-party certification via accredited bodies (ISO 28003)

Why Organizations Use It

Reduces theft, sabotage, disruptions; lowers insurance costs
Meets contractual/regulatory needs (e.g., C-TPAT equivalents)
Enhances resilience, market access, trade facilitation
Builds trust with stakeholders, partners, customers

Implementation Overview

Phased: scoping, gap analysis, risk strategy, deployment, audits
Scalable for all sizes/industries (logistics, manufacturing, pharma)
6–36 months; requires training, KPIs, continual improvement

Key Differences

Aspect	AS9100	ISO 28000
Scope	Aerospace QMS with safety, configuration, counterfeit controls	Supply chain security management system risks
Industry	Aviation, space, defense organizations globally	All supply chain sectors, any organization size
Nature	Voluntary certification standard building on ISO 9001	Voluntary management system standard for security
Testing	Stage 1/2 audits, annual surveillance, recert every 3 years	Internal audits, management review, optional certification audits
Penalties	Loss of certification, market access denial	No legal penalties, potential business continuity risks

Scope

AS9100

Aerospace QMS with safety, configuration, counterfeit controls

ISO 28000

Supply chain security management system risks

Industry

AS9100

Aviation, space, defense organizations globally

ISO 28000

All supply chain sectors, any organization size

Nature

AS9100

Voluntary certification standard building on ISO 9001

ISO 28000

Voluntary management system standard for security

Testing

AS9100

Stage 1/2 audits, annual surveillance, recert every 3 years

ISO 28000

Internal audits, management review, optional certification audits

Penalties

AS9100

Loss of certification, market access denial

ISO 28000

No legal penalties, potential business continuity risks

Frequently Asked Questions

Common questions about AS9100 and ISO 28000

AS9100 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

NIST CSF 2.0 Implementation Tiers Roadmap: Step-by-Step Guide from Partial to Adaptive Cybersecurity Maturity

Master NIST CSF 2.0 Implementation Tiers with a step-by-step roadmap. Assess your tier, build gap analyses, and advance from Partial (Tier 1) to Adaptive (Tier

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

Unlock SOC excellence with our 5-step maturity roadmap. Compare SOC-CMM, NIST CSF, and CMMC frameworks to scale from ad-hoc to automated operations. Start your

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 27017 vs ISO 27701

Compare ISO 27017 vs ISO 27701: Cloud security extensions vs privacy PIMS. Uncover differences, shared responsibilities, controls & benefits for CSPs—choose wisely now.

ISO 14064 vs Australian Privacy Act

Compare ISO 14064 vs Australian Privacy Act: GHG emissions standards meet data privacy rules. Master compliance gaps, principles & best practices for risk-free reporting. Dive in!

C-TPAT vs AS9120B

Compare C-TPAT vs AS9120B: CBP's supply chain security for trusted trade vs aerospace distributor QMS. Uncover key differences, MSC criteria, benefits & strategies to boost compliance & resilience. Dive in now!

AS9100

ISO 28000

Quick Verdict

AS9100

Key Features

ISO 28000

Key Features

Detailed Analysis

AS9100 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

AS9100 FAQ

What is the primary objective of AS9100?

Who is legally or professionally required to comply with AS9100?

Does AS9100 require an external audit or third-party certification?

How often should an assessment for AS9100 be performed?

What are the consequences of non-compliance with AS9100?

An AS9100 be mapped to other international frameworks?

What is the first step to begin implementing AS9100?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

NIST CSF 2.0 Implementation Tiers Roadmap: Step-by-Step Guide from Partial to Adaptive Cybersecurity Maturity

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 27017 vs ISO 27701

ISO 14064 vs Australian Privacy Act

C-TPAT vs AS9120B