What is the primary objective of AS9110C?

AS9110C's primary objective is to enable aviation maintenance organizations to consistently provide products and services meeting customer and statutory/regulatory requirements while enhancing satisfaction through effective QMS application and continual improvement. It incorporates ISO 9001:2015's Annex SL structure (Clauses 4–10) with aviation-specific additions like configuration management, product safety, counterfeit parts prevention, traceability, preservation, and human factors controls, ensuring continuing airworthiness in repair stations and MRO providers.

Who is legally or professionally required to comply with AS9110C?

AS9110C applies to aviation maintenance organizations, including repair stations, MRO providers, and OEMs with autonomous maintenance operations. It targets entities performing maintenance, repair, overhaul, or continuing airworthiness management for civil/military aircraft, regardless of size, to demonstrate QMS conformity via IAQG OASIS listing, often mandated by customers, OEMs, or regulators like FAA/EASA Part 145.

Does AS9110C require an external audit or third-party certification?

Yes, AS9110C requires third-party certification through accredited bodies, with initial Stage 1/2 audits followed by surveillance. The QMS must be fully operational for at least three months, including a full internal audit cycle and management review, before certification; ongoing audits verify Clauses 4–10 compliance, including operational controls like traceability and risk management.

How often should an assessment for AS9110C be performed?

AS9110C requires internal audits at planned intervals based on process risk, status, and results, with full cycles before certification and ongoing surveillance. Management reviews occur regularly (e.g., annually or per business cycles), analyzing performance data, audits, nonconformities, and risks; external surveillance audits are typically annual, recertification every three years.

What are the consequences of non-compliance with AS9110C?

Non-compliance with AS9110C risks loss of certification, OASIS delisting, contract ineligibility, and regulatory sanctions like FAA/EASA Part 145 certificate suspension. It can lead to safety incidents from poor configuration/traceability, rework costs, customer dissatisfaction, market exclusion from OEMs, and legal/financial exposure from airworthiness failures.

Can AS9110C be mapped to other international frameworks?

AS9110C aligns directly with ISO 9001:2015 via its Annex SL high-level structure and shares terminology like “documented information” and “external providers.” IAQG correlation matrices facilitate mapping to regulatory frameworks such as FAA/EASA Part 145, enabling integrated QMS without exclusions unless justified in scope.

What is the first step to begin implementing AS9110C?

The first step is to define QMS scope, determine internal/external issues (Clause 4), and conduct a gap analysis against Clauses 4–10. Map existing processes to requirements, justify any non-applicability, identify interested parties/regulatory needs, and prioritize risks using tools like Risk and Opportunity Worksheets for a phased implementation plan.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, integrate leadership commitment, and ensure performance evaluation through audits and management reviews. The standard is holistic, sector-agnostic, and aligns risk treatment with ISO 31000 guidance.

Who is legally or professionally required to comply with ISO 28000?

No organization is legally mandated to comply with ISO 28000, as it is a voluntary international standard applicable to all types and sizes of organizations. It is professionally relevant for entities influencing supply chain security, such as logistics providers, manufacturers, retailers, ports, and government agencies handling transport, storage, or procurement. Adoption is driven by contractual flow-down requirements, customer demands, insurance incentives, or trade facilitation programs.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity may be verified through internal or external auditing processes. Certification is optional, supported by ISO 28003 for certification bodies, typically involving Stage 1 (design review) and Stage 2 (implementation) audits, followed by surveillance. Organizations pursue it for market credibility, while internal audits per Clause 9.2 ensure ongoing compliance.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires internal audits at planned intervals via a risk-based audit program (Clause 9.2), with management reviews at planned intervals (Clause 9.3). Risk assessments (Clause 8.3) must be maintained continuously, with updates triggered by changes in context, incidents, or performance data. Frequency depends on risks, prior results, and processes, typically annually or more for high-risk areas.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary, but results in lost business opportunities, heightened supply chain risks, and potential contractual breaches. Impacts include increased incident likelihood (theft, sabotage), higher insurance premiums, exclusion from tenders requiring certification, regulatory scrutiny in trade programs, and reputational damage from disruptions.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000 aligns with ISO management system standards via its Annex SL structure and PDCA cycle, enabling integrated systems. Clause structure (4–10) supports combined audits with ISO 9001, ISO 14001, ISO 45001, ISO/IEC 27001, and ISO 22301 (explicit consistency in security plans). Risk processes reference ISO 31000, facilitating enterprise risk management integration without duplication.

What is the first step to begin implementing ISO 28000?

The first step is determining the context of the organization, including internal/external issues, interested parties, and SMS scope (Clause 4). Map supply chain nodes, identify legal/regulatory requirements, and document boundaries, especially for externally provided processes, to establish a tailored foundation for risk planning and leadership commitment.

Standards Comparison

AS9110C vs ISO 28000

AS9110C

Mandatory

2016

Aerospace QMS standard for aviation maintenance organizations

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

AS9110C delivers quality management for aviation maintenance with safety and traceability focus, while ISO 28000 establishes security management across supply chains. Organizations adopt AS9110C for aerospace compliance and ISO 28000 for resilient logistics.

Quality Management

AS9110C

AS9110C:2016 Quality Management Systems for Aviation Maintenance

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Rigorous configuration management for maintenance processes
Counterfeit and suspect parts prevention controls
Risk-based thinking in operational planning
Traceability and preservation of aviation parts
Human factors in root cause analysis

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based PDCA cycle for supply chain security
Leadership commitment and top management accountability
Supplier and external process controls integration
Security plans with response and recovery procedures
Alignment with ISO 31000 and ISO 22301 standards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9110C Details

What It Is

AS9110C:2016 is an international certification standard for quality management systems (QMS) in aviation maintenance organizations (MROs). It builds on ISO 9001:2015 Annex SL structure, adding maintenance-specific requirements for continuing airworthiness, using risk-based thinking and PDCA cycles.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, improvement.
Aviation additions: configuration management, counterfeit parts prevention, product safety, traceability, human factors.
No fixed control count; focuses on documented information and process approach.
Certification via IAQG OASIS after audits.

Why Organizations Use It

Ensures regulatory compliance (FAA/EASA) and customer contracts.
Mitigates safety risks, enhances traceability.
Boosts market access, customer satisfaction, on-time delivery.
Builds stakeholder trust through auditable evidence.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
Applies to MROs of all sizes globally.
Requires internal audits, management reviews before Stage 1/2 certification.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard specifying requirements for a security management system (SMS) focused on supply chain security. It adopts a risk-based, PDCA (Plan-Do-Check-Act) approach to manage threats like theft, sabotage, and disruptions across organizational operations and supply chains.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.
Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.
Optional third-party certification via ISO 28003 guidelines.

Why Organizations Use It

Reduces security incidents, ensures compliance, and meets partner requirements.
Enhances resilience, lowers insurance costs, and provides market access.
Builds stakeholder trust through auditable governance.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, training, audits.
Scalable for all sizes/industries; 9-18 months typical.
Involves supply chain mapping and continual improvement.

Key Differences

Aspect	AS9110C	ISO 28000
Scope	Aerospace maintenance QMS with safety, traceability	Supply chain security management system
Industry	Aviation MRO organizations worldwide	All supply chain sectors globally
Nature	Voluntary QMS certification standard	Voluntary security management certification
Testing	Internal audits, management reviews, certification	Internal audits, risk assessments, certification audits
Penalties	Loss of certification, market exclusion	Loss of certification, no legal penalties

Scope

AS9110C

Aerospace maintenance QMS with safety, traceability

ISO 28000

Supply chain security management system

Industry

AS9110C

Aviation MRO organizations worldwide

ISO 28000

All supply chain sectors globally

Nature

AS9110C

Voluntary QMS certification standard

ISO 28000

Voluntary security management certification

Testing

AS9110C

Internal audits, management reviews, certification

ISO 28000

Internal audits, risk assessments, certification audits

Penalties

AS9110C

Loss of certification, market exclusion

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about AS9110C and ISO 28000

AS9110C FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

The £0 Cyber Essentials Checklist: How to Secure Windows 11 and Microsoft 365 Using Built-In Tools in 2026

Pass Cyber Essentials in 2026 with this free checklist using only built-in Windows 11 and Microsoft 365 tools. Covers MFA, patching, firewalls and CE+ audit pre

Top 10 Cost-Saving Hacks for CMMC Compliance: Budgeting Blueprints for Small DIB Suppliers

Slash CMMC costs 30-50% with top 10 hacks for small DIB suppliers. Enclave scoping, FedRAMP clouds, automation, POA&M tips & budgeting blueprints for Level 2 co

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how AS9110C and ISO 28000 compare against other standards

Other AS9110C Comparisons

Other ISO 28000 Comparisons

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, improvement.

Aviation additions: configuration management, counterfeit parts prevention, product safety, traceability, human factors.

No fixed control count; focuses on documented information and process approach.

Certification via IAQG OASIS after audits.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.

Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.

Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.

Optional third-party certification via ISO 28003 guidelines.

Aspect

AS9110C

ISO 28000

Scope

Aerospace maintenance QMS with safety, traceability

Supply chain security management system

Industry

Aviation MRO organizations worldwide

All supply chain sectors globally

Nature

Voluntary QMS certification standard

Voluntary security management certification

Testing

Internal audits, management reviews, certification

Internal audits, risk assessments, certification audits

Penalties

Loss of certification, market exclusion

Loss of certification, no legal penalties