AS9110C vs ISO 28000
AS9110C
Aerospace QMS standard for aviation maintenance organizations
ISO 28000
International standard for supply chain security management systems
Quick Verdict
AS9110C delivers quality management for aviation maintenance with safety and traceability focus, while ISO 28000 establishes security management across supply chains. Organizations adopt AS9110C for aerospace compliance and ISO 28000 for resilient logistics.
AS9110C
AS9110C:2016 Quality Management Systems for Aviation Maintenance
Key Features
- Rigorous configuration management for maintenance processes
- Counterfeit and suspect parts prevention controls
- Risk-based thinking in operational planning
- Traceability and preservation of aviation parts
- Human factors in root cause analysis
ISO 28000
ISO 28000:2022 Security management systems Requirements
Key Features
- Risk-based PDCA cycle for supply chain security
- Leadership commitment and top management accountability
- Supplier and external process controls integration
- Security plans with response and recovery procedures
- Alignment with ISO 31000 and ISO 22301 standards
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
AS9110C Details
What It Is
AS9110C:2016 is an international certification standard for quality management systems (QMS) in aviation maintenance organizations (MROs). It builds on ISO 9001:2015 Annex SL structure, adding maintenance-specific requirements for continuing airworthiness, using risk-based thinking and PDCA cycles.
Key Components
- Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, improvement.
- Aviation additions: configuration management, counterfeit parts prevention, product safety, traceability, human factors.
- No fixed control count; focuses on documented information and process approach.
- Certification via IAQG OASIS after audits.
Why Organizations Use It
- Ensures regulatory compliance (FAA/EASA) and customer contracts.
- Mitigates safety risks, enhances traceability.
- Boosts market access, customer satisfaction, on-time delivery.
- Builds stakeholder trust through auditable evidence.
Implementation Overview
- Phased: gap analysis, process design, training, audits (6-12 months).
- Applies to MROs of all sizes globally.
- Requires internal audits, management reviews before Stage 1/2 certification.
ISO 28000 Details
What It Is
ISO 28000:2022 is an international certification standard specifying requirements for a security management system (SMS) focused on supply chain security. It adopts a risk-based, PDCA (Plan-Do-Check-Act) approach to manage threats like theft, sabotage, and disruptions across organizational operations and supply chains.
Key Components
- Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
- Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.
- Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.
- Optional third-party certification via ISO 28003 guidelines.
Why Organizations Use It
- Reduces security incidents, ensures compliance, and meets partner requirements.
- Enhances resilience, lowers insurance costs, and provides market access.
- Builds stakeholder trust through auditable governance.
Implementation Overview
- Phased: gap analysis, risk assessment, controls deployment, training, audits.
- Scalable for all sizes/industries; 9-18 months typical.
- Involves supply chain mapping and continual improvement.
Key Differences
| Aspect | AS9110C | ISO 28000 |
|---|---|---|
| Scope | Aerospace maintenance QMS with safety, traceability | Supply chain security management system |
| Industry | Aviation MRO organizations worldwide | All supply chain sectors globally |
| Nature | Voluntary QMS certification standard | Voluntary security management certification |
| Testing | Internal audits, management reviews, certification | Internal audits, risk assessments, certification audits |
| Penalties | Loss of certification, market exclusion | Loss of certification, no legal penalties |
Scope
Industry
Nature
Testing
Penalties
Frequently Asked Questions
Common questions about AS9110C and ISO 28000
AS9110C FAQ
ISO 28000 FAQ
You Might also be Interested in These Articles...

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)
Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

The £0 Cyber Essentials Checklist: How to Secure Windows 11 and Microsoft 365 Using Built-In Tools in 2026
Pass Cyber Essentials in 2026 with this free checklist using only built-in Windows 11 and Microsoft 365 tools. Covers MFA, patching, firewalls and CE+ audit pre

Top 10 Cost-Saving Hacks for CMMC Compliance: Budgeting Blueprints for Small DIB Suppliers
Slash CMMC costs 30-50% with top 10 hacks for small DIB suppliers. Enclave scoping, FedRAMP clouds, automation, POA&M tips & budgeting blueprints for Level 2 co
Run Maturity Assessments with GRADUM
Transform your compliance journey with our AI-powered assessment platform
Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.
Explore More Comparisons
See how AS9110C and ISO 28000 compare against other standards