What is the primary objective of AS9120B?

AS9120B establishes a quality management system for organizations that procure, store, split, and resell aerospace parts without altering product characteristics. Built on ISO 9001:2015’s 10-clause structure, it adds over 100 distributor-specific requirements addressing risks like traceability loss, counterfeit parts, documentation errors, and external provider controls to ensure chain-of-custody integrity.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies to stockist distributors, pass-through distributors, and those performing batch splitting in aviation, space, and defense supply chains. Certification is not legally mandatory but is a commercial requirement from OEMs and primes for market access; as of early 2026, over 2,500 global certifications (over 850 in the U.S.) reflect its role as a de facto qualification for ASD distributors excluding value-added modifiers or MRO entities.

Does AS9120B require an external audit or third-party certification?

Yes, AS9120B requires third-party certification through accredited bodies via Stage 1 (documentation) and Stage 2 (implementation) audits per IAQG rules. Certified organizations gain OASIS listing for visibility; surveillance audits occur annually, with recertification every three years to verify ongoing QMS effectiveness.

How often should an assessment for AS9120B be performed?

AS9120B requires internal audits at planned intervals to cover all processes annually, plus management reviews at defined intervals. Monitoring and measurement (Clause 9.1) occur continuously via KPIs like on-time delivery and nonconformities; full internal audit programs ensure effectiveness before surveillance audits.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B risks contract disqualification, exclusion from OEM supplier lists, and supply chain rejection. It leads to audit nonconformities, loss of OASIS visibility, potential recalls from traceability failures or counterfeit parts, reputational damage, and commercial barriers in ASD markets.

Can AS9120B be mapped to other international frameworks?

AS9120B aligns directly with ISO 9001:2015’s high-level structure, enabling seamless mapping of its baseline clauses. Aerospace additions like counterfeit prevention and traceability integrate with IAQG standards, but it excludes manufacturing elements, focusing on distribution-specific controls.

What is the first step to begin implementing AS9120B?

Conduct a gap analysis against AS9120B clauses using cross-functional teams to identify deficiencies in context, scope, and processes. Document internal/external issues (Clause 4), justify “not applicable” determinations (e.g., Clause 8.3 design), and prioritize distributor risks like traceability and supplier controls to build an implementation plan.

What is the primary objective of APRA CPS 234?

APRA CPS 234 requires regulated entities to maintain an information security capability commensurate with vulnerabilities and threats to information assets, minimizing the likelihood and impact of incidents on confidentiality, integrity, or availability (CIA). This includes assets managed by related parties and third parties, ensuring continued sound operation of the entity (paragraphs 15-16). Boards hold ultimate responsibility (paragraph 13).

Who is legally or professionally required to comply with APRA CPS 234?

APRA CPS 234 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers, and RSE licensees. For Heads of groups, it extends group-wide, including non-regulated entities (paragraphs 2, 4). Foreign ADIs, Category C insurers, and EFLICs comply for Australian branches only (paragraph 3). Effective 1 July 2019, with third-party assets from the earlier of contract renewal or 1 July 2020 (paragraph 6).

Does APRA CPS 234 require an external audit or third-party certification?

No, APRA CPS 234 does not mandate external audits or third-party certification. It requires internal audit to review design and operating effectiveness of controls, including those by related parties and third parties, using appropriately skilled personnel (paragraphs 32-34). Entities must conduct systematic testing by functionally independent specialists (paragraphs 27-31), but external assurance is optional if internal processes suffice.

How often should an assessment for APRA CPS 234 be performed?

APRA CPS 234 requires the testing program to be reviewed at least annually or upon material changes to information assets or the business environment (paragraph 31). Testing frequency must be commensurate with vulnerability/threat change rates, asset criticality/sensitivity, incident consequences, untrusted environments, and asset changes (paragraph 27). Incident response plans must be reviewed and tested annually (paragraph 26).

What are the consequences of non-compliance with APRA CPS 234?

Non-compliance with APRA CPS 234 exposes entities to APRA's prudential powers, including remediation directions, supervisory actions, and potential enforcement under enabling Acts like the Banking Act 1959. APRA may adjust requirements in writing (paragraphs 9, 11). Entities must notify APRA within 72 hours of material incidents (paragraph 35) or 10 business days of unremediable material control weaknesses (paragraph 36), increasing scrutiny and operational risk.

Can APRA CPS 234 be mapped to other international frameworks?

Yes, APRA CPS 234's outcomes-based requirements for governance, controls, testing, and third-party management can be mapped to frameworks like ISO 27001 and NIST Cybersecurity Framework. It aligns with ISO 27001's ISMS structure and NIST's Identify-Protect-Detect-Respond-Recover functions, allowing proportional implementation while meeting CPS 234's board accountability, asset classification (paragraph 20), and assurance mandates (paragraphs 27-34).

What is the first step to begin implementing APRA CPS 234?

The first step to implement APRA CPS 234 is for the Board to assume ultimate responsibility and define information security roles and responsibilities across the entity (paragraphs 13-14). This establishes governance, followed by classifying information assets by criticality and sensitivity (paragraph 20) to drive commensurate capability, policies, and controls (paragraphs 15, 18-21).

Standards Comparison

AS9120B vs APRA CPS 234

AS9120B

Mandatory

2016

Aerospace QMS standard for parts distributors

APRA CPS 234

Mandatory

2019

APRA Prudential Standard for information security resilience

Quick Verdict

AS9120B ensures quality management for aerospace distributors via traceability and counterfeit controls, enabling supply chain approval. APRA CPS 234 mandates cyber resilience for Australian financial entities with strict testing and notifications, ensuring regulatory compliance and operational continuity.

Quality Management

AS9120B

AS9120B Quality Management Systems for Distributors

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Mandates counterfeit and unapproved parts prevention
Ensures robust traceability for split batches
Requires risk-based external provider controls
Implements distribution-specific configuration management
Enhances product safety and ethical awareness

Information Security

APRA CPS 234

APRA Prudential Standard CPS 234 Information Security

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Board ultimate responsibility for information security
72-hour APRA notification for material incidents
Systematic independent testing of controls
Third-party capability and control assessments
Asset classification by criticality and sensitivity

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9120B Details

What It Is

AS9120B is the IAQG quality management system standard for aerospace distributors, built on ISO 9001:2015's 10-clause structure. It targets organizations procuring, storing, splitting, and reselling parts without alteration, using a risk-based PDCA approach to address distribution risks like traceability loss and counterfeits.

Key Components

Over 100 aerospace-specific requirements beyond ISO 9001.
Core areas: context analysis, leadership, planning, support, operations (traceability, counterfeit prevention, provider controls), evaluation, improvement.
Emphasizes chain-of-custody, configuration management, external provider flowdown.
Certification via accredited bodies, OASIS listing.

Why Organizations Use It

Provides market access to OEMs/Tier 1s, reduces counterfeit risks, ensures compliance visibility. Builds trust, efficiency, resiliency; commercially essential despite voluntary status.

Implementation Overview

Phased rollout (6-12 months): gap analysis, process design, training, audits. Suits distributors globally; requires Management Representative, internal audits, management reviews.

APRA CPS 234 Details

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding regulation issued by the Australian Prudential Regulation Authority. Effective from 1 July 2019, it mandates APRA-regulated financial institutions to maintain information security capabilities commensurate with threats and vulnerabilities. Its risk-based approach emphasizes governance, resilience against cyber incidents, and coverage of third-party managed assets.

Key Components

**Governance and accountabilityBoard ultimate responsibility (para 13), defined roles (para 14).
**Core requirementsAsset classification (para 20), commensurate controls (para 21), systematic testing (paras 27-31), internal audit assurance (paras 32-34).
**Incident management72-hour notification for material incidents (para 35), 10-business-day for control weaknesses (para 36).
No fixed controls; built on CIA triad principles; compliance via evidence-driven assurance, no certification.

Why Organizations Use It

Mandatory for APRA entities (banks, insurers, super funds) to avoid penalties, enforcement.
Enhances cyber resilience, stakeholder protection, operational continuity.
Builds trust, reduces incident impact, aligns with CPS 220/230.

Implementation Overview

Phased: gap analysis, policy framework, asset inventory, testing programs, third-party assessments.
Applies to all sizes in Australian financial sector; ongoing maintenance required, audited by APRA.

Key Differences

Aspect	AS9120B	APRA CPS 234
Scope	Aerospace distributor QMS, traceability, counterfeit prevention	Financial sector information security, cyber resilience, third-party controls
Industry	Aerospace distribution, global certifications	Australian financial services (banks, insurers, super), regulated entities
Nature	Voluntary certification standard based on ISO 9001	Mandatory prudential regulation with enforcement powers
Testing	Internal audits, management review, certification audits	Systematic independent testing, annual reviews, internal audit assurance
Penalties	Loss of certification, market exclusion	Regulatory sanctions, fines, supervisory actions

Scope

AS9120B

Aerospace distributor QMS, traceability, counterfeit prevention

APRA CPS 234

Financial sector information security, cyber resilience, third-party controls

Industry

AS9120B

Aerospace distribution, global certifications

APRA CPS 234

Australian financial services (banks, insurers, super), regulated entities

Nature

AS9120B

Voluntary certification standard based on ISO 9001

APRA CPS 234

Mandatory prudential regulation with enforcement powers

Testing

AS9120B

Internal audits, management review, certification audits

APRA CPS 234

Systematic independent testing, annual reviews, internal audit assurance

Penalties

AS9120B

Loss of certification, market exclusion

APRA CPS 234

Regulatory sanctions, fines, supervisory actions

Frequently Asked Questions

Common questions about AS9120B and APRA CPS 234

AS9120B FAQ

APRA CPS 234 FAQ

You Might also be Interested in These Articles...

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how AS9120B and APRA CPS 234 compare against other standards

Other AS9120B Comparisons

Other APRA CPS 234 Comparisons

Quick Verdict

What It Is

Key Components

Over 100 aerospace-specific requirements beyond ISO 9001.

Core areas: context analysis, leadership, planning, support, operations (traceability, counterfeit prevention, provider controls), evaluation, improvement.

Emphasizes chain-of-custody, configuration management, external provider flowdown.

Certification via accredited bodies, OASIS listing.

What It Is

Key Components

**Governance and accountabilityBoard ultimate responsibility (para 13), defined roles (para 14).

**Core requirementsAsset classification (para 20), commensurate controls (para 21), systematic testing (paras 27-31), internal audit assurance (paras 32-34).

**Incident management72-hour notification for material incidents (para 35), 10-business-day for control weaknesses (para 36).

No fixed controls; built on CIA triad principles; compliance via evidence-driven assurance, no certification.

Aspect

AS9120B

APRA CPS 234

Scope

Aerospace distributor QMS, traceability, counterfeit prevention

Financial sector information security, cyber resilience, third-party controls

Industry

Aerospace distribution, global certifications

Australian financial services (banks, insurers, super), regulated entities

Nature

Voluntary certification standard based on ISO 9001

Mandatory prudential regulation with enforcement powers

Testing

Internal audits, management review, certification audits

Systematic independent testing, annual reviews, internal audit assurance

Penalties

Loss of certification, market exclusion

Regulatory sanctions, fines, supervisory actions