What is the primary objective of **AS9120B**?

**AS9120B's primary objective is to establish a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics.** Built on ISO 9001:2015's 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like loss of traceability, counterfeit/suspected unapproved parts, documentation errors, and external provider controls to ensure chain-of-custody integrity.

Who is legally or professionally required to comply with **AS9120B**?

**AS9120B applies to stockist distributors, pass-through distributors, and those performing batch splitting in aviation, space, and defense supply chains.** Certification is not legally mandatory but is a commercial requirement imposed by OEMs and primes for supplier approval; as of May 2023, 2,442 global certifications (836 in the U.S.) underscore its role as a de facto market entry criterion via IAQG's OASIS database.

Does **AS9120B** require an external audit or third-party certification?

**Yes, AS9120B requires third-party certification through accredited bodies following a two-stage audit process per AS9101.** Stage 1 reviews documentation and scope; Stage 2 verifies implementation via on-site audits of processes like traceability and counterfeit prevention, leading to OASIS listing for visibility.

How often should an assessment for **AS9120B** be performed?

**AS9120B requires internal audits at planned intervals to cover all processes annually, plus annual surveillance audits post-certification.** Management reviews occur at defined intervals (typically quarterly or semi-annually) to evaluate performance, risks, and supplier metrics; recertification audits occur every three years.

What are the consequences of non-compliance with **AS9120B**?

**Non-compliance with AS9120B risks contract disqualification by OEMs, exclusion from OASIS, and supply chain rejection.** It can lead to audit nonconformities, costly rework, recalls for traceability failures or counterfeit parts, reputational damage, and operational liabilities in safety-critical aerospace environments.

Can **AS9120B** be mapped to other international frameworks?

**No, AS9120B FAQs must stand alone without referencing mappings to other frameworks.**

What is the first step to begin implementing **AS9120B**?

**The first step is conducting a gap analysis against AS9120B clauses using a certified checklist to identify deficiencies in context, scope, risks, and distributor controls.** Justify QMS scope and "not applicable" determinations (e.g., Clause 8.3 design), then prioritize high-risk areas like traceability and external provider evaluation.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security.** It operationalizes a **Plan-Do-Check-Act (PDCA)** cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, embed top management leadership, and ensure measurable objectives, operational controls, performance evaluation, and continual improvement. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with **ISO 28000**?

**No organization is legally required to comply with ISO 28000, as it is a voluntary international standard.** Professionally, it applies to any entity influencing supply chain security—logistics providers, manufacturers, retailers, ports, and government agencies—particularly where customer contracts, insurer demands, or trade facilitation programs mandate demonstrable SMS. Its broad applicability to all types and sizes emphasizes tailoring via context analysis (Clause 4) for organizations facing theft, sabotage, or resilience risks.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally.** Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation) and Stage 2 (implementation) audits, plus surveillance. Organizations pursue it for assurance, market access, or partner requirements after internal audits (Clause 9.2) and management review (Clause 9.3) confirm maturity.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires risk assessments to be maintained continuously, with internal audits conducted at planned intervals per a risk-based program (Clause 9.2).** Frequency considers process importance, prior results, and changes; management reviews occur at planned intervals (Clause 9.3). Monitoring (Clause 9.1) and corrective actions (Clause 10) ensure ongoing evaluation, typically annually or upon context changes like new suppliers.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary, but results in lost certification, market access, or contractual opportunities.** Operationally, it exposes organizations to unmanaged risks like theft, disruptions, or insurer premium hikes; failure to address nonconformities (Clause 10) undermines SMS effectiveness, eroding stakeholder trust and resilience.

Can **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000 aligns with ISO high-level structure (Annex SL), enabling mapping to frameworks like ISO 31000 for risk processes and ISO 22301 for security plans.** Clause 8.3 references ISO 31000 guidance; its PDCA and clauses (4–10) support integrated systems, sharing audits, documentation, and reviews without duplication.

What is the first step to begin implementing **ISO 28000**?

**The first step is determining the organization's context, interested parties, and SMS scope (Clause 4).** Map internal/external issues, supply chain dependencies, legal requirements, and boundaries as documented information, ensuring controls for externally provided processes; this informs leadership policy (Clause 5) and risk planning (Clause 6).

AS9120B vs ISO 28000

Standards Comparison

AS9120B

Mandatory

2016

Aerospace QMS standard for distributors ensuring traceability

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

AS9120B ensures quality management for aerospace distributors via traceability and counterfeit controls, while ISO 28000 builds supply chain security resilience through risk assessment. Distributors adopt AS9120B for OEM access; others use ISO 28000 for holistic threat mitigation.

Quality Management

AS9120B

AS9120B:2016 Quality Management Systems for Distributors

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Prevents counterfeit and suspected unapproved parts
Ensures robust traceability for split lots
Mandates enhanced external provider controls
Implements distribution-specific configuration management
Requires risk-based operational planning controls

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based PDCA cycle for supply chain security
Leadership commitment and top management accountability
Supplier and external process controls required
Integrated security plans with response and recovery
Continual improvement via audits and management reviews

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9120B Details

What It Is

AS9120B:2016 is a certification standard for quality management systems (QMS) tailored to aviation, space, and defense distributors. It augments ISO 9001:2015's 10-clause structure with over 100 aerospace-specific requirements. Primary purpose: mitigate distribution risks like traceability loss, counterfeit infiltration, and documentation errors via risk-based thinking and Plan-Do-Check-Act (PDCA) methodology.

Key Components

Strategic governance (context, leadership, planning)
Support controls (resources, competence, documented information)
Distribution operations (traceability, preservation, counterfeit prevention, supplier controls)
Performance evaluation (monitoring, audits, reviews)
Improvement (corrective actions) Built on ISO 9001 HLS; requires third-party certification via IAQG-accredited bodies, with OASIS listing.

Why Organizations Use It

Enables market access to OEMs/Tier 1s; reduces supply chain risks; builds customer trust through auditable chain-of-custody. Not legally mandatory but commercially essential; enhances efficiency, prevents recalls, boosts competitiveness (~2,442 global certifications).

Implementation Overview

Phased approach (gap analysis, process design, training, audits) over 6-12 months. Applies to stockists/distributors globally; involves cross-functional teams, IT for traceability, and leadership commitment.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard specifying requirements for security management systems (SMS) focused on supply chain security. It adopts a risk-based, PDCA (Plan-Do-Check-Act) approach to manage threats like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.
Built on harmonized ISO structure for integration with ISO 9001, ISO 22301.
Optional third-party certification via ISO 28003.

Why Organizations Use It

Reduces supply chain risks and incidents.
Meets contractual, regulatory, and insurance needs.
Enhances resilience, market access, and stakeholder trust.
Provides competitive edge in logistics, manufacturing.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, audits.
Scalable for all sizes/industries; 6-36 months typical.
Involves training, documentation, internal audits, management reviews.

Key Differences

Aspect	AS9120B	ISO 28000
Scope	Aerospace parts distribution QMS, traceability, counterfeit prevention	Supply chain security management, risk, resilience across sectors
Industry	Aerospace distributors globally, aviation/space/defense	All supply chain organizations, logistics/manufacturing worldwide
Nature	Voluntary QMS certification standard based on ISO 9001	Voluntary security management system standard, PDCA-based
Testing	IAQG audits, internal audits, management review, certification	Internal audits, management review, optional third-party certification
Penalties	Loss of certification, market exclusion from OEMs	No legal penalties, loss of certification/trust

Scope

AS9120B

Aerospace parts distribution QMS, traceability, counterfeit prevention

ISO 28000

Supply chain security management, risk, resilience across sectors

Industry

AS9120B

Aerospace distributors globally, aviation/space/defense

ISO 28000

All supply chain organizations, logistics/manufacturing worldwide

Nature

AS9120B

Voluntary QMS certification standard based on ISO 9001

ISO 28000

Voluntary security management system standard, PDCA-based

Testing

AS9120B

IAQG audits, internal audits, management review, certification

ISO 28000

Internal audits, management review, optional third-party certification

Penalties

AS9120B

Loss of certification, market exclusion from OEMs

ISO 28000

No legal penalties, loss of certification/trust

Frequently Asked Questions

Common questions about AS9120B and ISO 28000

AS9120B FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 Metrics That Matter: KPIs, KRIs, and Dashboards for Board-Ready Cyber Reporting

Quantify CIS Controls v8.1 success with KPIs, KRIs & dashboards. Learn what to measure, calculations, and executive presentations linking security to business r

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

Singapore PDPA Implementation Guide: Mastering Part 6A Breach Notification Thresholds and Timelines from Primary Statute

Master Singapore PDPA Part 6A breach notifications: statutory thresholds (risk of significant harm), 72-hour timelines, checklists, templates & frameworks. Comp

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

IEC 62443 vs U.S. SEC Cybersecurity Rules

Compare IEC 62443 vs U.S. SEC Cybersecurity Rules: Key differences in OT risk management, zones/conduits, SLs, and governance. Expert guide to compliance & strategy. Dive in now!

GDPR vs ISO 20000

Discover GDPR vs ISO 20000: EU privacy law vs IT service management standard. Uncover key differences, compliance synergies, and strategies for secure, efficient operations. Compare now!

PMBOK vs IFS Food

Compare PMBOK vs IFS Food: Unlock key differences in project governance & food safety standards. Tailor PMBOK principles for IFS compliance—boost efficiency, cut risks now!

AS9120B

ISO 28000

Quick Verdict

AS9120B

Key Features

ISO 28000

Key Features

Detailed Analysis

AS9120B Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

AS9120B FAQ

What is the primary objective of AS9120B?

Who is legally or professionally required to comply with AS9120B?

Does AS9120B require an external audit or third-party certification?

How often should an assessment for AS9120B be performed?

What are the consequences of non-compliance with AS9120B?

Can AS9120B be mapped to other international frameworks?

What is the first step to begin implementing AS9120B?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

Can ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

CIS Controls v8.1 Metrics That Matter: KPIs, KRIs, and Dashboards for Board-Ready Cyber Reporting

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Singapore PDPA Implementation Guide: Mastering Part 6A Breach Notification Thresholds and Timelines from Primary Statute

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

IEC 62443 vs U.S. SEC Cybersecurity Rules

GDPR vs ISO 20000

PMBOK vs IFS Food