What is the primary objective of AS9120B?

AS9120B's primary objective is to establish a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics. Built on ISO 9001:2015's 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like loss of traceability, counterfeit/suspected unapproved parts, documentation errors, and external provider controls to ensure chain-of-custody integrity.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies to stockist distributors, pass-through distributors, and those performing batch splitting in aviation, space, and defense supply chains. Certification is not legally mandatory but is a commercial requirement imposed by OEMs and primes for supplier approval; as of early 2026, approximately 2,800 global certifications (over 900 in the U.S.) underscore its role as a de facto market entry criterion via IAQG's OASIS database.

Does AS9120B require an external audit or third-party certification?

Yes, AS9120B requires third-party certification through accredited bodies following a two-stage audit process per AS9101. Stage 1 reviews documentation and scope; Stage 2 verifies implementation via on-site audits of processes like traceability and counterfeit prevention, leading to OASIS listing for visibility.

How often should an assessment for AS9120B be performed?

AS9120B requires internal audits at planned intervals to cover all processes annually, plus annual surveillance audits post-certification. Management reviews occur at defined intervals (typically quarterly or semi-annually) to evaluate performance, risks, and supplier metrics; recertification audits occur every three years.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B risks contract disqualification by OEMs, exclusion from OASIS, and supply chain rejection. It can lead to audit nonconformities, costly rework, recalls for traceability failures or counterfeit parts, reputational damage, and operational liabilities in safety-critical aerospace environments.

Can AS9120B be mapped to other international frameworks?

Yes, AS9120B aligns with the ISO high-level structure (Annex SL) via ISO 9001, enabling mapping to other international frameworks.

What is the first step to begin implementing AS9120B?

The first step is conducting a gap analysis against AS9120B clauses using a certified checklist to identify deficiencies in context, scope, risks, and distributor controls. Justify QMS scope and "not applicable" determinations (e.g., Clause 8.3 design), then prioritize high-risk areas like traceability and external provider evaluation.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, embed top management leadership, and ensure measurable objectives, operational controls, performance evaluation, and continual improvement. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with ISO 28000?

No organization is legally required to comply with ISO 28000, as it is a voluntary international standard. Professionally, it applies to any entity influencing supply chain security—logistics providers, manufacturers, retailers, ports, and government agencies—particularly where customer contracts, insurer demands, or trade facilitation programs mandate demonstrable SMS. Its broad applicability to all types and sizes emphasizes tailoring via context analysis (Clause 4) for organizations facing theft, sabotage, or resilience risks.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally. Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation) and Stage 2 (implementation) audits, plus surveillance. Organizations pursue it for assurance, market access, or partner requirements after internal audits (Clause 9.2) and management review (Clause 9.3) confirm maturity.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained continuously, with internal audits conducted at planned intervals per a risk-based program (Clause 9.2). Frequency considers process importance, prior results, and changes; management reviews occur at planned intervals (Clause 9.3). Monitoring (Clause 9.1) and corrective actions (Clause 10) ensure ongoing evaluation, typically annually or upon context changes like new suppliers.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary, but results in lost certification, market access, or contractual opportunities. Operationally, it exposes organizations to unmanaged risks like theft, disruptions, or insurer premium hikes; failure to address nonconformities (Clause 10) undermines SMS effectiveness, eroding stakeholder trust and resilience.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000 aligns with ISO high-level structure (Annex SL), enabling mapping to frameworks like ISO 31000 for risk processes and ISO 22301 for security plans. Clause 8.3 references ISO 31000 guidance; its PDCA and clauses (4–10) support integrated systems, sharing audits, documentation, and reviews without duplication.

What is the first step to begin implementing ISO 28000?

The first step is determining the organization's context, interested parties, and SMS scope (Clause 4). Map internal/external issues, supply chain dependencies, legal requirements, and boundaries as documented information, ensuring controls for externally provided processes; this informs leadership policy (Clause 5) and risk planning (Clause 6).

Standards Comparison

AS9120B vs ISO 28000

AS9120B

Mandatory

2016

Aerospace QMS standard for distributors ensuring traceability

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

AS9120B ensures quality management for aerospace distributors via traceability and counterfeit controls, while ISO 28000 builds supply chain security resilience through risk assessment. Distributors adopt AS9120B for OEM access; others use ISO 28000 for holistic threat mitigation.

Quality Management

AS9120B

AS9120B:2016 Quality Management Systems for Distributors

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Prevents counterfeit and suspected unapproved parts
Ensures robust traceability for split lots
Mandates enhanced external provider controls
Implements distribution-specific configuration management
Requires risk-based operational planning controls

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based PDCA cycle for supply chain security
Leadership commitment and top management accountability
Supplier and external process controls required
Integrated security plans with response and recovery
Continual improvement via audits and management reviews

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9120B Details

What It Is

AS9120B:2016 is a certification standard for quality management systems (QMS) tailored to aviation, space, and defense distributors. It augments ISO 9001:2015's 10-clause structure with over 100 aerospace-specific requirements. Primary purpose: mitigate distribution risks like traceability loss, counterfeit infiltration, and documentation errors via risk-based thinking and Plan-Do-Check-Act (PDCA) methodology.

Key Components

Strategic governance (context, leadership, planning)
Support controls (resources, competence, documented information)
Distribution operations (traceability, preservation, counterfeit prevention, supplier controls)
Performance evaluation (monitoring, audits, reviews)
Improvement (corrective actions) Built on ISO 9001 HLS; requires third-party certification via IAQG-accredited bodies, with OASIS listing.

Why Organizations Use It

Enables market access to OEMs/Tier 1s; reduces supply chain risks; builds customer trust through auditable chain-of-custody. Not legally mandatory but commercially essential; enhances efficiency, prevents recalls, boosts competitiveness (~2,800 global certifications).

Implementation Overview

Phased approach (gap analysis, process design, training, audits) over 6-12 months. Applies to stockists/distributors globally; involves cross-functional teams, IT for traceability, and leadership commitment.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard specifying requirements for security management systems (SMS) focused on supply chain security. It adopts a risk-based, PDCA (Plan-Do-Check-Act) approach to manage threats like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.
Built on harmonized ISO structure for integration with ISO 9001, ISO 22301.
Optional third-party certification via ISO 28003.

Why Organizations Use It

Reduces supply chain risks and incidents.
Meets contractual, regulatory, and insurance needs.
Enhances resilience, market access, and stakeholder trust.
Provides competitive edge in logistics, manufacturing.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, audits.
Scalable for all sizes/industries; 6-36 months typical.
Involves training, documentation, internal audits, management reviews.

Key Differences

Aspect	AS9120B	ISO 28000
Scope	Aerospace parts distribution QMS, traceability, counterfeit prevention	Supply chain security management, risk, resilience across sectors
Industry	Aerospace distributors globally, aviation/space/defense	All supply chain organizations, logistics/manufacturing worldwide
Nature	Voluntary QMS certification standard based on ISO 9001	Voluntary security management system standard, PDCA-based
Testing	IAQG audits, internal audits, management review, certification	Internal audits, management review, optional third-party certification
Penalties	Loss of certification, market exclusion from OEMs	No legal penalties, loss of certification/trust

Scope

AS9120B

Aerospace parts distribution QMS, traceability, counterfeit prevention

ISO 28000

Supply chain security management, risk, resilience across sectors

Industry

AS9120B

Aerospace distributors globally, aviation/space/defense

ISO 28000

All supply chain organizations, logistics/manufacturing worldwide

Nature

AS9120B

Voluntary QMS certification standard based on ISO 9001

ISO 28000

Voluntary security management system standard, PDCA-based

Testing

AS9120B

IAQG audits, internal audits, management review, certification

ISO 28000

Internal audits, management review, optional third-party certification

Penalties

AS9120B

Loss of certification, market exclusion from OEMs

ISO 28000

No legal penalties, loss of certification/trust

Frequently Asked Questions

Common questions about AS9120B and ISO 28000

AS9120B FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder with Real-World Analogies

Decode SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) into plain English with tables, TL;DRs & analogies

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how AS9120B and ISO 28000 compare against other standards

Other AS9120B Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Strategic governance (context, leadership, planning)

Support controls (resources, competence, documented information)

Distribution operations (traceability, preservation, counterfeit prevention, supplier controls)

Performance evaluation (monitoring, audits, reviews)

Improvement (corrective actions) Built on ISO 9001 HLS; requires third-party certification via IAQG-accredited bodies, with OASIS listing.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.

Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.

Built on harmonized ISO structure for integration with ISO 9001, ISO 22301.

Optional third-party certification via ISO 28003.

Aspect

AS9120B

ISO 28000

Scope

Aerospace parts distribution QMS, traceability, counterfeit prevention

Supply chain security management, risk, resilience across sectors

Industry

Aerospace distributors globally, aviation/space/defense

All supply chain organizations, logistics/manufacturing worldwide

Nature

Voluntary QMS certification standard based on ISO 9001

Voluntary security management system standard, PDCA-based

Testing

IAQG audits, internal audits, management review, certification

Internal audits, management review, optional third-party certification

Penalties

Loss of certification, market exclusion from OEMs

No legal penalties, loss of certification/trust