What is the primary objective of ISO 31000?

ISO 31000 provides internationally recognized guidelines for managing risk to create and protect value. It defines risk as the effect of uncertainty on objectives and establishes principles, a framework, and process for systematic risk identification, analysis, evaluation, treatment, monitoring, review, recording, and reporting applicable to any organization.

Who is legally or professionally required to comply with ISO 31000?

No organization is legally required to comply with ISO 31000 as it offers voluntary guidelines, not certifiable requirements. It applies universally to any public, private, or non-profit entity of any size or sector seeking to enhance decision-making, governance, and resilience through structured risk management.

Does ISO 31000 require an external audit or third-party certification?

ISO 31000 explicitly does not require external audits or third-party certification. As guidelines rather than requirements, organizations demonstrate alignment via internal governance, leadership commitment, documented framework, process evidence, and performance outcomes like monitoring and continual improvement.

How often should an assessment for ISO 31000 be performed?

ISO 31000 requires risk assessments to be performed iteratively based on context changes, not on a fixed schedule. The dynamic principle and monitoring/review process mandate continual reassessment triggered by new information, emerging risks, control deterioration, or significant environmental shifts, integrated into governance rhythms.

What are the consequences of non-compliance with ISO 31000?

Non-compliance with ISO 31000 carries no direct legal penalties as it is a voluntary guideline standard. However, inadequate risk management aligned with its principles may expose organizations to unmitigated operational losses, strategic failures, reputational damage, or regulatory scrutiny in sectors expecting systematic practices.

Can ISO 31000 be mapped to other international frameworks?

Yes, ISO 31000 serves as a foundational framework compatible with other international standards. Its principles, framework, and process provide a common risk management language that supports integration with specialized guidelines, enabling consistent risk thinking across governance and operational systems.

What is the first step to begin implementing ISO 31000?

The first step in implementing ISO 31000 is securing leadership commitment and establishing the risk management framework per Clause 5. Top management must demonstrate accountability through policy issuance, resource allocation, integration into governance, and definition of roles, ensuring risk management embeds into organizational activities before scaling the Clause 6 process.

What is the primary objective of AS9120B?

AS9120B establishes a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics. Built on ISO 9001:2015’s 10-clause high-level structure, it adds over 100 aerospace-specific requirements addressing distribution risks like loss of traceability, counterfeit/suspected unapproved parts, documentation errors, and external provider controls. The standard ensures chain-of-custody integrity through operational controls in Clause 8, including identification/traceability (8.5.2), preservation (8.5.4), and counterfeit prevention (8.1.4/8.1.5), enabling market access via IAQG OASIS listing.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies to aviation, space, and defense distributors that purchase, store, split, or resell parts without affecting conformity. It targets stockist distributors, pass-through distributors, and batch splitters, excluding those modifying products (e.g., machining) or performing maintenance/repair. Certification is not legally mandatory but is a commercial requirement from OEMs and primes for supply chain approval; as of March 2026, over 2,800 global certifications (over 900 U.S.) reflect its de facto market entry criterion.

Does AS9120B require an external audit or third-party certification?

Yes, AS9120B requires third-party certification through accredited bodies following IAQG rules and AS9101 audit criteria. Organizations undergo Stage 1 (documentation review) and Stage 2 (on-site effectiveness audit), leading to OASIS listing. Surveillance audits occur annually, with recertification every three years, verifying QMS implementation across Clauses 4-10.

How often should an assessment for AS9120B be performed?

AS9120B requires internal audits at planned intervals to cover the QMS annually, plus management reviews at defined intervals. Clause 9.2 mandates audit programs providing objective evidence of conformity and effectiveness; Clause 9.3 requires reviews with inputs like performance trends, risks, and supplier data. External surveillance audits occur yearly post-certification.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B risks commercial exclusion, supply chain rejection, and safety liabilities from traceability failures or counterfeit parts. Lacking certification bars OEM/Tier 1 approval and OASIS visibility; audit findings trigger corrective actions, potential decertification, recalls, and legal exposure for product nonconformities impacting safety.

An AS9120B be mapped to other international frameworks?

AS9120B aligns directly with ISO 9001:2015’s high-level structure, enabling seamless integration. Its 10-clause PDCA framework shares Clauses 4-10 verbatim as baseline, with aerospace additions (e.g., counterfeit prevention, traceability) mappable via clause-by-clause comparisons; organizations with ISO 9001 achieve ~75% compliance baseline.

What is the first step to begin implementing AS9120B?

Conduct a gap analysis against AS9120B clauses using a certified checklist to identify deficiencies. Form a cross-functional team to assess current processes versus requirements, prioritizing distributor risks like supplier controls (8.4) and traceability (8.5.2); document scope (4.3) with “not applicable” justifications (e.g., 8.3 design).

Standards Comparison

ISO 31000 vs AS9120B

ISO 31000

Voluntary

2018

International guidelines for enterprise risk management

AS9120B

Mandatory

2016

IAQG standard for aerospace distributor quality management

Quick Verdict

ISO 31000 offers voluntary risk management guidelines for any organization, embedding risk into governance. AS9120B mandates certifiable QMS for aerospace distributors, focusing on traceability and counterfeit prevention. Companies adopt ISO 31000 for resilience, AS9120B for supply chain access.

Risk Management

ISO 31000

ISO 31000:2018 Risk management — Guidelines

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Non-certifiable risk guidelines
Eight core principles
Leadership integration emphasis
PDCA risk framework
Iterative process steps

Quality Management

AS9120B

AS9120B Quality Management Systems - Requirements

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and suspected unapproved parts prevention
Enhanced traceability and chain-of-custody controls
Risk-based external provider evaluation and monitoring
Configuration management for split lots and inventory
Product preservation and shelf-life management

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 31000 Details

What It Is

ISO 31000:2018, Risk management — Guidelines is a principles-based international standard providing flexible guidance for enterprise-wide risk management. Its primary purpose is to help organizations systematically manage uncertainty affecting objectives, applicable to any size, sector, or risk type. It uses a non-prescriptive, iterative approach focused on creating and protecting value through better decisions.

Key Components

Three pillars: 8 principles (integrated, structured, customized, inclusive, dynamic, best information, human/cultural factors, continual improvement), framework (leadership, integration, design, implementation, evaluation, improvement), and process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).
No fixed controls; aligns with PDCA cycle.
Non-certifiable guidelines emphasizing tailoring.

Why Organizations Use It

Enhances decision-making, resilience, and value creation; supports governance, strategy, and operations. Builds stakeholder trust, reduces losses, and enables opportunity capture. Voluntary but benchmarked by regulators/insurers for due diligence.

Implementation Overview

Phased approach: leadership alignment, gap analysis, pilot process, integration, monitoring. Suited for all organizations; involves policy, roles, training, tools like GRC platforms. No certification; internal audits assure alignment. (178 words)

AS9120B Details

What It Is

AS9120B is the IAQG quality management system standard for aviation, space, and defense distributors. Built on ISO 9001:2015's high-level structure, it adds distributor-specific requirements for procuring, storing, splitting, and reselling parts without alteration. Its risk-based approach emphasizes traceability, counterfeit prevention, and supply chain integrity.

Key Components

Over 100 aerospace additions to ISO 9001 clauses 4-10.
Core areas: context analysis, leadership, planning, support, operations (traceability, preservation, external providers), performance evaluation, improvement.
Principles: PDCA cycle, process approach, evidence-based decisions.
Certification via accredited bodies, OASIS listing.

Why Organizations Use It

Commercial necessity for OEM/Tier-1 supply chains.
Mitigates risks like counterfeit parts, traceability loss.
Enhances market access, customer trust, operational efficiency.
Builds resilience against regulatory scrutiny.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
Applies to distributors globally; scales by size.
Requires internal audits, management reviews, third-party certification.

Key Differences

Aspect	ISO 31000	AS9120B
Scope	Enterprise risk management guidelines	Aerospace distributor QMS controls
Industry	All industries, any organization	Aerospace parts distribution only
Nature	Non-certifiable guidelines	Certifiable quality standard
Testing	Internal reviews, no certification	Third-party audits, surveillance
Penalties	No legal penalties	Loss of certification, market exclusion

Scope

ISO 31000

Enterprise risk management guidelines

AS9120B

Aerospace distributor QMS controls

Industry

ISO 31000

All industries, any organization

AS9120B

Aerospace parts distribution only

Nature

ISO 31000

Non-certifiable guidelines

AS9120B

Certifiable quality standard

Testing

ISO 31000

Internal reviews, no certification

AS9120B

Third-party audits, surveillance

Penalties

ISO 31000

No legal penalties

AS9120B

Loss of certification, market exclusion

Frequently Asked Questions

Common questions about ISO 31000 and AS9120B

ISO 31000 FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

From SOC to AI-Native CDC: Redefining Triage and Response in 2026

Explore the shift from SOCs to AI-Native CDCs. Autonomous agents handle Tier 1 triage in 2026, empowering analysts for complex threats. Discover the future of c

Evidential Readiness Blueprint: Mapping Multi-Cloud Access Controls to Cyber Essentials Audit Requirements

Step-by-step blueprint for IT managers to document and verify access control plus patch management evidence across Microsoft 365, AWS, and Azure for first-time

You Guide on how to Start Implementing NIST CSF in Your Organization

Master NIST CSF implementation in your organization with this detailed guide. Learn core functions, key steps, best practices, and tips for cybersecurity succes

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 31000 and AS9120B compare against other standards

Other ISO 31000 Comparisons

Other AS9120B Comparisons

What It Is

Key Components

Three pillars: 8 principles (integrated, structured, customized, inclusive, dynamic, best information, human/cultural factors, continual improvement), framework (leadership, integration, design, implementation, evaluation, improvement), and process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).

No fixed controls; aligns with PDCA cycle.

Non-certifiable guidelines emphasizing tailoring.

What It Is

Key Components

Over 100 aerospace additions to ISO 9001 clauses 4-10.

Core areas: context analysis, leadership, planning, support, operations (traceability, preservation, external providers), performance evaluation, improvement.

Principles: PDCA cycle, process approach, evidence-based decisions.

Certification via accredited bodies, OASIS listing.

Aspect

ISO 31000

AS9120B

Scope

Enterprise risk management guidelines

Aerospace distributor QMS controls

Industry

All industries, any organization

Aerospace parts distribution only

Nature

Non-certifiable guidelines

Certifiable quality standard

Testing

Internal reviews, no certification

Third-party audits, surveillance

Penalties

No legal penalties

Loss of certification, market exclusion