What is the primary objective of ISO 37301?

ISO 37301:2021 specifies requirements for establishing, implementing, maintaining, and improving an effective Compliance Management System (CMS). Published on 13 April 2021, it replaces the guidance-only ISO 19600 by introducing certifiable 'shall' requirements, following the High-Level Structure (HLS) and Plan-Do-Check-Act (PDCA) cycle to systematically identify compliance obligations, assess risks, embed controls, and drive continual improvement.

Who is legally or professionally required to comply with ISO 37301?

No organization is legally required to comply with ISO 37301, as it is a voluntary, certifiable standard applicable to all sizes and sectors. It is professionally adopted by organizations seeking third-party validation of CMS effectiveness, particularly in regulated industries facing complex obligations like ESG, whistleblowing, or third-party risks, with proportionality scaled to context and risk exposure.

Does ISO 37301 require an external audit or third-party certification?

ISO 37301 enables but does not require external audits or third-party certification. Certification is optional via accredited bodies (e.g., ANAB-accredited), involving initial conformity assessment and surveillance audits in a typical three-year cycle, providing verifiable evidence of CMS alignment to HLS clauses like leadership, risk planning, and performance evaluation.

How often should an assessment for ISO 37301 be performed?

ISO 37301 requires ongoing monitoring, internal audits at planned intervals, and management reviews at planned intervals to assess CMS effectiveness. Performance evaluation must be risk-based, with continual improvement via nonconformity handling; certification involves surveillance audits, commonly annually within a three-year cycle, plus adaptation for changes like the 2024 climate action amendment.

What are the consequences of non-compliance with ISO 37301?

Non-conformance with ISO 37301 results in internal corrective actions, potential certification suspension, and heightened exposure to external regulatory fines or reputational damage. As a voluntary standard, direct penalties stem from unaddressed compliance obligations (e.g., legal breaches), not the standard itself; certification withdrawal signals governance weaknesses to stakeholders.

Can ISO 37301 be mapped to other international frameworks?

Yes, ISO 37301 follows the ISO High-Level Structure (HLS), enabling seamless mapping and integration with other management system standards. Its PDCA cycle and clauses (context, leadership, planning, support, operation, performance evaluation, improvement) align with HLS-based frameworks, supporting Integrated Management Systems (IMS) and companion standards like ISO 37302 (effectiveness) and ISO 37303 (competence).

What is the first step to begin implementing ISO 37301?

The first step is to determine the context of the organization, identifying internal/external issues, interested parties, and compliance obligations. Secure top management commitment, scope the CMS, and initiate a centralized compliance register prioritizing material risks, per Phase 1 of standard implementation playbooks.

What is the primary objective of AS9110C?

AS9110C’s primary objective is to enable aviation maintenance organizations to consistently provide products and services meeting customer and statutory/regulatory requirements while enhancing customer satisfaction through effective QMS application and continual improvement. It incorporates ISO 9001:2015’s Annex SL structure across Clauses 4–10, adding maintenance-specific controls like configuration management, product safety, counterfeit parts prevention, traceability, preservation, and human factors to ensure continuing airworthiness in repair stations and MRO providers.

Who is legally or professionally required to comply with AS9110C?

AS9110C applies to aviation maintenance organizations, including repair stations, MRO providers, and OEMs with autonomous maintenance operations, regardless of size. It targets entities providing maintenance, repair, overhaul, or continuing airworthiness services for civil and military aircraft, where certification is often mandated by customers, OEMs, or regulators for OASIS listing and supply chain access.

Does AS9110C require an external audit or third-party certification?

Yes, AS9110C requires third-party certification through accredited bodies, with the QMS fully operational for at least three months, including a full internal audit cycle and management review. Initial certification involves Stage 1 (documentation review) and Stage 2 (on-site effectiveness audit), followed by annual surveillance and triennial recertification.

How often should an assessment for AS9110C be performed?

AS9110C requires internal audits at planned intervals based on process risk, with full coverage annually, plus management reviews at least annually. Critical processes like configuration management and maintenance release receive higher frequency; external surveillance audits occur yearly post-certification, with recertification every three years.

What are the consequences of non-compliance with AS9110C?

Non-compliance with AS9110C risks loss of repair station approvals, contract ineligibility, regulatory sanctions, and safety incidents from poor traceability or counterfeit parts. It can lead to OASIS delisting, OEM exclusion, fines under aviation regulations (e.g., FAA/EASA Part 145), litigation, and operational shutdowns due to unproven continuing airworthiness.

Can AS9110C be mapped to other international frameworks?

AS9110C aligns directly with ISO 9001:2015 via its Annex SL high-level structure and shares terminology like “documented information” and “external providers.” IAQG correlation matrices facilitate integration, but customer/regulatory requirements override where conflicts arise.

What is the first step to begin implementing AS9110C?

The first step is to define the QMS scope, determine internal/external issues (Clause 4), and conduct a gap analysis against Clauses 4–10 using IAQG checklists. Justify any non-applicable requirements and map to regulatory approvals, producing a prioritized remediation plan with executive sponsorship.

Standards Comparison

ISO 37301 vs AS9110C

ISO 37301

Voluntary

2021

Certifiable international standard for compliance management systems

AS9110C

Mandatory

2016

Aerospace QMS standard for aviation maintenance organizations.

Quick Verdict

ISO 37301 establishes certifiable compliance management systems for all organizations, embedding risk-based culture and whistleblowing. AS9110C delivers aerospace-specific QMS for MROs, focusing on configuration, traceability, and airworthiness. Companies adopt them for certification, risk reduction, and market access.

Compliance Management

ISO 37301

ISO 37301:2021 Compliance management systems – Requirements with guidance

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Certifiable CMS requirements replacing guidance-only ISO 19600
High-Level Structure for integration with ISO 9001/14001/27001
Risk-based approach to obligations, risks, and controls
Leadership commitment fostering compliance culture and accountability
Mandatory confidential whistleblowing with anti-retaliation protections

Quality Management

AS9110C

AS9110C: Quality Management Systems Requirements for Aviation Maintenance

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based thinking in strategic and operational planning
Configuration management and product traceability controls
Counterfeit and suspect parts prevention program
Human factors integration in root cause analysis
Dedicated safety policy and maintenance release requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37301 Details

What It Is

ISO 37301:2021, titled "Compliance management systems – Requirements with guidance for use," is a certifiable international standard for Compliance Management Systems (CMS). It specifies auditable requirements to establish, implement, maintain, and improve CMS using a risk-based approach and Plan-Do-Check-Act (PDCA) cycle within the ISO High-Level Structure (HLS). Applicable to all organization sizes and sectors, it replaces guidance-only ISO 19600.

Key Components

**LeadershipTop management commitment, policy, roles, culture.
**PlanningObligations identification, risk assessment, objectives.
**SupportResources, competence (per ISO 37303), awareness, whistleblowing communication.
**OperationControls, third-party management, investigations.
**Performance evaluationMonitoring, KPIs (per ISO 37302), audits, reviews.
**ImprovementNonconformities, corrective actions, continual enhancement. Supports certification by accredited bodies like ANAB.

Why Organizations Use It

Reduces noncompliance risks, fines, reputational damage; enhances investor trust, ESG reporting. Meets regulatory/ESG demands, integrates with ISO 9001/27001, provides competitive certification edge.

Implementation Overview

Phased: gap analysis, register building, training, audits, certification (3-year cycle). Scalable for SMEs/enterprises globally; requires resources, cultural change, tools like platforms.

AS9110C Details

What It Is

AS9110C (AS9110:2016 Rev C) is an international certification standard for quality management systems (QMS) in aviation maintenance organizations, such as repair stations and MRO providers. It builds on ISO 9001:2015 with aerospace-specific requirements for continuing airworthiness, using a risk-based thinking approach via Annex SL high-level structure and PDCA cycle.

Key Components

Core clauses (4–10): context, leadership, planning, support, operation, evaluation, improvement.
Aviation additions: configuration management, counterfeit parts prevention, human factors, traceability, product safety.
No fixed control count; emphasizes documented information and operational evidence.
Certification via IAQG-accredited bodies with audits.

Why Organizations Use It

Meets customer/OEM contracts and regulatory alignment (FAA/EASA).
Mitigates safety risks, ensures traceability for airworthiness.
Boosts market access via OASIS listing, improves on-time delivery.
Enhances stakeholder trust, reduces rework and liabilities.

Implementation Overview

Phased: gap analysis, process design, training, audits (6–12 months typical).
Applies to MROs globally; requires internal audits, management review.
Involves risk registers, competence matrices, supplier controls.

Key Differences

Aspect	ISO 37301	AS9110C
Scope	Compliance obligations, risks, culture, whistleblowing	Aerospace MRO quality, configuration, counterfeit prevention
Industry	All sectors, all sizes worldwide	Aerospace maintenance organizations globally
Nature	Certifiable management system standard	Certifiable QMS standard with aviation additions
Testing	Internal audits, management reviews, certification audits	Internal audits, operational checks, Stage 1/2 certification
Penalties	Loss of certification, no legal penalties	Loss of certification, regulatory sanctions possible

Scope

ISO 37301

Compliance obligations, risks, culture, whistleblowing

AS9110C

Aerospace MRO quality, configuration, counterfeit prevention

Industry

ISO 37301

All sectors, all sizes worldwide

AS9110C

Aerospace maintenance organizations globally

Nature

ISO 37301

Certifiable management system standard

AS9110C

Certifiable QMS standard with aviation additions

Testing

ISO 37301

Internal audits, management reviews, certification audits

AS9110C

Internal audits, operational checks, Stage 1/2 certification

Penalties

ISO 37301

Loss of certification, no legal penalties

AS9110C

Loss of certification, regulatory sanctions possible

Frequently Asked Questions

Common questions about ISO 37301 and AS9110C

ISO 37301 FAQ

AS9110C FAQ

You Might also be Interested in These Articles...

Top 5 Audit Survival Secrets for Your First SOC 2 Type 2: What Auditors Really Check (and How to Pass)

Master your first SOC 2 Type 2 audit with proven strategies: 40-sample testing, vendor gaps, CPA walkthroughs. Get checklists, scripts & tips from SignWell to s

SOC 2 for Bootstrapped SaaS: Lazy Founder's Automation Roadmap with Vanta/Drata Templates

Bootstrapped SaaS founders: Achieve SOC 2 Type 2 in 3 months with Vanta automation (cuts 70% manual work). Free templates, workflows, screenshots, metrics & Sig

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 37301 and AS9110C compare against other standards

Other ISO 37301 Comparisons

Other AS9110C Comparisons

Quick Verdict

What It Is

Key Components

**LeadershipTop management commitment, policy, roles, culture.

**PlanningObligations identification, risk assessment, objectives.

**SupportResources, competence (per ISO 37303), awareness, whistleblowing communication.

**OperationControls, third-party management, investigations.

**Performance evaluationMonitoring, KPIs (per ISO 37302), audits, reviews.

**ImprovementNonconformities, corrective actions, continual enhancement. Supports certification by accredited bodies like ANAB.

What It Is

Key Components

Core clauses (4–10): context, leadership, planning, support, operation, evaluation, improvement.

Aviation additions: configuration management, counterfeit parts prevention, human factors, traceability, product safety.

No fixed control count; emphasizes documented information and operational evidence.

Certification via IAQG-accredited bodies with audits.

Aspect

ISO 37301

AS9110C

Scope

Compliance obligations, risks, culture, whistleblowing

Aerospace MRO quality, configuration, counterfeit prevention

Industry

All sectors, all sizes worldwide

Aerospace maintenance organizations globally

Nature

Certifiable management system standard

Certifiable QMS standard with aviation additions

Testing

Internal audits, management reviews, certification audits

Internal audits, operational checks, Stage 1/2 certification

Penalties

Loss of certification, no legal penalties

Loss of certification, regulatory sanctions possible