What is the primary objective of ISO 37301?

ISO 37301 specifies requirements for establishing, implementing, maintaining, and improving an effective Compliance Management System (CMS). Published on 13 April 2021, it replaces the guidance-only ISO 19600 by introducing certifiable 'shall' requirements, following the High-Level Structure (HLS) and Plan-Do-Check-Act (PDCA) cycle to systematically identify compliance obligations, assess risks, and foster a culture of integrity.

Who is legally or professionally required to comply with ISO 37301?

No organization is legally required to comply with ISO 37301, as it is a voluntary certifiable standard applicable to all sizes and sectors. It is professionally adopted by organizations seeking third-party certification to demonstrate systematic compliance risk management, particularly in regulated industries facing ESG pressures, with accreditation available via bodies like ANAB.

Does ISO 37301 require an external audit or third-party certification?

ISO 37301 enables but does not require external audits or third-party certification. Certification is optional through accredited bodies (e.g., ANAB-accredited), involving initial conformity assessment and surveillance audits in a typical three-year cycle, providing verifiable evidence of CMS effectiveness to stakeholders.

How often should an assessment for ISO 37301 be performed?

ISO 37301 requires continual performance evaluation, including internal audits at planned intervals and management reviews at regular planned times. Monitoring, measurement, and analysis occur ongoing via KPIs, with risk-based internal audits and management reviews feeding into the PDCA cycle for continual improvement; certification involves annual surveillance audits.

What are the consequences of non-compliance with ISO 37301?

Non-compliance with ISO 37301 itself carries no direct penalties, as it is voluntary, but certification withdrawal or failure to maintain CMS exposes organizations to regulatory fines, litigation, and reputational damage. It increases risks of unmet compliance obligations, lacking mitigating evidence in enforcement actions.

Can ISO 37301 be mapped to other international frameworks?

Yes, ISO 37301 follows the High-Level Structure (HLS), enabling seamless mapping and integration with other ISO management system standards. Its PDCA-based clauses on context, leadership, planning, support, operation, evaluation, and improvement align directly, supporting Integrated Management Systems (IMS) without referencing specific other frameworks.

What is the first step to begin implementing ISO 37301?

The first step for implementing ISO 37301 is determining the context of the organization, including internal/external issues and interested parties' expectations. This informs CMS scope, obligation identification, and risk assessment per Clause 4, securing top management buy-in before building a centralized compliance register.

What is the primary objective of AS9120B?

AS9120B establishes quality management system requirements for aerospace distributors that procure, store, split, and resell parts without altering characteristics. Built on ISO 9001:2015's 10-clause structure, it adds over 100 IAQG-specific controls targeting distribution risks like traceability loss, counterfeit parts, documentation errors, and external provider weaknesses. Core focus: chain-of-custody integrity via configuration management, preservation, and counterfeit prevention.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies to stockist distributors, pass-through distributors, and those performing batch splitting in aviation, space, and defense supply chains. It targets organizations handling aerospace parts without modification; excludes value-added activities altering conformity or MRO. Certification is not legally mandated but commercially required by OEMs and primes for supply chain approval, with ~2,442 global certifications (836 U.S.) as of March 2026 enabling OASIS visibility.

Does AS9120B require an external audit or third-party certification?

AS9120B requires third-party certification through accredited bodies for formal recognition and OASIS listing. Organizations conduct internal audits per Clause 9.2 at planned intervals, but certification involves Stage 1 (documentation) and Stage 2 (implementation) audits per AS9101, followed by annual surveillance and triennial recertification to verify QMS effectiveness.

How often should an assessment for AS9120B be performed?

AS9120B mandates internal audits at planned intervals to cover all processes annually, plus management reviews at defined intervals. Clause 9.2 requires audit programs ensuring objectivity; Clause 9.3 ties reviews to performance data like nonconformities, supplier trends, and risks. External surveillance audits occur yearly post-certification, with full recertification every three years.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B risks commercial exclusion from OEM supply chains, loss of OASIS listing, and supply chain liabilities. Auditors issue major nonconformities for gaps in traceability, counterfeit controls, or supplier evaluation, potentially delaying certification. Operationally, it leads to nonconforming outputs, recalls, and eroded customer trust; no direct legal penalties but exposes to contract breaches and safety liabilities.

Can AS9120B be mapped to other international frameworks?

AS9120B aligns directly with ISO 9001:2015's high-level structure, enabling seamless mapping of its 10 clauses. It augments ISO baseline with aerospace additions (e.g., Clause 8 counterfeit prevention, traceability), supporting integrated QMS without other standards. IAQG tools facilitate clause-by-clause comparisons for gap analysis.

What is the first step to begin implementing AS9120B?

Conduct a formal gap analysis against AS9120B clauses using cross-functional teams to map current processes. Per Clause 4, document context, interested parties, scope, and "not applicable" justifications (e.g., 8.3 design); prioritize distributor risks like supplier controls and traceability to build a risk register and implementation backlog.

Standards Comparison

ISO 37301 vs AS9120B

ISO 37301

Voluntary

2021

International certifiable standard for compliance management systems

AS9120B

Mandatory

2016

Aerospace QMS standard for distributors of parts.

Quick Verdict

ISO 37301 establishes certifiable compliance management systems for all organizations, emphasizing risk-based compliance culture. AS9120B delivers quality management for aerospace distributors, focusing on traceability and counterfeit prevention. Companies adopt them for certification, risk reduction, and supply chain credibility.

Compliance Management

ISO 37301

ISO 37301:2021 Compliance management systems requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Certifiable CMS requirements replacing guidance-only ISO 19600
High-Level Structure for IMS integration with ISO 9001/27001
Risk-based compliance obligations assessment and controls
Leadership commitment and organizational culture emphasis
Confidential whistleblowing with anti-retaliation protections

Quality Management

AS9120B

AS9120B Quality Management Systems - Requirements

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Prevents counterfeit and suspected unapproved parts
Ensures traceability from receipt to split delivery
Risk-based external provider evaluation and controls
Configuration management via sales order records
Preservation controls for storage and handling

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37301 Details

What It Is

ISO 37301:2021 is a certifiable international standard specifying requirements with guidance for Compliance Management Systems (CMS). It provides a systematic, risk-based approach to identify obligations, manage risks, and foster integrity across organizations of all sizes and sectors, using the Plan-Do-Check-Act (PDCA) cycle and High-Level Structure (HLS).

Key Components

Core clauses: context, leadership, planning, support, operation, performance evaluation, improvement.
Emphasizes leadership commitment, risk assessment, whistleblowing, competence, monitoring, audits, and continual improvement.
Built on HLS for integration with ISO 9001/14001/27001; supports companion standards like ISO 37302/37303.
Certifiable via accredited bodies like ANAB.

Why Organizations Use It

Drives regulatory compliance, reduces fines/reputational risks, enhances stakeholder trust, supports ESG/SDGs. Provides certification for competitive edge, investor confidence, and integrated risk management.

Implementation Overview

Phased approach: gap analysis, obligation register, controls/training, audits/certification. Applicable universally; scalable for SMEs/enterprises. Typical 12-18 months; involves resources, cultural change, third-party audits.

AS9120B Details

What It Is

AS9120B is the IAQG quality management system standard for aviation, space, and defense distributors. It augments ISO 9001:2015's high-level structure with distributor-specific requirements. Primary purpose: ensure traceability, prevent counterfeits, and maintain product conformity without altering characteristics. Adopts risk-based thinking and PDCA approach.

Key Components

Over 100 aerospace additions to ISO 9001 clauses 4-10.
Pillars: context/leadership, planning/support, operations (traceability, counterfeit prevention, external providers), evaluation, improvement.
Built on 10-clause HLS; certification via accredited bodies, OASIS listing.

Why Organizations Use It

Commercial necessity for OEM/Tier-1 supply chains.
Mitigates risks like traceability loss, counterfeits.
Builds customer trust, enables market access (2,442 global certifications).
Drives efficiency, reduces nonconformities.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
Applies to stockists/distributors globally; multi-site scalable.
Stage 1/2 certification audits required.

Key Differences

Aspect	ISO 37301	AS9120B
Scope	Compliance management systems (CMS) requirements	Aerospace distributor quality management systems
Industry	All sectors and organization sizes globally	Aerospace distribution supply chain specifically
Nature	Voluntary certifiable international standard	Voluntary certifiable quality standard
Testing	Internal audits, management reviews, certification audits	Internal audits, process audits, surveillance audits
Penalties	Loss of certification, no legal penalties	Loss of certification, market exclusion

Scope

ISO 37301

Compliance management systems (CMS) requirements

AS9120B

Aerospace distributor quality management systems

Industry

ISO 37301

All sectors and organization sizes globally

AS9120B

Aerospace distribution supply chain specifically

Nature

ISO 37301

Voluntary certifiable international standard

AS9120B

Voluntary certifiable quality standard

Testing

ISO 37301

Internal audits, management reviews, certification audits

AS9120B

Internal audits, process audits, surveillance audits

Penalties

ISO 37301

Loss of certification, no legal penalties

AS9120B

Loss of certification, market exclusion

Frequently Asked Questions

Common questions about ISO 37301 and AS9120B

ISO 37301 FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

Unpacking the True Cost: A Guide to Calculating TCO for Modern Compliance Monitoring Software

Unpack the true Total Cost of Ownership (TCO) for compliance monitoring software. Factor in licenses, implementation, training, maintenance, and ROI savings for

Evidential Readiness Blueprint: Mapping Multi-Cloud Access Controls to Cyber Essentials Audit Requirements

Step-by-step blueprint for IT managers to document and verify access control plus patch management evidence across Microsoft 365, AWS, and Azure for first-time

NIST SP 800-53 Rev 5.1 Private Sector Tailoring Blueprint: First 5 Steps to Overlay-Driven Compliance with Infographic

Step-by-step blueprint for private sector NIST SP 800-53 Rev 5.1 tailoring using overlays for AI & supply chain risks. Infographic + first 5 steps for ROI-drive

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 37301 and AS9120B compare against other standards

Other ISO 37301 Comparisons

Other AS9120B Comparisons

Quick Verdict

What It Is

Key Components

Core clauses: context, leadership, planning, support, operation, performance evaluation, improvement.

Emphasizes leadership commitment, risk assessment, whistleblowing, competence, monitoring, audits, and continual improvement.

Built on HLS for integration with ISO 9001/14001/27001; supports companion standards like ISO 37302/37303.

Certifiable via accredited bodies like ANAB.

What It Is

Aspect

ISO 37301

AS9120B

Scope

Compliance management systems (CMS) requirements

Aerospace distributor quality management systems

Industry

All sectors and organization sizes globally

Aerospace distribution supply chain specifically

Nature

Voluntary certifiable international standard

Voluntary certifiable quality standard

Testing

Internal audits, management reviews, certification audits

Internal audits, process audits, surveillance audits

Penalties

Loss of certification, no legal penalties

Loss of certification, market exclusion