ISO 9001 vs AS9100: What Ops Teams Need to Know

If you run operations in aerospace, defense, or NewSpace, you've almost certainly been pulled into a conversation about quality certifications. A prime asks for proof. A supplier asks which one applies to them. A new hire from outside the industry wants to know why ISO 9001 isn't enough.

The ISO 9001 vs AS9100 question gets asked constantly, but most explanations stop at "AS9100 is the aerospace version." That's true, and it's also the least useful framing for the people who actually have to operationalize either standard. The real differences show up in how work gets executed on the floor — in the procedures, traceability records, configuration controls, and risk evidence that auditors actually want to see.

Here's the breakdown ops teams need.

The short version

ISO 9001 is the global, industry-agnostic standard for Quality Management Systems (QMS). It applies to any organization, in any sector, that wants to demonstrate it can consistently deliver products and services that meet customer and regulatory requirements.

AS9100 is the aerospace, aviation, and defense extension of ISO 9001. It contains the full text of ISO 9001 and adds more than 100 sector-specific requirements maintained by the International Aerospace Quality Group (IAQG). For organizations that supply primes like Boeing, Lockheed Martin, Northrop Grumman, or Airbus, AS9100 is effectively a ticket to do business.

The active revision is AS9100 Rev D, released in September 2016 and aligned with ISO 9001:2015. A new revision — rebranded as IA9100 — is in the IAQG pipeline and is expected to publish alongside ISO 9001:2026. More on that at the end.

Where the standards overlap

Both standards share the same backbone:

• The same high-level structure based on Annex SL, which makes them compatible with other ISO management system standards

• The Plan-Do-Check-Act (PDCA) cycle as the foundation for continual improvement

• Risk-based thinking embedded throughout planning and operations

• The seven ISO quality management principles, including customer focus, leadership, process approach, and evidence-based decision making

• Documentation requirements covering policies, objectives, processes, and records

• Internal audit, management review, corrective action, and nonconformity controls

If you already operate a mature ISO 9001 QMS, you've done roughly 75 percent of the work required for AS9100. The gap is in the remaining 25 percent — and that's where ops teams need to focus.

Where AS9100 adds requirements

AS9100 layers aerospace-specific demands onto the ISO 9001 base. Most of the additions sit in two places: Clause 8 (Operation) and Clause 9 (Performance Evaluation). For an operations leader, these are the clauses that translate most directly into procedure design, work instructions, and shop floor execution.

The major additions:

Product safety. AS9100 requires a documented process for assessing and mitigating product safety risks across the lifecycle — design, production, delivery, and post-delivery. ISO 9001 has no equivalent clause. In practice, this means safety-critical characteristics need to be identified, controlled, and traced through manufacturing.

Counterfeit parts prevention. AS9100 requires controls to prevent the use of counterfeit or suspect unapproved parts. This includes supplier qualification, material verification, segregation procedures, and reporting protocols. ISO 9001 makes no specific demand here.

Configuration management. AS9100 mandates a formal configuration management process — identification, change control, status accounting, and verification — for products and their associated documentation. ISO 9001 references documented information control but does not require a configuration management system.

Risk management as a structured discipline. Both standards require risk-based thinking, but AS9100 expects risk management to be a defined operational process with assigned ownership, evaluation criteria, and integrated controls. Tools like Failure Mode and Effects Analysis (FMEA) are typical evidence.

First article inspection (FAI). AS9100 requires FAI to verify that production processes are capable of producing parts that meet design requirements. ISO 9001 does not.

Supplier management. AS9100 expects flowdown of customer and regulatory requirements through multiple supplier tiers, plus more rigorous supplier qualification, monitoring, and on-site verification rights.

Human factors in nonconformity. AS9100 explicitly requires human factors to be considered when investigating nonconformities and determining corrective actions.

Awareness and ethics. AS9100 expands the awareness clause to include each person's contribution to product safety and the importance of ethical behavior.

Special process control. Processes whose outputs cannot be fully verified by subsequent inspection — welding, heat treating, nondestructive testing, additive manufacturing — require validated, qualified procedures and personnel.

Post-delivery support and product recall. AS9100 requires defined processes for handling product issues after delivery, including recall procedures.

What this means for procedure execution

This is where the standards become an operational problem rather than a documentation exercise. Every requirement above has to be evidenced by something an auditor can pull up on demand — and that evidence almost always traces back to procedures and the records they produce.

A few examples of how AS9100 reshapes day-to-day operations:

Configuration management means every drawing revision, build-of-materials change, and procedure revision needs to be controlled, versioned, and tied to the units it affects. If you ship Unit 47 against Procedure Rev 3, you need to prove on demand that Rev 3 was the approved revision at the time of build — and that any deviations were captured, dispositioned, and signed off.

Counterfeit parts prevention means receiving inspection, lot traceability, and certificate-of-conformance verification have to be reliably executed and recorded for every relevant part. Spreadsheets and paper travelers struggle here, especially as supplier counts grow.

Special process control means qualified operators executing validated procedures, with electronic records that capture process parameters, operator identity, and timestamps. Reconstructing this after the fact from PDFs and paper is where audits go sideways.

FAI requires a defined, repeatable procedure that captures dimensional, material, and process data for the first article — and links it to the design baseline.

Risk management as an operational discipline means the risk register can't be a static document reviewed annually. It has to drive inspection frequency, supplier audit cadence, special process oversight, and contingency plans.

Most of the audit findings that hit aerospace manufacturers don't come from missing clauses in the quality manual. They come from execution gaps — a procedure that didn't capture the right data, a revision that wasn't flowed down, a sign-off that's missing, a deviation that wasn't documented. The standards demand evidence of effectiveness, not just documented intent.

Which standard applies to you

A rough decision framework:

• If you sell directly to aerospace or defense primes or their tier-1 suppliers, AS9100 is almost always required.

• If you supply components, subassemblies, or services to the aviation, space, or defense sectors, AS9100 is expected.

• If you provide maintenance, repair, and overhaul (MRO), AS9110 applies — a parallel standard built on the same base.

• If you distribute aerospace parts, AS9120 applies.

• If you supply raw materials or operate further down the supply chain, ISO 9001 may be sufficient, depending on customer requirements.

• If your work has no aerospace touchpoint, ISO 9001 is the right choice.

Dual certification — holding both ISO 9001 and AS9100 — is generally redundant. AS9100 already contains all of ISO 9001.

What's coming: IA9100

The IAQG has been working on the next revision of the AS9100 series since late 2021. The standard is being rebranded as IA9100, with "IA" standing for International Aerospace. Current industry guidance points to publication aligned with ISO 9001:2026, likely in late 2026 or 2027, with a typical two-to-three-year transition window after release.

Expected emphases in IA9100:

• Information security and cybersecurity, reflecting digital supply chain risk

• Stronger ethics and quality culture expectations at the leadership level

• Expanded counterfeit parts requirements, including obsolescence monitoring

• Tighter supplier flowdown through multiple tiers

• Recognition of AI and digital tools in the QMS

• Greater emphasis on data integrity and traceability

None of this requires a teardown of an existing AS9100 QMS, but it will pressure organizations whose procedure execution, records integrity, and supplier oversight aren't already in good shape.

The operational bottom line

ISO 9001 vs AS9100 is, at one level, a question of scope and industry fit. At the level that matters to operations leaders, it's a question of how much evidence your execution system can produce — and how reliably it produces it under pressure.

Both standards reward organizations that have moved beyond document-as-deliverable thinking. The teams that pass audits cleanly are the ones whose procedures actually run the work, whose records are generated as a byproduct of execution rather than reconstructed after the fact, and whose configuration, traceability, and sign-off controls are built into the workflow rather than bolted on.

That's the difference between a QMS that lives in a binder and one that lives on the floor. And whichever standard applies to your business, that's the gap worth closing first.

Frequently Asked Questions (FAQ)