IA9100 Is Getting Real: ISO 9001:2026, Leadership, Culture, and Cybersecurity
by Christian Reyes on Jun 30, 2026 10:57:12 AM
AS9100 to IA9100 Transition:
What You'll Learn in This Episode
- IA 9100 should be treated as preparation, not panic. The episode does not frame the transition as a reason to rebuild the entire QMS.
- The real shift is evidence. Procedures, policies, and onboarding records may not be enough if the organization cannot prove the process is working in practice.
- ISO 9001:2026 is likely part of the foundation, not necessarily a separate mountain to climb. Mike explains that AS9100 has historically built on ISO 9001, and IA 9100 is expected to follow that structure.
- Leadership may need to be more directly involved in audits. The discussion suggests auditors may ask how leadership reinforces quality culture, responds to ethical concerns, and closes the loop.
- Quality culture and ethics need tangible proof. A signed policy or training slide may not demonstrate how employees identify, escalate, and respond to real issues.
- Information security is becoming a QMS issue. Electronic records, customer data, regulatory information, portals, remote work, and business continuity all connect directly to quality risk.
- Small suppliers can start practically. Mike points to access controls, multi-factor authentication, backups, and existing software features as reasonable starting points.
- Production process validation, counterfeit part prevention, and supplier controls remain important pressure points. This episode introduces those areas, with more shop-floor discussion set up for the next part of the conversation.
AS9100 to IA9100 Compliance in the Aerospace Industry
In this episode, Christian Reyes and Mike Varney continue their aerospace quality conversation by focusing on what companies should do before IA 9100 is finalized. The key message is clear: this does not appear to be a full QMS rewrite, but aerospace companies should take a harder look at the evidence behind their system. Mike discusses ISO 9001:2026 alignment, leadership accountability, quality culture, ethical behavior, information security, and how auditors may begin asking deeper questions about whether the QMS is actually working.
The conversation also addresses a common question for aerospace suppliers: will companies need one transition plan or two if ISO 9001 changes before IA 9100 is finalized? Mike explains why AS9100 has historically been built on ISO 9001 and why IA 9100 is expected to follow that same foundation. You'll also hear practical discussion around QMS data protection, remote work, customer and regulatory information, access controls, multi-factor authentication, backups, and why "IT handles that" may not be enough in a future audit environment.
Tags & Hashtags:
QT9 Q-Cast, QT9 QMS, AS9100, AS 9100, IA 9100, IA9100, ISO 9001:2026, ISO 9001, aerospace QMS, aerospace quality management, aerospace compliance, AS9100 transition, IA9100 transition, audit readiness, objective evidence, quality culture, ethical behavior, leadership accountability, information security, QMS data, electronic documented information, counterfeit parts, production process validation, first article inspection, supplier quality
Episode Transcript
Christian (00:00)
Mike, welcome back to the QT9 QCast. In our first aerospace episode, we covered the big picture transition from AS-9100 to IA-9100. Why the name is changing, kind of the expected timing, why companies should not treat this like a full QMS rewrite, as well as some of the kind of early signals around cybersecurity, product safety, and audit evidence.
IA 9100 is still not final. You know, we're talking about expected changes, public support material, your informed interpretation.
Mike, since our first episode, what's the biggest thing you think aerospace companies should understand differently, if anything?
Mike Varney (00:38)
Well, you know, we talked initially nearly a year ago now. I think it was, you know, Q3, Q4 last year. And there have been a few things that have changed. You know, initially there were some discussions regarding timeframe, right, which is still not 100% ironed out. There was some debate about whether or not the aerospace standard was going to wait for the 9001 release and whether or not that was going to happen. It's now starting to look like they are waiting for that.
And we can jump into that a little bit more here later. But I think more importantly, we've received a little more clarification around kind of what that picture might look like, you know, in regards to a couple different topics.
Christian (01:04)
Okay.
Sure, sure. Kind of, we're gaining some clarity as time has gone on, which is good. We want that. And I think one of your big messages from our last episode was do not blow up your QMS. Don't go in and expect everything to change because this does not appear to be a full rewrite.
So when you say IA 9100 is not a rewrite, what do you want people to hear when you say that?
Mike Varney (01:40)
So I thought about this a lot because it can be kind of difficult to understand. The actual requirements within the body, at least to the best of our knowledge as of today, have not changed all that dramatically. What's expected of companies now in the aerospace industry is to have defensible objective evidence to prove that we're doing those things. And that may seem kind of like, you know, what your auditor has been asking you from the start.
But I think the expectations have shifted a little bit. For example, we talk a lot about quality culture, right? And that's something that came up in Rev D of AS9100. But the way that it was demonstrated was kind of vague. And I think the way that auditors are going to expect you to comply with those requirements now has to be a little bit more tangible. We can't just say, we have a policy in place. We trained our employees at the time of onboarding. That I don't think is going to fly anymore.
So there's going to be some more expectations now about how we're going to be able to prove things like ethics and culture, amongst other topics, versus just saying, well, we put a policy in place and our employees signed it. That's not going to fly like it used to. I think we're going to expect some more meat to that.
Christian (02:48)
Sure. Maybe not, I don't want to say pushback necessarily, but auditors are gonna follow that trail a little deeper, if you will.
Mike Varney (02:56)
Yes, 100%.
Christian (02:58)
So what does more disciplined risk-based behavior look like in an actual aerospace audit?
Mike Varney (03:05)
That's a good question. There's a couple of quotes that kind of apply, right? One of which that I love is what gets measured gets done, right? So when we track things like in a traditional QMS, be it ISO 9001, AS9100, 13485, any of the standards, we measure things like KPIs, right? Our key performance indicators or quality objectives. Sometimes they're one and the same.
You know, an auditor will frequently ask for information about, you know, your year to year performance or performance over the last 12 months against those objectives and those KPIs. I think what we're expecting to see now is not only that we're tracking that information and we have good data, but also what are we doing with that data? You know, what are we learning from the information that we're gathering? And how is that impacting decisions that we're making, not just on a day to day, but also for the business as a whole, for the structure of the quality management system, you know, in our general decisions throughout the business.
Christian (03:58)
What would you say are the top three areas where companies are going to feel the transition the most?
Mike Varney (04:04)
That's a great question. I think the elephant in the room, and I know you and I have talked about this before, is our production process validation, right? This one really intimidates people. I think this is probably the top one because there's the most confusion around it. Historically, the clause in the standard required that we do a production process validation event using a representative item from our first batch of a production run, something to that effect, to prove that we're capable of producing product using that methodology. Historically, companies said, OK, that's a first article inspection. And the note in the standard, in the Rev D standard, says that this can be called a first article inspection. However, we've since learned that the industry decided that that's not quite good enough. And we need something a little more defensible other than just, I made this part and it worked, because that just tells you that that part is good. It doesn't necessarily prove that the production process is capable. And we could talk a little bit more about that, but I think that's something that people are gonna struggle with a little bit. Not because it's hard, not because people can't do it, but because it's a little bit vague. And I expect consultants like myself and auditors out in the field are going to have to kind of fight their way through that the first go round, because I think that's gonna be a little bit clunky and challenging for people.
Christian (04:58)
Yeah.
Mm-hmm.
Mike Varney (05:18)
Some of the other things that I think will be a little more difficult is going to be the ethical and cultural side. Again, not so much because it's challenging, but because it's very subjective. And people need to have something in place other than, like I said before, just a policy that somebody signs. We need to actually see some tangible evidence there about how employees are actually going to handle things if they find something in the workplace that violates a culture and ethical requirement.
Christian (05:19)
Yeah.
Mm-hmm.
Mike Varney (05:45)
versus just saying that we have a policy, you know, more than just something hanging up on a bulletin board. So that'll be a little bit challenging for people to kind of navigate their way through. You know, also there are some changes to counterfeit part prevention. I don't know how difficult that'll be. I think it will depend largely on whose supply chain you're in. Some of the OEMs already have some pretty strict requirements, but for companies that are not working with those OEMs, some of the changes to counterfeit part requirements are gonna be a little bit daunting. Again, I think it's all very manageable. I just think we need to make sure that we're guiding people the right way to make sure that they're actually producing something that is repeatable and defensible in an audit environment. And not only for the sake of auditing, but also for the sake of building value for the business. Because if it's not adding value, we shouldn't waste our time doing it.
Christian (06:28)
Absolutely. Absolutely. So kind of, don't rewrite your system, but do not assume that your current evidence is enough. The question is not really just do we have a procedure like it was, and it's evolved to kind of the question being can we prove the procedure is working where the risk lives, where it's addressing where it needs to address risk.
Let's just talk about the ISO 9001:2026 question, because this is where people get confused, myself included. But aerospace companies know that AS9100 has historically been built on ISO 9001, with the aerospace specific requirements layered on top.
IAQG describes 9100 as a QMS standard with additional requirements over ISO 9001 for aviation, space, and defense organizations. So if ISO 9001 changes in 2026, big if, a lot of aerospace companies are asking: do we need an ISO 9001 transition plan and an IA 9100 transition plan?
Mike Varney (07:28)
So if we back up to say 2024, and you asked me this question then, I would say that that's a very feasible possibility. There were some questions back then regarding whether or not AS or IA was going to wait for ISO 9001. And back then it was looking like they weren't going to. And that there was going to be some
Christian (07:29)
Yeah.
Mike Varney (07:50)
some deviation from the traditional method of aerospace building upon ISO. However, as we've learned in the last year, those things have started to realign, which I think is a great sign. If that comes to fruition like it looks like it's going to, we will likely see ISO 9001 at the tail end of this year. And then we will likely see the aerospace standard to follow, similar to what they did with ISO 9001:2015 and then AS9100:2016, or Rev D, where the ISO came out, a little bit of time went by, AS built its stuff on top of it. I anticipate, not with absolute certainty, but with pretty good confidence as of today, that that's what's going to happen in this go around. So I don't think there's any reason that you should have two transitionary plans. I would expect the IA 9100 to have all that stuff built in. If it doesn't, it would be kind of unusual, a bit unprecedented in the history of this standard. But I think for the time being, it's safe to say that you would not need a separate transition plan.
Christian (08:46)
So ultimately, how should aerospace companies think about 9001:2026? It's not necessarily a separate mountain to climb, it's more kind of the foundation that IA 9100 will absorb, correct?
Mike Varney (09:00)
That is correct. For anybody who's certified to AS9100 today who's familiar with the standard, anything in the standard that's both in italics, you know that's additional for aerospace. Anything that is in regular font is ISO 9001. It is verbatim the same thing with its stuff layered on top. We anticipate that this is going to be the same going forward, similar structure.
So those things should be one and the same to you as an aerospace certified company. The same way that an AS9100 company today doesn't treat them differently. They follow the AS9100 standard because it complies to both. And if you notice, your certificate that you received from your CB or your registrar actually will say AS9100 and ISO 9001 on their certificate. That's not a coincidence or a typo. That's because if you're certified, you're inherently certified to the 9001 beneath it. Does that make sense?
Christian (09:50)
Gotcha, yeah, that makes sense. Definitely clears it up. So even if companies are holding 9001 and AS9100 certificates, it's still the same. I mean, you're getting audited to 9001 plus some, right?
Mike Varney (10:05)
Correct, correct. And you know, one way that this kind of showed up, I'm a certified auditor for both 9001 and AS 9100. The addendum that came out in 2024 for 4.1 and 4.2 for the consideration of climate change, that was an ISO 9001 amendment. However, every single AS 9100 auditor had to ask that in AS audits. It was not an AS requirement. It was an ISO amendment. And because
Christian (10:29)
Hmm.
Mike Varney (10:32)
It's one and the same, right? The AS9100 is built on top of ISO. All the ISO stuff applies. So the aerospace companies were asked about this ISO 9001 amendment in their audits in 2024, which threw some people for a loop. I actually had a couple of clients say, well, hold on, that's an ISO requirement. That doesn't apply to us. So there's still a little bit of misconception out there that those things, if you're certified to AS9100, those things are built in. You don't get to escape the 9001 requirements.
Christian (10:55)
Mm-hmm.
Mike Varney (10:58)
They ultimately all apply to you as well.
Christian (11:00)
That's a good example. Thank you for that. That definitely kinda clears up my confusion.
Your newer summary says that clause four is expected to put more emphasis on culture as a part of the organization's context. That includes values, organizational knowledge, and performance.
And it also says clause five strengthens leadership accountability for quality culture and ethical behavior. And those are easy words to put on a slide and talk about during a podcast, but they're harder to prove in an audit. So can you talk to me a little bit on how an auditor evaluates quality culture without turning it into a vague opinion?
Mike Varney (11:36)
Yeah, this is an interesting one. And this is a common theme with verbiage couple of the changes that we're expecting in the new standard, where there's some built-in subjectivity now. There has always been a little bit of some historically, but these are a little bit more so than maybe we've been used to in the past. Company culture, quality culture, and ethics have always been requirements in some regard, though relatively vague.
We're anticipating that those are gonna become a lot more rigid. The actual verbiage of what that looks like in the standard, I think will shed a lot of light on what that might look like in an audit environment. As of today, what I would make sure to be telling my people in preparation, if I was running an aerospace manufacturing facility, is not only do you need to be aware of maybe our cultural policy, our ethics policy, our general quality policies, but also we need to be able to understand how those things interact with our day-to-day responsibilities and activities of the business, but also how we're responding to things. So for example, I mentioned ethics there, which these all kind of play together a little bit. If you have a situation where an employee finds something in the workplace unethical, not only do they need to know how to identify that something might be unethical or violate their culture, but also what are they doing to escalate it, right? So not just we notice that something is wrong, but now what are the next steps? Am I supposed to be calling somebody? Am I supposed to be filling something out? Am I supposed to be notifying somebody, you know, some regulatory body? Like, what am I supposed to be doing? And that looks different for a lot of places. You know, every company handles that a little bit differently.
And the leadership side of that is interesting too, because historically, a lot of leadership, and again, this is not everybody, so I might take this the wrong way, but there's a lot of companies out there where leadership come audit time, says, we're going to go on vacation, our quality manager will handle the audit, and will answer any questions that the auditor might have. And that is likely not going to fly like it used to.
I expect that leadership is probably going to be pulled more into audit environments than they may have been in the past. And they're going to be asked things about how are they enforcing their quality culture, not just how are their employees practicing their quality culture. What is leadership doing with that quality culture? How are they flowing that down? How is that reflected? What are they doing in a situation, just to close the loop here, if someone were to bring up an ethical situation? What is leadership now doing about it? How are they handling that?
Christian (13:34)
Okay.
Mike Varney (13:59)
What changes are they making? Are they escalating it beyond themselves? You know, these are things that I expect are going to come up as discussion points in audits that a lot of people probably have not, you know, received questions about in the past, historically, in their audits. So I anticipate that'll be interesting and, you know, that might be challenging for some leadership representatives of certain companies, depending on how the companies are structured.
Christian (14:12)
Yeah.
Yeah. Yeah. This is a good answer. You basically had my follow-up questions, you just answered them kind of right down the line. Like, the next question was what might leadership be asked that they're not used to answering, and you answered that. They might actually have to be present for the audit, one. But also
Mike Varney (14:28)
Yeah, yeah. And I'm hesitant to harp too much on that. I'm not trying to point fingers at anybody saying, every place we go into, leadership leaves. That's not true. I have a lot of clients whose leadership is heavily involved in the audits. But that's not really standardized, and that's not currently a requirement. Leadership has responsibilities, but there's nothing in the standard that says the president of the organization needs to be present in an audit environment.
You know, your management representative does, but your president of the organization doesn't, your general manager doesn't, your ops manager doesn't, you know, whoever it might be. So there's probably going to be a shift there. I'm actually, I'm probably more interested in clause four and clause five, the actual verbiage of what that looks like when it comes out, than I am any of the other anticipated changes, because I think the way that's worded is going to play a big impact in how it's going to be audited.
Christian (15:05)
Mm-hmm.
Mike Varney (15:31)
you know, because a couple word tweaks in either direction could really impact this.
Christian (15:34)
Yeah, absolutely. Absolutely. I don't want to say it's a cloud of ambiguity, but to a certain degree it is. And yeah, like you said, the verbiage is absolutely going to indicate what can be expected in terms of how that plays out in an audit.
Mike Varney (15:51)
Absolutely.
Christian (15:52)
And so your newer summary calls out a new requirement for information security, in that organizations are being expected to plan, implement, and control information security as a part of the quality management system. Obviously we won't pin down an exact subclause number on the record since final numbering is not yet published. But it also calls out remote work, customer and regulatory data protection, business disruption risk, compromised information security, external provider access to data, and stronger controls for electronic documented information. And so what makes information security more of a QMS topic instead of strictly an IT topic?
Mike Varney (16:32)
So historically, if we think back to when the old standard came out, I say the old standard, I mean either 2015 as we pertain to ISO or Rev D for AS9100. These came out in 2015 and 2016 respectively, but they were also drafted a year or two or three before that. And back then, a lot of companies were still maintaining a lot of their information in paper copies. There was a lot of physically signed job travelers that got retained. They may have been scanned, but there was always paper supporting. We've transitioned pretty dramatically over the last 10, 15 years to digital document control as it pertains to a ton of this stuff. We see way less filing cabinets in audit environments than we used to. And while the standard covers itself well enough in its current state to be able to support
Christian (17:16)
Yeah.
Mike Varney (17:23)
and in the digital era, it's not explicit. And I think that some of the lessons that have been learned, not just in aerospace, but all around the world in all different industries with cyber breaches and corrupt documents and things like that, they felt it necessary to embed some language in the new standard that pertains to the security of your documentation.
But not just the security documentation, you brought up a couple of things too, like remote work. How are we protecting our remote work communications? Are there requirements for that? I know that there's some OEMs out there that require encrypted virtual meeting platforms when they're doing things like zoom.gov. There's some companies that don't. And I don't think necessarily that that's going to be a requirement in itself verbatim.
But I think there's going to be some controls that must be in place when we're supporting things like remote work, access for our customers or our suppliers to our data if we're running a portal. Historically, portals were only run by the big billion dollar companies. But there's a lot of smaller organizations that I've been working with over the past couple of years that have integrated their own forms of portals where they can communicate things like their C of Cs and C of As to their customers, where their customers can provide prints as part of a purchase order.
Christian (18:37)
Mm-hmm.
Mike Varney (18:40)
How are those things protected, right? That's CUI. Now, again, I don't expect that we're gonna have NIST 800-171 CMMC compliance requirements here. I would be shocked if we did. I think we'd have a lot of upset people if that was the case. But I would imagine that this is going to be like an introduction to some of those methodologies.
Christian (18:50)
Mm-hmm.
Yes, absolutely. And from your perspective, what would a reasonable audit-ready information security approach look like for a small aerospace supplier?
Mike Varney (19:07)
That's a great question. You know, a practical approach probably would be your basic access controls. You know, a lot of your apps that we use maybe in our personal lives are now starting to require things like dual authentication. You get the pings on your phone, things like that. Most traditional programs now have that, have those features built in. I would anticipate if you're running an ERP system, which a lot of companies now are, that you have appropriate access controls.
Certain documents that may be accessible by some and not by others, right? Those tools exist. We should be using those tools. If dual authentication is an option, we should be using those tools as well. You know, general information backup. Excuse me, be it offsite backup or cloud storage backup. Again, none of this is new, right? This tech exists. We've experienced it in our personal lives, not just in our work lives.
Christian (19:34)
Mm-hmm.
Mike Varney (19:57)
I imagine that it would be beneficial for companies to be exercising those tools. They exist for a reason. Let's use them to do our best to protect what we have and also not only to protect sensitive information, but also to protect our employees. There's some inherent employee risk there as well. If someone gains access to somebody else's login profile in our database, there's some inherent risk there.
Christian (19:57)
Mm-hmm.
Mike Varney (20:22)
So we want to make sure that we're using the tools that are available. I'm not telling anybody to go out and spend $100,000 to buy software to try and further protect. But I think a lot of what we're already doing has features that just need to be taken advantage of.
Christian (20:34)
That's a great point. I mean, honestly, as a software provider ourselves at QT9 here, I've seen that and just in how we've had to change our approach in the past, you know, half decade. You know, we had to become ISO 27001 certified and ultimately building that multi-factor authentication in and things like that. But most of them go into settings. So if you're using a software system, I think the chances are pretty good, if it's B2B, that those features will be available. Like you're saying, it's just more a matter of utilizing them. That's a
Mike Varney (20:46)
Absolutely.
Correct, correct. You know, we're so used to clicking past those questions, right? Do you want to enable dual authentication? No, right? We're all guilty of it. But those tools exist for a reason, and in a business environment, especially in aerospace and defense, you know, using those safeguards is going to become critical. How that's going to be audited will be kind of interesting. You know, I imagine that auditors are probably going to ask to see, you know, what your plan looks like for your information protection.
Christian (21:13)
Yeah.
Mm-hmm.
Mike Varney (21:33)
It may be worded just like that. And I would make sure that you at least have an answer for it. Not necessarily, it doesn't need to be CMMC compliant. It doesn't need to be NIST 171 compliant necessarily. But I want to make sure that we can prove that we're taking it seriously and there are some tools in place.
Christian (21:50)
Absolutely. Absolutely. I think that's a good sum up of it in terms of the cybersecurity as it relates to aerospace. Even ISO. It's not automatically ISO 27001. It's not automatically CMMC-level requirements. But "IT handles that" is probably not a good enough answer anymore.
Mike Varney (22:09)
Leaning on the MSP is not going to fly anymore.
Christian (22:13)
Yeah, information security. I mean, it affects QMS records, it affects your customer requirements, traceability, product conformity, even like business continuity. And so that
Mike Varney (22:23)
Absolutely. Yeah, there's a lot of inherent risk there that is relevant, right? We talked, you mentioned continuity, you know, your contingency plans, you know, all these things are built around the security and the robustness of your system to protect that information.
Christian (22:39)
Absolutely. Absolutely. And Mike, I think this is a good place to pause. We've covered the system-level shifts, the ISO 9001 foundation, talked about leadership and culture, ethics and information security. And so in part two of this conversation, we get onto more of the shop floor level. We're gonna talk about product safety, counterfeit parts, which we teased a little bit earlier, and sub-tier suppliers, and how to make your data and measurements credible enough to survive a tougher audit. So if that is your world, purchasing, inspections, operations, make sure you catch the next episode, and we'll be right back.