Upgrading from ISO 9001 to AS9100: Don't make these simple mistakes
- Danny Lee

- Apr 3
Updated: May 6

For many businesses, the move into the aerospace industry starts at a very specific point.
You already have ISO 9001 in place. Your systems are working. The business is running as it should.
Then a customer introduces a new requirement:
“We need you to be AS9100 certified.”
At that point, the conversation shifts.
It is no longer a question of whether your business is capable.
In most cases, that has already been proven. The question becomes how to take what you already have and bring it up to a level that the aerospace supply chain can rely on.
You’re Not Starting from Scratch
One of the most important things to understand is that AS9100 is not a complete reset.
If your ISO 9001 system is genuinely embedded, you have already built a significant part of what is required. Core elements such as process-based management, document control, internal audits, management review, and corrective action are all fundamental to AS9100.
That is by design. AS9100 is built on ISO 9001.
The challenge lies not in replacing what you have, but in strengthening it.
What Actually Changes
There is a tendency to describe AS9100 as “ISO 9001 plus a few additional requirements.”
Technically, that is true; practically, it is misleading.
The difference is not just in what is added, but in the level of control expected across day-to-day operations.
In an aerospace environment, it is no longer enough for processes to exist and be broadly followed.
They must be consistently applied, clearly understood, and capable of withstanding scrutiny from both auditors and customers further up the supply chain.
This becomes particularly visible in a number of key areas.
Traceability, for example, moves from a basic requirement to something far more rigorous. The expectation is that products can be tracked from raw material through to final delivery without ambiguity.
Product safety introduces a need to identify and control risks that could have downstream consequences, even where those risks may not be immediately obvious.
Risk management itself becomes more operational. Rather than existing as a high-level exercise, it is expected to influence how work is planned and carried out.
Supplier control also becomes more demanding, with stronger requirements around approval, monitoring, and the flow-down of requirements through the supply chain.
Alongside this, configuration management introduces a structured approach to controlling changes, ensuring that what is produced remains consistent with what was intended.
Taken together, these elements represent a shift from general quality management to controlled operational assurance.
Where Businesses Typically Struggle
The most common mistake is to treat AS9100 as something that can be added onto an existing ISO 9001 system.
In practice, this often results in a system that looks more complex, but functions less effectively.
Documentation becomes heavier, but not clearer. Processes are written in a way that does not reflect how the business actually operates. Employees are expected to follow procedures that feel disconnected from their day-to-day work.
These gaps tend to surface during audit, not because the business lacks capability, but because the system does not accurately represent what is happening in reality.
AS9100 is not something that can be layered on top of an existing system. It needs to be integrated into how the organisation actually functions.
What a Proper Upgrade Looks Like
When approached correctly, upgrading from ISO 9001 to AS9100 should feel like a refinement rather than a rebuild.
The focus should be on strengthening what already exists.
That means reviewing your current processes and identifying where additional control is genuinely required.
It means improving traceability, clarifying responsibilities, and ensuring that records provide meaningful evidence of what has taken place.
Most importantly, it means aligning the management system with the way the business actually operates.
This is where many upgrades either succeed or fail. If the system reflects reality, it becomes easier to implement, easier to maintain, and far more robust under audit.
If it does not, it creates friction at every stage.
The Typical Upgrade Process
Although every business is different, most ISO 9001 to AS9100 upgrades follow a similar structure.
The first step is a gap analysis, where the existing system is reviewed against AS9100 requirements to identify where it falls short. This provides a clear picture of what needs to change.
From there, the system is developed and refined. The emphasis here should be on operational control rather than documentation alone, ensuring that processes are both effective and practical.
Implementation follows, where those changes are embedded into day-to-day activities. This is often the most critical stage, as it determines whether the system will actually be used.
Once implemented, the system is tested through internal audits and management review. This allows any remaining gaps to be identified and addressed before certification.
Finally, the business progresses to the certification audit, which includes both Stage 1 and Stage 2 assessments.
How Long Does It Take?
For organisations that already have ISO 9001 in place, the timeframe is typically shorter than expected.
In many cases, a period of three to six months is sufficient to complete the upgrade, provided the existing system is well established and reflects how the business operates.
Where more significant restructuring is required, the process may take longer. The determining factor is not the size of the organisation, but the maturity and accuracy of its current system.
What Auditors Will Be Looking For
When it comes to certification, auditors are not interested in how well your ISO 9001 system performed in the past.
Their focus is entirely on whether the upgraded system meets the expectations of AS9100.
This means looking for clear evidence of traceability, effective control of processes, a practical understanding of product safety, and robust supplier management.
Above all, they will be assessing whether the system is being followed consistently across the organisation.
This is the point where the quality of the upgrade becomes visible.
A well-integrated system will demonstrate control naturally. A poorly integrated one will expose gaps.
Final Thought
Upgrading from ISO 9001 to AS9100 is not about starting again.
It is about taking an existing foundation and developing it into something that meets the expectations of a high-risk, high-trust industry.
When approached properly, the process strengthens the business. It improves visibility, consistency, and control across operations.
When approached poorly, it tends to introduce complexity without adding real value, which is exactly the situation most businesses want to avoid when facing an external audit.
If you need help with this, we’re more than happy to guide you through the process.



