AS9100 has always emphasized the importance of building quality into every layer of aerospace manufacturing. With an upcoming revision, authors of the standard are expanding what “quality” means. The International Aerospace Quality Group (IAQG) is finalizing IA9100, the successor to AS9100 Rev D, with publication targeted for late 2026. For the first time, the aerospace quality management standard will expect your organization to include information security in the QMS. If your quality system and IT department have been operating independently, your organization will have to adapt.
Why Is Cybersecurity Showing Up in an Aerospace Quality Standard?
The short answer is that the two were never as separate as they seemed. Aerospace manufacturers handle sensitive design data, export documentation, and supplier records that move through connected digital systems every day. In the event of a breach that compromises data, an IT headache isn’t the only fallout. It creates a systematic traceability problem, product integrity problem, and certification problem.
Aerospace auditors with their ears on the pavement could have told you the industry has been trending in this direction for a while. Defense suppliers are already managing cybersecurity compliance requirements on parallel tracks. In essence, A9100 officially marks the point where that cybersecurity work formally intersects with your QMS.
Manufacturing environments are universally more connected than they were at the point of the Rev D publication in 2016. New, more connected equipment and systems bears the risk of more exposure. The standard’s catching up to that reality.
What Will IA9100 Information Security Requirements Actually Look Like?
While still not officially published, the direction from the IAQG has been consistent. Organizations should expect formal requirements built on the premise of protecting QMS-related information, both in digital and physical. The goal is data integrity across your entire quality environment, not just IT infrastructure.
In practice, that means having documented controls around who can access quality records, how your systems are protected, and what your organization does when something goes wrong. It’s a meaningful addition, but it’s not a wholesale reinvention of your QMS.
The areas most likely in scope:
- Protection of documented quality records and design data
- Access controls for systems that touch your QMS
- Data integrity requirements tied to traceability
- Response planning for disruptions that affect quality data
- Employee awareness that extends into data responsibility
Cross-Functional Alignment: Why Quality and IT Need to Plan Together
As mentioned before, much of the revision is predicated on the need for more secure and organizational tools. Previously, AS9100 compliance has lived exclusively in the quality department. IA9100’s information security expectations will require quality and IT to work from the same plan, probably for the first time.
Your quality manager needs visibility into which systems handle QMS data. Your IT team needs to understand which of those systems will be auditable. Getting those two groups aligned before the standard publishes is going to be a lot easier than trying to sort it out mid-transition.
Cybersecurity: One Piece of a Larger Overhaul
Cybersecurity represents one facet of a larger shift. IA9100 is also tightening product safety requirements, expanded definitions and expectations surrounding quality culture, new expectations focused on ethics, and tighter supplier controls. None of these changes exist in isolation. Organizations that treat them as separate entities will undoubtedly have a harder transition than those who address them together.
The timeline is worth keeping in mind. IA9100 is expected to publish in late 2026. The transition window will likely be two to three years, but industry experts have flagged that a shorter two-year window is possible. The practical runway is shorter than the calendar makes it look.
How to Start Preparing Your AS9100 QMS for the IA9100 Transition
The standard isn’t final, but there’s enough on the table to start moving. Begin by looking honestly at how your organization currently handles quality records and the systems they live in. That’s where the gaps are most likely to show up when IA9100 auditors come knocking.
Bring IT into that conversation early. The organizations that figure out cross-functional alignment now are going to have a much smoother certification path than those that treat this as a last-minute compliance task.
How APEX QA Helps
For organizations looking to get the wheel turning, APEX QA has two potential offerings that could help you move the needle. First, ISO/IEC 27001:2022 training represents the larger shift into cybersecurity. Internationally recognized, this standard is the most meaningful place to start for individuals looking to educate themselves on the future.
Aside from training, APEX QA is a proud vendor of Factory QA’s expansive QMS software. Getting your team on a unified software is the most full-proof way to synchronize your Quality and IT teams.
Frequently Asked Questions: AS9100, IA9100, and Cybersecurity Compliance
1. What is IA9100 and how is it different from AS9100?
IA9100 is the next revision of AS9100. The name change reflects the standard’s global alignment, and the requirements are being updated to address modern risks including information security.
2. Does AS9100 Rev D currently require cybersecurity compliance?
Not explicitly. Rev D covers risk management and documented information, but stops short of formal information security requirements. IA9100 is expected to close that gap.
3. Will I need a separate cybersecurity certification to comply?
A separate certification isn’t expected to be required. Organizations with existing information security frameworks will have an advantage, but IA9100’s requirements will be built into the QMS rather than bolted on from outside.
4. When does IA9100 publish and how long do I have to transition?
Publication is targeted for late 2026. The transition window is expected to be two to three years, with final rules confirmed by the IAQG closer to publication.
5. Do I need to rebuild my QMS to meet IA9100?
No. The structure of AS9100 carries over. Most organizations will need to extend and update what they already have rather than start from scratch.
