FAQ

Can we certify ISO 27001 and AS9100 at the same time?

Yes, most organizations can pursue ISO 27001 and AS9100 certification in parallel, and many registrars are able to audit both. However, there is no guarantee that both certificates will be granted, or granted on the same date. Whether it is practical or advisable depends on your current system maturity, documentation, and audit capacity.

What “at the same time” really means

“At the same time” usually means one of the following:

  • A single integrated audit event where the registrar evaluates both your AS9100 QMS and ISO 27001 ISMS in the same visit.
  • Two audit streams scheduled back to back, potentially with the same registrar and some shared evidence.
  • A multi-stage plan where Stage 1/Stage 2 audits for both standards are aligned over a few months, with some combined activities.

In practice, timing is constrained by registrar availability, your readiness, and the need to close findings from one standard before the registrar will recommend certification.

Key dependencies and constraints

  • Registrar capability: Not all certification bodies are accredited to issue both AS9100 and ISO 27001. You may need a registrar that is accredited for both and willing to run an integrated program, or coordinate two registrars.
  • Scope definition: The scope of your QMS (AS9100) and ISMS (ISO 27001) may not be identical. AS9100 often covers design/production/maintenance processes; ISO 27001 may focus on information and OT/IT assets used in those processes. Misaligned scopes complicate a single combined audit.
  • System maturity: Running two first-time certifications in parallel is heavy. If your QMS is immature or your information security controls are still being implemented, a combined push usually increases audit findings rather than reducing effort.
  • Evidence and traceability: Both standards require demonstrable, traceable implementation over time (risk assessments, internal audits, management reviews, corrective actions). Trying to stand up both systems quickly just before an audit tends to surface gaps.
  • Regulated & aerospace context: Customers and primes may scrutinize AS9100 scope, exclusions, and how information security is handled. Trying to align both certifications without clear ownership and documentation can undermine customer confidence if findings are significant.

Where combining efforts makes sense

Even if the certifications are not literally granted on the same day, there are real synergies:

  • Integrated risk framework: AS9100 requires a risk-based approach for quality; ISO 27001 requires formal information security risk management. A single enterprise risk methodology can serve both, with different risk registers.
  • Shared governance processes: Management review, internal audit planning, corrective action, document control, and training can be shared across QMS and ISMS rather than duplicated.
  • Common controls for production IT/OT: Change control, access management, backup/restore, and incident response for MES, ERP, PLM, and OT assets can be governed by both standards with aligned procedures and records.
  • Efficiency in evidence management: A unified approach to records, log retention, and audit trails can support both standards, especially for digital work instructions, nonconformance workflows, and CAPA systems.

Typical tradeoffs and risks

  • Complexity vs. speed: Pursuing both certifications together can reduce calendar time but usually increases complexity and the risk of findings. A staged approach (e.g., stabilize AS9100 first, then extend to ISO 27001) is often easier to control.
  • Resource load: Engineering, operations, IT, and quality will all be drawn into both efforts. In high-mix, low-volume or heavily customized environments, this can conflict with program milestones and customer audits.
  • Brownfield realities: Legacy MES/ERP/PLM/QMS, old equipment, and partial segregation between OT and IT make it harder to show clean, ISO 27001-compliant information security while also meeting AS9100 traceability and change control expectations.
  • Change control burden: Both standards expect disciplined change management. Rapidly redesigning processes, tools, and organizational structures to “fit” both standards at once can overwhelm existing change control and validation practices.

How to decide if simultaneous certification is sensible

Before committing to a combined path, validate the following:

  • Your AS9100 QMS is either already certified or demonstrably close to readiness, with stable core processes and evidence over time.
  • Your information security baseline (policies, risk assessment, asset inventory, access control, incident management, business continuity) is designed and at least partially implemented, not just documented.
  • IT/OT, quality, and operations leadership agree on scope boundaries, ownership, and how shared systems (MES, ERP, PLM, QMS, data historians) will be governed under both standards.
  • You have enough internal audit capacity to run cross-functional audits that cover both QMS and ISMS requirements without slipping into a check-the-box exercise.
  • Selected registrars (or a single registrar) have confirmed that they can plan and deliver aligned audits within your operational and downtime constraints.

Practical approach in long-lifecycle, regulated environments

In aerospace, defense, and other long-lifecycle sectors, a staged but integrated strategy is often more robust than a fully simultaneous push:

  • Stabilize and, if needed, upgrade AS9100 practices around design control, special processes, configuration management, and production traceability.
  • Map information security requirements to existing QMS processes instead of replacing core systems; layer ISO 27001 controls onto current MES/ERP/PLM/QMS and OT infrastructure.
  • Treat ISO 27001 as an overlay on top of existing systems, with clear interface controls, rather than trying to swap out legacy platforms to “make certification easier.” Full replacement strategies often fail due to validation cost, downtime risk, and integration complexity.
  • Align management reviews, risk discussions, and audit programs so that both QMS and ISMS are reviewed together, even if formal certifications are obtained in sequence.

Bottom line

You can usually pursue ISO 27001 and AS9100 certification in parallel, and it can be efficient if your systems are mature, scopes are well defined, and your registrar supports an integrated plan. However, there is no guarantee of simultaneous certification, and forcing both at once in a complex, regulated, brownfield environment often increases risk. Many organizations in aerospace-grade contexts adopt a phased approach with integrated governance, rather than betting on truly concurrent certifications.

Get Started

Built for Speed, Trusted by Experts

Whether you're managing 1 site or 100, Connect 981 adapts to your environment and scales with your needs—without the complexity of traditional systems.