Yes. ISO 27001 can be integrated with an existing AS9100-based management system, and in aerospace and defense this is common. But it is not a simple overlay. The level of effort, risk, and benefit depends heavily on how your current AS9100 system is designed and implemented.

What “integration” typically means in this context

In practice, integration usually means:

  • Using a single, shared management system for quality and information security (common policies, governance, and document control).
  • Aligning risk, nonconformance, audit, and corrective action processes so they work for both standards.
  • Avoiding conflicting requirements across QMS, IT, and security procedures.
  • Consolidating evidence and records to support both AS9100 and ISO 27001 audits.

It does not mean ISO 27001 is automatically covered by AS9100, or that adding some cybersecurity wording to existing procedures is sufficient.

Where ISO 27001 and AS9100 align

ISO 27001 and AS9100 both follow the Annex SL high-level structure. That gives you natural integration points:

  • Context, leadership, planning: You can maintain a single set of top-level policies, objectives, and management review that considers both product quality and information security.
  • Risk and opportunity: You can extend your existing risk processes to cover information security risks, provided your methods are robust enough for cyber and data risks.
  • Support and operation: Training, competence, communication, and document control can usually be shared across both standards.
  • Performance evaluation and improvement: Internal audit, KPIs, nonconformity, and CAPA can be expanded to include information security.

Where you already have a reasonably mature, process-based AS9100 system, this alignment can significantly reduce duplication.

Key gaps you will need to address

Even with alignment, ISO 27001 introduces requirements that go beyond a typical AS9100 QMS:

  • Information security risk treatment: ISO 27001 requires defined risk assessment and treatment processes focused on information assets, threats, vulnerabilities, and control selection. Your AS9100 risk tools (e.g., FMEA, program risk registers) may not be sufficient without adaptation.
  • ISMS scope definition: You must clearly define the scope and boundaries of the Information Security Management System (ISMS), which may not match your existing QMS scope exactly (for example, including specific IT systems, networks, and data centers).
  • Annex A / control framework: Implementing and maintaining a control set (technical, physical, and organizational) and showing traceability from risks to controls and to evidence. This is usually the biggest lift.
  • IT and OT involvement: ISO 27001 requires active involvement from IT and, often, operational technology (OT) and engineering for production systems. This is a cultural and governance change if your AS9100 system is driven mainly by quality and operations.
  • Incident management for information security: You may need to expand beyond production nonconformance and safety events to include security incidents, data breaches, and near misses.

Integration options and tradeoffs

There are several ways to integrate, each with tradeoffs:

1. Single, fully integrated management system

Approach: Extend your existing QMS architecture (policies, procedures, templates, IT tools) to include ISO 27001.

  • Advantages: One set of processes, one document control system, easier cross-standard audits, less duplication long term.
  • Risks/constraints: Higher design complexity; more stakeholders (IT, security, engineering) embedded into quality-driven processes; harder to change without broad impact; more regression risk when you update anything.
  • Brownfield impact: You may need to retrofit legacy workflows and forms, and you can be constrained by old QMS tools or MES/PLM/ERP integrations that were never designed with security in mind.

2. Loosely coupled ISMS alongside the QMS

Approach: Maintain a distinct ISO 27001 ISMS, but align key elements (governance, risk, internal audit, CAPA) with AS9100 where practical.

  • Advantages: Lower disruption to existing AS9100 system; allows security and IT to move at a different pace; easier if you already have separate security tooling (GRC, ticketing, SIEM).
  • Risks/constraints: Risk of conflicting procedures; duplicate training and audits; more effort to keep policy and risk decisions consistent; more complex to demonstrate integrated governance to customers and auditors.
  • Brownfield impact: Often easier in highly constrained plants where changing validated QMS or MES tooling is difficult, but requires disciplined interfaces between QMS and ISMS processes.

3. Incremental, process-by-process integration

Approach: Start by integrating specific processes that naturally overlap (e.g., document control, internal audit, CAPA), then expand.

  • Advantages: Lower implementation risk; easier change control; early wins without a system-wide redesign.
  • Risks/constraints: Temporarily messy hybrid state; need clear mapping to show auditors how AS9100 and ISO 27001 requirements are met during the transition.
  • Brownfield impact: Usually the most realistic approach when you have long-qualified equipment and software that cannot be dramatically reconfigured.

Impact on existing tools and records

In regulated, long-lifecycle environments you rarely replace QMS, MES, ERP, or PLM outright just to support ISO 27001. Instead you:

  • Extend your document control system to manage security policies, standards, and procedures under the same change control discipline.
  • Reuse your CAPA / nonconformance system for security incidents and corrective actions, possibly with new categories and workflows.
  • Integrate with IT or security tools (e.g., ticketing, vulnerability scanners, SIEM) through interfaces or manual evidence capture, acknowledging integration limitations.
  • Align configuration management for critical systems so that changes affecting information security go through appropriate review and approval.

Full replacement of core systems just to “integrate” ISO 27001 usually fails in aerospace-grade environments because of validation and qualification costs, constrained downtime, and the need to preserve historical traceability.

Governance, ownership, and change control

Effective integration depends more on governance than on documentation templates:

  • Shared leadership: Clarify how quality, operations, IT, and information security share responsibilities for the integrated system. RACI conflicts are a common failure mode.
  • Common change control: Changes to IT/OT security controls can have quality, safety, and regulatory implications. Integrate change review so that security and quality impacts are assessed together.
  • Traceability: Maintain clear mappings from AS9100 clauses and ISO 27001 clauses to internal processes, owners, and records. This is essential for audits and for managing long-lived systems.

Typical pitfalls and failure modes

  • Superficial integration: Renaming existing QMS procedures with “information security” language but not addressing underlying asset inventories, access control, or technical safeguards.
  • Overloading quality: Expecting the quality team to own ISO 27001 without sufficient IT and security involvement.
  • Tool-centric projects: Buying a security or GRC tool and assuming that equates to an integrated system; auditors will still expect coherent processes and evidence across both standards.
  • Neglecting OT and production systems: Treating ISO 27001 as an IT-only exercise while leaving production networks, test stands, and legacy equipment outside of scope without a defensible rationale.

Practical starting steps

If you decide to integrate ISO 27001 with your AS9100 system, a low-risk sequence is:

  1. Define and approve ISMS scope relative to your existing AS9100 scope.
  2. Perform a gap assessment against ISO 27001 requirements and Annex A controls, mapped to your current QMS processes and records.
  3. Decide your integration pattern (single system, side-by-side with alignment, or incremental) based on process maturity and tooling constraints.
  4. Align top-level policies, management review, and risk governance first, then drill down into detailed procedures and technical controls.
  5. Plan changes with formal change control and validation/qualification considerations, especially where IT/OT changes can impact production or regulated data.

This approach respects existing AS9100 commitments while adding information security discipline in a controlled, auditable way.
