top of page

ISO 9001 and AS9100: What They Actually Buy You

  • Writer: Adam Witthauer
    Adam Witthauer
  • 2 days ago
  • 5 min read

If you've spent any time around a machine shop or a manufacturing floor, you've probably heard someone grumble that a quality certification is just a binder full of paperwork nobody reads until an auditor shows up. That reputation isn't entirely undeserved.  A lot of companies implement these standards badly, treating them as a compliance tax rather than a management tool. But when they're implemented well, ISO 9001 and AS9100 aren't paperwork. They're closer to a set of blueprints for how a company runs itself, and create systems that minimize the chances of inadvertently shipping bad parts.



This is the first in a series where I'll break down what these standards actually require and how to implement them without drowning your team in bureaucracy. Before we get into the mechanics, it's worth answering the question a lot of shop owners ask first: why bother?


The Market Access Argument

Start with the most concrete benefit: certification is often the price of admission, not a bonus feature. Many OEMs and prime contractors in aerospace and defense simply won't source from a supplier that isn't AS9100 certified; it's written into their supplier requirements before a purchase order is ever discussed. Think of it like a commercial driver's license. You don't need one to drive a car, but you can't get behind the wheel of a freight truck without it, no matter how good a driver you are. The certification doesn't prove you're the best in your field, it proves you meet the baseline requirement to even compete for the work.


For ISO 9001, the effect is broader and slightly softer. It's less often a hard gate and more a strong signal in RFQs and vendor scorecards, particularly with larger customers who audit their supply base. Either way, the certifications open doors that would otherwise stay shut before a single part gets quoted.


A System, Not a Snapshot

The second advantage is less obvious but arguably more valuable: these standards force you to build a system instead of relying on a handful of people who happen to know how things are supposed to work.


Most small and mid-sized manufacturers run on institutional knowledge:  the shop foreman who's been there 20 years, the quality manager who keeps the "real" process in her head. That works fine until that person takes a vacation, retires, or leaves for a competitor. A properly implemented QMS is like a recipe book for an experienced chef's kitchen: it doesn't replace the chef's judgment, but it means the kitchen keeps producing consistent results even when the chef isn't standing over every dish. ISO 9001 and AS9100 require you to document your processes, define responsibilities, and build in checks that catch problems before they become customer complaints. The result is a business that's less dependent on any single person and more resilient when people move on.


Fewer Fires to Fight

Related to that is the risk-reduction argument. Both standards are built around identifying risk before it becomes a nonconformance, and nonconformances before they become scrap, rework, or worse, a defective part that ships. AS9100 goes further than ISO 9001 here, with explicit requirements around configuration management, first article inspection, and control of special processes, reflecting the higher stakes of aerospace hardware.


None of this eliminates problems. What it does is shift a company's posture from reactive to proactive:  catching issues at incoming inspection instead of at final inspection, or at final inspection instead of in the field. Every step upstream you catch a defect, the cheaper it is to fix. That's not a certification talking point; it's basic quality economics, and it compounds over time into fewer expedited shipments, fewer scrap tags, and fewer awkward phone calls to customers.


The Credibility Dividend

Finally, there's a benefit that's harder to quantify but shows up constantly in practice: credibility. A certificate on the wall, backed by a real system behind it, changes how customers, auditors, and even your own employees relate to your operation. Customers spend less time auditing you because a competent registrar already did. New employees inherit a defined way of doing things instead of having to absorb tribal knowledge by osmosis. And when something does go wrong, because something always eventually does, you have a documented, defensible process for how you responded, which matters enormously if a customer or regulator ever asks "how did this happen, and how do you know it won't happen again?"


What's Next

At a high level, that's the case for certification: it gets you into rooms you couldn't otherwise enter, it builds a business that doesn't live and die with individual employees, it catches problems earlier and cheaper, and it buys you credibility you'd otherwise have to earn one relationship at a time.

In the following posts I’ll cover the difference between compliance and certification, and when either of these options makes the most sense.  This will be followed by a quick tour of each of the major clauses, why they are important, and a quick look at what compliance looks like.  Stay tuned!

 

FAQ

Do I need AS9100, or is ISO 9001 enough? It depends entirely on who you sell to, as well as product complexity. If your customers are aerospace or defense primes, or you want to be eligible for that work, AS9100 is generally the expectation, as it includes all of ISO 9001's requirements plus aerospace-specific additions. While there is a good amount of aerospace and defense work for machine shops with ISO 9001, the bar is often raised to AS9100 for more complex components, particularly that contain features that can’t be directly verified.  If you serve general industrial or commercial customers, ISO 9001 is often sufficient and considerably less demanding to implement and maintain.


How long does certification typically take? For a company starting from scratch, a realistic timeline is somewhere in the range of 6 to 12 months to build the system, run it long enough to generate objective evidence, and pass a certification audit. Shops with some existing structure — documented procedures, a functioning inspection process — can sometimes move faster. Rushing the timeline to hit a customer deadline is one of the more common ways companies end up with a system that looks good on paper but doesn't actually work.


What does it cost? Costs vary widely based on company size, current state of documentation, and whether you bring in outside help. The major cost buckets are typically: internal labor to build and run the system, any consulting support, and registrar fees for the certification audit itself (plus annual surveillance audits after that). Smaller shops should expect this to be a meaningful investment of time as much as money — the registrar fee is often the smallest piece of the total cost.


Can a small shop realistically implement this without a full-time quality department? Yes, and it's one of the more common situations I work with. A right-sized QMS for a 15-person shop looks very different from one at a 500-person supplier — it should. The standards don't dictate headcount; they dictate that certain things happen and can be demonstrated. A lean system run by one person wearing multiple hats can pass an audit just as well as a large dedicated department, as long as it's built to fit the size of the operation instead of copied from a company ten times the size.


Does certification guarantee we won't ship a defective part? No, and any registrar or consultant who implies otherwise is overselling it. Certification demonstrates that you have a system designed to catch and prevent problems and that you're actively using it — it doesn't guarantee perfection. What it does is stack the odds heavily in your favor and give you a documented trail when something does slip through, which matters both for root-causing the issue and for maintaining customer trust.


Once we're certified, are we done? Certification is a starting line, not a finish line. Registrars conduct surveillance audits (typically annually) and a full recertification audit every three years, and the standards expect continual improvement in the meantime — not just maintaining the status quo. A QMS that's left untouched between audits tends to decay into exactly the box-checking exercise this post opened by warning against.


Comments


bottom of page