Here is a scenario that plays out more often than anyone in aerospace likes to admit.
A quality manager, diligent, experienced, across every clause of AS9100, spends months building a solid QMS. Document control: done. CAPA process: done. Audit schedule: done. The certification audit goes well. Everyone is pleased.
Then someone clicks a phishing email. Or a supplier portal gets compromised. Or an engineer shares a design file over a personal email account because the internal system was being slow that day.
And suddenly the quality system, the one that was audited, certified, and filed neatly in Confluence, is completely irrelevant to the problem at hand.
This is what IA9100 is responding to. And it is why cybersecurity is no longer something you hand off to IT and forget about.
The Standard Has Changed. Has Your Thinking?
The incoming IA9100 standard, expected for release in late 2026 as the replacement for AS9100, introduces a mandatory information security requirement for the first time. Specifically, a new clause is expected to require organisations to safeguard the confidentiality, integrity, and availability of QMS-related information, going well beyond the existing infrastructure requirements in AS9100 Rev D.
Translation: protecting your quality data is now a quality requirement. Not an IT requirement. Not a nice-to-have. A certification requirement.
The numbers explain why. Supply chain attacks in manufacturing surged 51% in 2024, with aerospace firms among the hardest hit. The aviation sector saw a 600% year-on-year increase in cyberattacks between 2024 and early 2025. And in a finding that should make every aerospace quality manager uncomfortable, espionage was the motive in 20% of manufacturing sector breaches in 2025, up from just 3% the previous year.
These are not abstract statistics. This is the threat environment your QMS now has to function inside.
So What Does Cybersecurity-Ready Actually Look Like?
It does not mean turning your quality team into IT security experts. It means designing your QMS so that security and quality are not two separate systems that occasionally nod at each other in the hallway.
Here is what that looks like in practice across the areas that matter most.
Access Control: Who Can See What
The most common gap in digital quality systems is not malicious. It is sloppy. Design data accessible to anyone in the company. Supplier documents sitting in a shared drive with no permissions structure. An NCR record that anyone can edit, with no audit trail.
A cybersecurity-ready QMS controls access by role, enforced by your identity management system. Not by asking people to please not touch files that are not theirs. When someone leaves the company, their access is revoked automatically. When a supplier needs document access, they get exactly the access they need and no more. Every action is logged.
This is not complicated. But it requires designing it deliberately rather than discovering the problem three years in.
Document Integrity: Can You Prove It Has Not Been Tampered With?
Your quality records are only useful to an auditor, or a court, or a regulator, if you can prove they are what they say they are. A document control system where anyone with access can edit a record and leave no trace is not a quality system. It is a spreadsheet with aspirations.
A cybersecurity-ready QMS maintains a tamper-evident audit trail. Every version, every change, every approval: logged, timestamped, attributable to a specific person. Not because your team would tamper with records (they would not), but because the system should make undetected tampering impossible, and demonstrably so.
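One way to make an audit trail tamper-evident is to chain each entry to the hash of the one before it. The sketch below is an added example, not code from any QMS product or from this article's author; the field names, record IDs and users are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value for the first entry in the chain

def _digest(prev_hash, body):
    # Canonical JSON so the same entry always produces the same hash.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_entry(log, actor, action, record_id, version, timestamp):
    """Append one attributable, timestamped event, chained to the previous entry."""
    body = {"actor": actor, "action": action, "record_id": record_id,
            "version": version, "timestamp": timestamp}
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = dict(body, prev_hash=prev_hash, hash=_digest(prev_hash, body))
    log.append(entry)
    return entry

def verify_chain(log, expected_head=None):
    """Return (ok, index): index is the first bad entry, or len(log) on head mismatch."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, body):
            return False, i
        prev_hash = entry["hash"]
    # A head hash kept outside the QMS catches truncation, or a rewrite in
    # which someone with write access recomputed every hash in the chain.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    # Constructed sample events for a single nonconformance record.
    log = []
    append_entry(log, "j.smith", "create", "NCR-0001", 1, "2025-01-10T09:00:00Z")
    append_entry(log, "j.smith", "edit", "NCR-0001", 2, "2025-01-10T11:30:00Z")
    append_entry(log, "m.chen", "approve", "NCR-0001", 2, "2025-01-11T08:15:00Z")
    return log
```

The chain alone only proves internal consistency; the evidence value comes from storing the head hash somewhere the QMS administrators cannot write to.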
Supplier Access: Your Weakest Link Is Probably External
Research into aviation sector breaches found that aviation-specific software and IT vendors scored the lowest on cybersecurity posture, posing the highest third-party risks to their customers. IA9100 is expected to place significantly more emphasis on supply chain cybersecurity, including requirements for how you manage and audit supplier access to your systems.
The practical question is: does your QMS know exactly who among your suppliers can access what, and does it enforce that automatically? Or does it rely on an email to the IT helpdesk that may or may not have been actioned when a supplier relationship ended?
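The checks described under access control and supplier access can be run as a periodic access review. The following is an added example, not part of the original article or any vendor's tooling; the role names, permission strings and accounts are constructed, and in practice the three inputs would be exports from the identity provider, the supplier register and the QMS permission scheme.

```python
# Constructed sample data standing in for real exports.
ROLE_ALLOWED = {
    "quality_engineer": {"ncr:read", "ncr:edit", "design:read"},
    "supplier_contact": {"supplier_docs:read"},
}
PRINCIPALS = {
    "a.jones":   {"role": "quality_engineer", "status": "active"},
    "b.patel":   {"role": "quality_engineer", "status": "left"},
    "acme-ext1": {"role": "supplier_contact", "status": "active"},
    "bolt-ext1": {"role": "supplier_contact", "status": "ended"},
}
GRANTS = [
    ("a.jones", "ncr:edit"),
    ("b.patel", "ncr:edit"),              # leaver still holding access
    ("acme-ext1", "supplier_docs:read"),
    ("acme-ext1", "design:read"),         # more than the supplier role needs
    ("bolt-ext1", "supplier_docs:read"),  # supplier relationship has ended
    ("ghost", "ncr:read"),                # account unknown to the identity system
]

def review_access(grants, principals, role_allowed):
    """Return a sorted list of (principal, permission, reason) findings."""
    findings = []
    for principal, permission in grants:
        info = principals.get(principal)
        if info is None:
            findings.append((principal, permission, "unknown principal"))
        elif info["status"] != "active":
            findings.append((principal, permission, "principal is " + info["status"]))
        elif permission not in role_allowed.get(info["role"], set()):
            findings.append((principal, permission, "exceeds role " + info["role"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(GRANTS, PRINCIPALS, ROLE_ALLOWED):
        print(finding)
```

An empty result is the target state; each finding is a grant that should have been removed automatically and was not.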
Incident Management: What Happens When It Goes Wrong
Cavendish Scott's analysis of IA9100 requirements notes that organisations will need incident response plans for data breaches and security events, managed as part of the QMS, not separately from it.
This means your NCR and CAPA processes need to be capable of handling a security incident as readily as a dimensional nonconformance. The investigation, the root cause, the corrective action, the evidence: all in the same system, with the same rigour.
The Platform Question
None of this is possible if your QMS lives in a folder structure on a shared drive, or in a legacy system with no integration capability, or (and this is more common than you might think) in a collection of spreadsheets held together by institutional memory and one person who knows where everything is.
A well-configured Atlassian environment, Jira and Confluence with proper permission architecture, integrated with your identity management, can meet all of these requirements. The access control, the audit trail, the incident management, the document integrity. It is not automatic. It requires deliberate design. But the capability is there.
What it requires is someone thinking about the whole system, not just the quality clauses.
The Fractional CIO Question
Here is the honest version of where this often breaks down.
Quality managers are not systems architects. They should not have to be. The decisions around identity management integration, permission scheme design, audit log configuration, and supplier access controls are not quality decisions. They are technology leadership decisions.
In most mid-market aerospace businesses, the person who should be making those decisions either does not exist, or is an IT manager who is already stretched across every system in the business, and whose focus is necessarily on keeping operations running day to day, not designing quality system architecture.
This is exactly the gap that a fractional CTO or CIO fills. Not permanently. Long enough to get the architecture right, make the platform decisions, and build a system that your quality team can actually run without calling IT every time something needs changing.
The Bottom Line
IA9100 is not asking your quality team to become cybersecurity experts. It is asking your organisation to treat the protection of quality data with the same seriousness as the quality data itself.
A cybersecurity-ready QMS is not dramatically different from a well-designed QMS. It just has access control that is enforced rather than aspirational, audit trails that are tamper-evident rather than theoretical, incident management that covers security events as well as quality events, and a platform that was chosen for what it can do, not because someone already had a licence.
The transition window for IA9100 will likely run to 2029. That sounds like plenty of time. It is not, if you are starting from a legacy platform or a system that was built for the audit rather than the operation.
The best time to get this right was when you built your QMS. The second best time is now.
Big Finish works with aerospace and manufacturing businesses to design and implement QMS and operational systems that are built for how the business actually works, not just how the auditor sees it. If you are thinking through your IA9100 readiness, book a discovery call. No pitch. Just a straight conversation.
Sources:
- IAQG, IA9100 Key Change Summary
- Compliant Ltd, ISO 9001:2026 and IA9100: Upcoming Quality Management Standards Revisions
- QT9 Software, IA9100 is Coming: Key Updates for Aerospace and Defense
- CyberStreams, Why Aerospace Manufacturers Must Secure Their Supply Chain Now
- SecurityScorecard, Cyber Risk Landscape of the Global Aviation Industry 2024
- Fortune Business Insights, Aerospace Cybersecurity Market 2025
- Cavendish Scott, IA9100 is Coming: Changes to the AS9100 Standard
- DeepStrike, Supply Chain Attack Statistics 2025
- Roland Berger, Aerospace Supply Chain Report 2025
- Boeing Supplier Portal, Cybersecurity Requirements for Suppliers