The new versions of both ISO 9001 and AS9100 (to be rebranded as “IA9100“) will require some means or another to address “ethics.” The current AS9100 standard references this in passing, but it appears they will be emphasizing this more.
Now, both standards are still in draft, but in this case, it doesn’t matter much. Neither standard will impose specific means of addressing ethics, so we can explore ways to meet the upcoming requirements without too much worry of deviating from whatever final language appears in the standards.
(Let’s also ignore the somewhat hilarious hypocrisy of ISO and IAQG imposing “ethics” on the world, as they commit widespread fraud and cripple international trade with their quite unethical practices. Just look away.)
Good news for Oxebridge clients: you’ve been given policies on ethics already, so you should be in good shape and not need to do anything, even when the new standards come out.
Ethics Policies
The first thing I recommend is to develop a policy-level document (not a procedure, although the distinction probably isn’t important) defining what “ethics” means for your organization. If you are a larger organization, or a smaller subsidiary of a larger parent company, you likely have ethical policies already, followed down by your legal division, HR, or some other management function. This is not that.
You should not rely solely on the existing ethical policies. They can help inform this new policy document, but it will be slightly different. In all cases, the new policy document must not contradict the overall company ethics policies, of course.
Instead, let’s focus this new document a bit more: this is about ethics related to the quality management system and related quality activities. It’s a smaller bit of the apple, so a little easier to craft.
In aerospace, we have good guidance. The Aerospace Industries of America (AIA) had published a fine — and compact! — set of ethical guidelines already. Their original links have long since disappeared, but I captured them and have them hosted right here. Feel free to grab that and use it as a basis. By the way, it works for non-aerospace companies, too, so don’t let the name dissuade you.
Then, you want to layer in specific ethical considerations applicable to your industry and company. Keep it light, don’t get too heady, and don’t create scenarios that might present legal problems for you. (If you have a legal department, you should absolutely have them review this before implementing it!) These additional requirements should include short, simple sentences directing staff to act ethically regarding the following activities:
- Not misrepresenting the company or its capabilities to third parties, such as customers
- Not falsifying data or information during the conduct of work
- Not to knowingly ship defective or potentially defective product
- Not to use counterfeit or suspect counterfeit materials in your product
- To participate openly and honestly in QMS audits and related oversight activities
- To agree to uphold and abide by any customer, statutory, and regulatory requirements
As you can see, the list isn’t very long. It doesn’t get into the full spectrum of ethical considerations, such as discrimination, drug policy, etc. Nice and light.
For my clients, I have compiled a really comprehensive template document that collates a lot of requirements from RTX (Raytheon/Pratt/Collins), Boeing and others. This one does include everything and the kitchen sink, from drug free workplace to human trafficking. I give this to them and tell them to delete any that clearly don’t apply or that would already be covered somewhere else, such as in a corporate ethics policy. You can grab that here. But, again, feel free to trim it.
Again, non-aerospace companies will find it equally useful. It is, however, specific to US-based companies and calls out some related regulations, so non-US companies will have to delete or replace those sections.
You may want to have the document signed by top management. I think it’s a good idea, but it’s not required.
Training
Once the policy document is done, you have to train your employees on it. This is not complicated, and can be done quickly:
- Be sure each employee is given a copy of the policy document
- Have them read it
- Answer questions they may have about it
That can be it. A better way, of course, is to have a more formal class session, with a quiz at the end… but you can decide how far to take it.
No matter what, though, keep a record of the training!
I typically don’t require my clients to do QMS refresher training, but in this case, it’s a good idea. I suggest performing annual QMS Ethics Refresher training to go over the policy. This is also useful if the policy has changed over time.
Auditing
Finally, you can ensure your ongoing compliance with the policy during normal internal QMS audits. The, where failings or gaps are found, you use your corrective action system to address them.
Keep in mind, though, that any such problems might not be solved merely by re-training. It could be that the policy was written in a manner that is too complicated to understand, the original training was poor, or the policy was never properly distributed in the first place. Don’t assume your folks are dumb and don’t understand it, or are corrupt and simply ignoring it.
Bonus Points: Whistleblowing
For extra credit, you could implement a corporate whistleblowing tool. These are typically third-party services your company signs up for, which then act as a neutral clearinghouse for employee-submitted reports of unethical activities. Examples are HR Acuity, Resolver, and SpeakUp. I am not endorsing any of them, and have not used them; they just popped up in related Google searches.
I have some doubts about these programs, because at the end of the day, they still answer to whoever pays them (the boss) and may not always be effective. But typically, they are pretty good about masking the employee reporting the issue, so they should be safe.
It’s another wayto show you are serious about ethics, but these tools might not be practical for smaller companies.
Conclusion
Do you need a procedure-level document on ethics, then? I doubt it. The policy level document alone should be sufficient. But do remember that during any ISO 9001 or IA9100 audits, you will be expected to prove that:
- You published the policy
- You implemented the policy
- People know it
- You’re sticking to whatever you wrote
So it is not a “shove it in a drawer” type of thing, nor should it be.
Once the final editions of ISO 9001:2026 and IA9100 2027 are released, you can then tweak them as needed; but (again) I don’t expect any specific language to be imposed on you by either of those standards.
Now, if only we could get ISO and IAQG to be ethical! Imagine that!
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
