What is the primary objective of **BREEAM**?

**BREEAM's primary objective is to provide a science-led sustainability assessment and third-party certification framework for the built environment.** Developed by BRE in 1990, it measures performance across categories like **Management**, **Health & Wellbeing**, **Energy**, **Transport**, **Water**, **Materials**, **Waste**, **Land Use & Ecology**, **Pollution**, and **Innovation**. Credits are weighted and aggregated into ratings from **Pass (≥30%)** to **Outstanding (≥85%)**, enabling comparable benchmarks for buildings, infrastructure, and communities worldwide.

Who is legally or professionally required to comply with **BREEAM**?

**No organizations are legally required to comply with BREEAM, as it is a voluntary certification scheme.** Professionally, it applies to developers, owners, and operators of new construction, refurbishments, in-use assets, communities, and infrastructure seeking verified sustainability credentials. Licensed **BREEAM Assessors** and **Advisory Professionals (APs)** are mandatory for certification, with BRE Global conducting quality audits under UKAS accreditation to ISO/IEC 17065.

Does **BREEAM** require an external audit or third-party certification?

**Yes, BREEAM requires third-party certification via licensed Assessors and BRE Global quality audits.** Assessors compile evidence against scheme manuals and submit for BRE review, including potential site visits. Certification is issued only after QA verification, ensuring impartiality and credibility across schemes like New Construction and In-Use.

How often should an assessment for **BREEAM** be performed?

**BREEAM New Construction assessments occur once per project at design and post-construction stages.** For **BREEAM In-Use**, certifications are valid for **3 years**, requiring reassessment for renewal to verify ongoing performance. Post-occupancy evaluation is recommended to address performance gaps, with Knowledge Base updates monitored continuously.

What are the consequences of non-compliance with **BREEAM**?

**Non-compliance with BREEAM results in denied credits, lower ratings, or failed certification, with no direct legal penalties as it is voluntary.** Indirect consequences include lost market premiums (e.g., up to 25% rental uplift), higher operational costs, planning delays where incentivized, and reduced ESG credibility for investors and tenants.

Can **BREEAM** be mapped to other international frameworks?

**BREEAM does not officially map to other frameworks within its standalone requirements.** However, Version 7 aligns with **EU Taxonomy** on whole-life carbon, net-zero strategies, biodiversity, and resilience, supporting ESG disclosures without formal equivalency mappings.

What is the first step to begin implementing **BREEAM**?

**The first step is to select the appropriate scheme (e.g., New Construction, In-Use) and appoint a licensed BREEAM Assessor early, ideally at project inception.** Conduct a pre-assessment using the technical manual to target ratings, define evidence plans, and integrate categories into design and procurement.

What is the primary objective of **ISO 27018**?

**ISO 27018 provides a code of practice for protecting **Personally Identifiable Information (PII)** in public clouds where the cloud service provider (CSP) acts as a PII processor.** It extends **ISO 27001** and **ISO 27002** with ~25–30 privacy-specific controls addressing multi-tenancy, subprocessor transparency, consent, purpose limitation, data minimization, breach notification, and restrictions on secondary PII use like advertising without consent. The 2025 edition aligns with **ISO 27002:2022**, emphasizing processor obligations across the PII lifecycle.

Who is legally or professionally required to comply with **ISO 27018**?

**ISO 27018 applies to public **CSPs** acting as **PII processors** for customers, including hyperscalers, regional providers, and sector-specific platforms.** It targets any organization processing customer PII in multi-tenant public clouds, regardless of size, but excludes controller-specific duties and private clouds. Controllers use it for vendor due diligence, especially under processor obligations like **GDPR Article 28**, though compliance is voluntary as a code of practice.

Does **ISO 27018** require an external audit or third-party certification?

**ISO 27018 does not support standalone certification; controls are assessed within **ISO 27001** audits by accredited bodies under **ISO/IEC 17021** and **ISO/IEC 27006*.** Auditors validate ~25–30 additional privacy controls via the **Statement of Applicability (SoA)** during Stage 1 (documentation) and Stage 2 (implementation) audits, with certificates referencing both standards.

How often should an assessment for **ISO 27018** be performed?

**ISO 27018 assessments occur annually via surveillance audits and every three years via full recertification within the **ISO 27001** cycle.** Ongoing internal reviews, risk assessments, and continual improvement plans ensure controls adapt to cloud changes, subprocessors, and incidents.

What are the consequences of non-compliance with **ISO 27018**?

**Non-compliance with ISO 27018 risks loss of market trust, procurement delays, cyber insurance issues, and failure to meet processor obligations under laws like **GDPR**, potentially leading to fines up to 4% of global turnover.** As a voluntary code, direct penalties stem from unmet contractual or regulatory expectations, not the standard itself.

Can **ISO 27018** be mapped to other international frameworks?

**Yes, ISO 27018 maps directly to **ISO 27001 Annex A** (93 controls), **ISO 27002:2022**, **ISO 27017** (cloud security), and **ISO 27701** (PIMS for controllers/processors).** It aligns with **GDPR Article 28**, **CCPA**, **HIPAA**, **ISO/IEC 29100**, and OECD guidelines on consent, transparency, and data subject rights.

What is the first step to begin implementing **ISO 27018**?

**Conduct a gap analysis against current **ISMS**, **ISO 27001/27002** controls, and ISO 27018 privacy requirements to identify deficiencies in PII handling.** This involves stakeholder interviews, SoA review, and a prioritized remediation roadmap.

BREEAM vs ISO 27018

Standards Comparison

BREEAM

Voluntary

1990

Sustainability certification framework for built environments

ISO 27018

Voluntary

2019

Code of practice for PII protection in public clouds

Quick Verdict

BREEAM assesses building sustainability for construction worldwide, while ISO 27018 protects PII in public clouds for service providers. Companies adopt BREEAM for ESG ratings and value uplift; ISO 27018 for privacy assurance and regulatory alignment in cloud contracts.

Building Sustainability

BREEAM

Building Research Establishment Environmental Assessment Method

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Third-party certification by BRE Global and assessors
Weighted credits across 10 sustainability categories
Schemes for new construction, in-use, infrastructure
Knowledge Base Compliance Notes for updates
Ratings from Pass to Outstanding for benchmarking

Cloud Privacy

ISO 27018

ISO/IEC 27018:2025 Code of practice for PII protection

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Extends ISO 27001 with cloud PII processor controls
Requires subprocessor transparency and location disclosure
Prohibits PII use for marketing without consent
Mandates breach notification to PII controllers
Supports data subject rights like erasure and portability

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

BREEAM Details

What It Is

BREEAM (Building Research Establishment Environmental Assessment Method) is a science-led certification framework for sustainability in the built environment, launched by BRE in 1990. It assesses new construction, refurbishments, in-use assets, infrastructure, and communities worldwide. Primary purpose: translate sustainability ambitions into measurable credits, weighted scores, and ratings. Key approach: category-based issues with evidence-driven compliance.

Key Components

**10 core categoriesManagement, Health & Wellbeing, Energy, Transport, Water, Materials, Waste, Land Use & Ecology, Pollution, Innovation.
Credits summed and weighted for overall score; ratings: Pass (≥30%) to Outstanding (≥85%).
Built on technical manuals, KBCNs for clarifications.
**Certification modelLicensed assessors submit evidence; BRE Global audits and certifies.

Why Organizations Use It

Value uplift (8-12%), energy savings (22-33%), ESG readiness.
Aligns with EU Taxonomy, net-zero; supports planning incentives.
Reduces risks, boosts tenant appeal, enables benchmarking.
Builds investor trust via third-party verification.

Implementation Overview

Phased: early assessor appointment, design integration, evidence collection, post-construction submission.
Key activities: credit targeting, IAQ plans, energy modelling, POE.
Suits all sizes/industries globally; voluntary, assessor-led process.

ISO 27018 Details

What It Is

ISO/IEC 27018:2025 is a code of practice extending ISO 27001 and ISO 27002 for protecting personally identifiable information (PII) in public clouds where providers act as PII processors. Its primary scope targets cloud-specific privacy risks like multi-tenancy and cross-border flows, using a risk-based, control-oriented approach with ~25-30 additional privacy controls.

Key Components

Core pillars: transparency, accountability, consent, purpose limitation, data minimization, security safeguards.
Builds on ISO 27001 Annex A (93 controls) with cloud PII-specific guidance.
Principles from ISO 29100 and OECD guidelines.
Compliance via ISO 27001 audits; no standalone certification.

Why Organizations Use It

Builds customer trust and accelerates procurement.
Aligns with GDPR Article 28, HIPAA; aids regulatory compliance.
Mitigates privacy risks, supports cyber insurance.
Differentiates CSPs in competitive markets.

Implementation Overview

Gap analysis against existing ISMS, integrate controls into Statement of Applicability.
Key activities: subprocessor disclosure, breach notification setup, staff training.
Suits CSPs of all sizes; global applicability.
Requires accredited third-party audits within ISO 27001 cycle.

Key Differences

Aspect	BREEAM	ISO 27018
Scope	Sustainability in built environment (buildings, infrastructure)	PII protection in public cloud services (privacy controls)
Industry	Construction, real estate, infrastructure worldwide	Cloud service providers, IT globally (processor focus)
Nature	Voluntary sustainability certification framework	Voluntary code of practice extending ISO 27001
Testing	Licensed assessor audits, BRE quality assurance	ISO 27001 audits with privacy control extensions
Penalties	Loss of certification, no legal penalties	Loss of certification, no direct legal penalties

Scope

BREEAM

Sustainability in built environment (buildings, infrastructure)

ISO 27018

PII protection in public cloud services (privacy controls)

Industry

BREEAM

Construction, real estate, infrastructure worldwide

ISO 27018

Cloud service providers, IT globally (processor focus)

Nature

BREEAM

Voluntary sustainability certification framework

ISO 27018

Voluntary code of practice extending ISO 27001

Testing

BREEAM

Licensed assessor audits, BRE quality assurance

ISO 27018

ISO 27001 audits with privacy control extensions

Penalties

BREEAM

Loss of certification, no legal penalties

ISO 27018

Loss of certification, no direct legal penalties

Frequently Asked Questions

Common questions about BREEAM and ISO 27018

BREEAM FAQ

ISO 27018 FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

Demystify NIST CSF 2.0 jargon with plain English tables for Govern, Supply Chain & Core Functions. Actionable steps for risk oversight & vendor management. Empo

NIST CSF 2.0: Key Enhancements and How They Address Evolving Cyber Threats

Explore NIST CSF 2.0 updates: Govern function, supply chain security, SME playbooks for ransomware & AI threats. Boost your cyber defenses now!

Using CIS Controls v8.1 as a ‘Compliance On-Ramp’: Map One Security Program to NIST CSF, ISO 27001, PCI DSS, and NIS2

Use CIS Controls v8.1 as your compliance on-ramp. Map one security program to NIST CSF, ISO 27001, PCI DSS, and NIS2 without duplicating work via practical mapp

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

AEO vs NERC CIP

Compare AEO vs NERC CIP: Key differences in customs security (AEO) & grid cybersecurity standards. Boost compliance, cut risks, streamline ops—expert insights now.

FERPA vs IFS Food

Compare FERPA vs IFS Food: Decode U.S. student privacy law & global food safety standards. Key diffs, compliance strategies, implementation tips for leaders. Dive in!

ITIL vs CE Marking

ITIL vs CE Marking: Compare ITIL's ITSM best practices (SVS, 34 practices) with EU's CE product compliance for safety. Align IT ops & regs for efficiency. Discover now!

BREEAM

ISO 27018

Quick Verdict

BREEAM

Key Features

ISO 27018

Key Features

Detailed Analysis

BREEAM Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 27018 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

BREEAM FAQ

What is the primary objective of BREEAM?

Who is legally or professionally required to comply with BREEAM?

Does BREEAM require an external audit or third-party certification?

How often should an assessment for BREEAM be performed?

What are the consequences of non-compliance with BREEAM?

Can BREEAM be mapped to other international frameworks?

What is the first step to begin implementing BREEAM?

ISO 27018 FAQ

What is the primary objective of ISO 27018?

Who is legally or professionally required to comply with ISO 27018?

Does ISO 27018 require an external audit or third-party certification?

How often should an assessment for ISO 27018 be performed?

What are the consequences of non-compliance with ISO 27018?

Can ISO 27018 be mapped to other international frameworks?

What is the first step to begin implementing ISO 27018?

You Might also be Interested in These Articles...

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

NIST CSF 2.0: Key Enhancements and How They Address Evolving Cyber Threats

Using CIS Controls v8.1 as a ‘Compliance On-Ramp’: Map One Security Program to NIST CSF, ISO 27001, PCI DSS, and NIS2

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

AEO vs NERC CIP

FERPA vs IFS Food

ITIL vs CE Marking