What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for permanent incorporation in construction works. As a harmonized standard under the Construction Products Regulation (CPR), EN 1090-1 enables CE marking via Factory Production Control (FPC) certification, while EN 1090-2 and EN 1090-3 specify technical requirements for steel and aluminium, including materials, welding, tolerances, and inspection scaled by Execution Classes (EXC1–EXC4).

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits placing products on the EEA market must comply with EN 1090 to affix CE marking. This includes fabricators, steelwork contractors, and suppliers of components like beams, trusses, and assemblies for buildings, bridges, and industrial structures, as mandated by CPR for market access.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates third-party certification of the Factory Production Control (FPC) system by a Notified Body. This involves initial inspection, technical documentation review (including ITT/ITC), certificate issuance, and ongoing surveillance audits to verify constancy of performance under AVCP systems.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial certification followed by continuous surveillance audits by the Notified Body, typically annually. Frequency aligns with Execution Class (EXC), prior audit results, and EN 1090-1 Table B.3, with internal audits ongoing to maintain FPC effectiveness and address changes or non-conformities.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product withdrawal, certificate suspension, and legal liability under CPR. Notified Bodies publicly report suspensions for major non-conformities, exposing firms to fines, recalls, contractual penalties, and civil claims from structural failures.

An EN 1090 be mapped to other international frameworks?

EN 1090 integrates with standards like ISO 3834 for welding quality and ISO 9001 for quality management, serving as a foundation for FPC. It aligns with Eurocodes for design but stands as the primary CPR harmonized route; mappings support but do not substitute EN 1090 certification for CE marking.

What is the first step to begin implementing EN 1090?

Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Classes (EXC1–EXC4) for product families. This identifies scope, risks, and priorities like welding coordination and traceability before Notified Body engagement.

What is the primary objective of CIS Controls?

The primary objective of CIS Controls is to provide a prioritized set of 18 cybersecurity best practices across 153 actionable Safeguards to reduce organizational attack surface and mitigate the most common cyber threats. CIS Controls v8.1, developed by the Center for Internet Security, focuses on pragmatic measures like asset inventory and vulnerability management, organized into Implementation Groups (IG1–IG3) for scalable adoption by organizations of all sizes.

Who is legally or professionally required to comply with CIS Controls?

No organization is universally legally required to comply with CIS Controls, as they represent voluntary, consensus-driven best practices rather than a mandated regulation. Professionally, CIS Controls apply to all industries and sizes—from SMBs targeting IG1's 56 essential Safeguards to enterprises pursuing IG3—particularly CISOs, IT managers, and compliance officers in sectors like finance, healthcare, and critical infrastructure seeking to demonstrate reasonable cybersecurity hygiene.

Does CIS Controls require an external audit or third-party certification?

CIS Controls does not require external audits or third-party certification, as it is a self-assessed framework without formal certification. Organizations use tools like CIS Controls Navigator for internal gap analysis and maturity assessment, with optional validation through penetration testing (Control 18) or mappings to certified frameworks, but assurance relies on internal metrics and KPIs such as asset inventory coverage.

How often should an assessment for CIS Controls be performed?

CIS Controls assessments should be performed continuously with formal reviews at least annually, using automated tools for ongoing monitoring. Implementation involves baseline gap analysis via CIS RAM, quarterly KPI checks (e.g., vulnerability remediation SLAs), and reassessment upon major changes like cloud migrations, aligning with phased roadmaps targeting IG1–IG3 progression.

What are the consequences of non-compliance with CIS Controls?

Non-compliance with CIS Controls exposes organizations to heightened breach risk, regulatory findings, and operational disruptions rather than direct legal penalties. Consequences include increased vulnerability to common attacks (e.g., ransomware via unpatched assets), litigation leverage in U.S. states citing "reasonable security" gaps, higher insurance premiums, and lost contracts, as poor hygiene enables 85% of exploits per CIS data.

An CIS Controls be mapped to other international frameworks?

Yes, CIS Controls v8.1 provides official mappings to over 25 frameworks including NIST CSF 2.0, PCI DSS, HIPAA, and ISO 27001. The CIS Controls Navigator automates crosswalks, enabling IG1–IG3 Safeguards to serve as an implementation layer—e.g., Controls 1–2 align with NIST Identify, Control 15 with PCI DSS 12.8—streamlining multi-framework compliance.

What is the first step to begin implementing CIS Controls?

The first step to implement CIS Controls is to secure executive sponsorship and conduct a baseline maturity assessment using CIS RAM or Controls Navigator to select the target Implementation Group. Phase 0 then defines scope, inventories critical assets (Controls 1–2), and prioritizes IG1's 56 Safeguards for quick wins like MFA and vulnerability scanning.

Standards Comparison

EN 1090 vs CIS Controls

EN 1090

Mandatory

2009

European standard for steel/aluminium structures execution and CE marking

CIS Controls

Voluntary

2021

Prioritized cybersecurity controls framework for cyber resilience.

Quick Verdict

EN 1090 mandates CE marking for EU structural steel/aluminium via FPC certification, ensuring market access. CIS Controls provide voluntary cybersecurity hygiene for all organizations, reducing breach risks through prioritized safeguards.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Mandates certified Factory Production Control for CE marking
Risk-based Execution Classes (EXC1-EXC4) scale requirements
Detailed technical execution rules for steel structures
Requires welding quality per ISO 3834 integration
Ensures full material traceability and NDT inspection

Cybersecurity

CIS Controls

CIS Critical Security Controls v8.1

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

18 prioritized controls with 153 actionable safeguards
Implementation Groups (IG1-IG3) for scalability
Offense-informed from real attack data
Mappings to NIST, ISO 27001, PCI DSS
Free tools like Benchmarks and Navigator

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). It enables CE marking via a risk-based framework scaling requirements by Execution Classes (EXC1-EXC4).

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion, inspection/NDT).
Core principles: Traceability, welding per ISO 3834, notified body certification, ongoing surveillance.

Why Organizations Use It

Mandatory for EU market access with load-bearing components.
Reduces liability, ensures quality, unlocks high-risk projects.
Builds trust via certified FPC and traceability; competitive edge in tenders.

Implementation Overview

Phased: Gap analysis, FPC build, personnel training (welding coordinator), ITT/ITC, notified body audits. Applies to fabricators; 6-12 months typical; requires certification and surveillance.

CIS Controls Details

What It Is

CIS Critical Security Controls v8.1 is a community-driven, prescriptive cybersecurity framework of prioritized best practices to reduce attack surfaces and enhance resilience. It applies to all industries and sizes via Implementation Groups (IG1–IG3), focusing on actionable Safeguards derived from real-world threats.

Key Components

18 Controls across asset management, access control, vulnerability management, monitoring, and incident response.
153 Safeguards grouped into IG1 (56 essentials), IG2, IG3 for scalability.
Built on offense-informed prioritization; maps to NIST, ISO 27001, PCI DSS.
No formal certification; self-assessed compliance with tools like Controls Navigator.

Why Organizations Use It

Mitigates 85% of common attacks, cuts breach costs, accelerates multi-framework compliance.
Builds trust with insurers, partners; enables Safe Harbor in some U.S. states.
Delivers ROI via efficiency, reduced MTTR, competitive differentiation.

Implementation Overview

Phased roadmap: governance, discovery, foundational (IG1 3–9 months), expansion (IG2/3 6–18 months), validation.
Applies universally; SMBs target IG1, enterprises IG3.
Involves automation, metrics, cross-functional teams; no mandatory audits.

Key Differences

Aspect	EN 1090	CIS Controls
Scope	Structural steel/aluminium fabrication & conformity	Cybersecurity best practices across IT environments
Industry	Construction, manufacturing (EU/EEA focus)	All industries worldwide, technology-agnostic
Nature	Harmonized EU standard, mandatory CE marking	Voluntary cybersecurity framework, best practices
Testing	FPC certification, notified body audits/surveillance	Self-assessment, implementation groups, no certification
Penalties	Market exclusion, legal liability without CE mark	No legal penalties, increased breach risk

Scope

EN 1090

Structural steel/aluminium fabrication & conformity

CIS Controls

Cybersecurity best practices across IT environments

Industry

EN 1090

Construction, manufacturing (EU/EEA focus)

CIS Controls

All industries worldwide, technology-agnostic

Nature

EN 1090

Harmonized EU standard, mandatory CE marking

CIS Controls

Voluntary cybersecurity framework, best practices

Testing

EN 1090

FPC certification, notified body audits/surveillance

CIS Controls

Self-assessment, implementation groups, no certification

Penalties

EN 1090

Market exclusion, legal liability without CE mark

CIS Controls

No legal penalties, increased breach risk

Frequently Asked Questions

Common questions about EN 1090 and CIS Controls

EN 1090 FAQ

CIS Controls FAQ

You Might also be Interested in These Articles...

Scaling Compliance: How Modern Tools Transform Lean Teams into Regulatory Powerhouses

Discover how compliance monitoring tools empower lean teams to automate real-time checks, ensure GDPR/HIPAA/SOC 2 compliance, and scale oversight efficiently. T

The Tool Landscape for Reaching and Maintaining ISO 27001 Compliance

Discover top ISO 27001 compliance tools, their pros/cons, implementation steps, costs, and benefits. Streamline your path to certification and ongoing complianc

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and CIS Controls compare against other standards

Other EN 1090 Comparisons

Other CIS Controls Comparisons

What It Is

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).

**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion, inspection/NDT).

Core principles: Traceability, welding per ISO 3834, notified body certification, ongoing surveillance.

What It Is

Key Components

18 Controls across asset management, access control, vulnerability management, monitoring, and incident response.

153 Safeguards grouped into IG1 (56 essentials), IG2, IG3 for scalability.

Built on offense-informed prioritization; maps to NIST, ISO 27001, PCI DSS.

No formal certification; self-assessed compliance with tools like Controls Navigator.

Aspect

EN 1090

CIS Controls

Scope

Structural steel/aluminium fabrication & conformity

Cybersecurity best practices across IT environments

Industry

Construction, manufacturing (EU/EEA focus)

All industries worldwide, technology-agnostic

Nature

Harmonized EU standard, mandatory CE marking

Voluntary cybersecurity framework, best practices

Testing

FPC certification, notified body audits/surveillance

Self-assessment, implementation groups, no certification

Penalties

Market exclusion, legal liability without CE mark

No legal penalties, increased breach risk