EN 1090 vs ISO 27017
EN 1090
European standards for steel and aluminium structures execution
ISO 27017
International code of practice for cloud security controls
Quick Verdict
EN 1090 mandates CE marking and FPC for structural metal fabrication in EU construction, while ISO 27017 provides voluntary cloud security guidance extending ISO 27001. Fabricators adopt EN 1090 for market access; CSPs use ISO 27017 for trust and compliance.
EN 1090
EN 1090 Execution of steel and aluminium structures
Key Features
- Risk-based Execution Classes (EXC1-EXC4) scaling requirements
- Factory Production Control (FPC) with Notified Body certification
- Enables mandatory CE marking for structural components
- Integrates ISO 3834 for welding quality management
- Full traceability of materials, processes, and inspections
ISO 27017
ISO/IEC 27017:2015 Code of practice for cloud controls
Key Features
- Clarifies shared responsibilities between CSPs and CSCs
- Adds 7 cloud-specific controls for multi-tenancy risks
- Provides guidance on 37 ISO 27002 controls for cloud
- Addresses VM hardening and segregation in virtual environments
- Enables customer monitoring of cloud service activities
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EN 1090 Details
What It Is
EN 1090 is a harmonized European standard family (EN 1090-1/2/3) for execution and conformity assessment of structural steel and aluminium components. It implements the EU Construction Products Regulation (CPR), enabling CE marking. Primary scope covers fabrication, assembly, and placement on the EEA market. Key approach is risk-based via Execution Classes (EXC1-EXC4) linking consequence, service, and production categories to stringent requirements.
Key Components
- **EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
- **EN 1090-2/3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion, NDT).
- Integrates ISO 3834 for welding; risk-scaled inspection/traceability.
- **Certification modelNotified Body audits FPC, initial inspection, ongoing surveillance.
Why Organizations Use It
Mandatory for market access in EU/EEA; reduces liability, ensures safety. Drives traceability, quality consistency, rework reduction. Builds stakeholder trust via CE marking; enables high-risk projects (EXC3/4).
Implementation Overview
Phased: gap analysis, FPC build, welding quals, NB certification (3-12 months). Applies to fabricators globally targeting Europe; suits SMEs to enterprises with welding focus.
ISO 27017 Details
What It Is
ISO/IEC 27017:2015 is a code of practice extending ISO/IEC 27002 with cloud-specific guidance for information security controls. It targets cloud services across IaaS, PaaS, and SaaS in public, private, or hybrid models. Its risk-based approach adapts general controls to cloud risks like multi-tenancy and shared responsibilities between cloud service providers (CSPs) and customers (CSCs).
Key Components
- Guidance on 37 ISO/IEC 27002 controls plus 7 new cloud-specific CLD controls (e.g., shared roles, VM segregation, asset removal).
- Covers 14 domains mirroring ISO 27002 (e.g., access control, operations security).
- Built on ISO 27001 ISMS; no standalone certification—integrated into ISO 27001 audits.
Why Organizations Use It
- Meets procurement demands and regulatory alignment (e.g., GDPR support via ISO 27018 pairing).
- Clarifies shared responsibility, reducing cloud incident risks (e.g., misconfigurations).
- Builds trust, differentiates CSPs, and enables competitive SLAs.
Implementation Overview
- Extend existing ISO 27001 ISMS via risk assessment, control mapping, and cloud configurations.
- Key activities: shared responsibility matrices, VM hardening, logging enablement.
- Suits CSPs, CSCs of all sizes globally; audited jointly with ISO 27001 (9-12 months typical).
Key Differences
| Aspect | EN 1090 | ISO 27017 |
|---|---|---|
| Scope | Structural steel/aluminium fabrication and CE marking | Cloud-specific information security controls |
| Industry | Construction, fabrication (EU/EEA) | Cloud services, IT (global) |
| Nature | Harmonized standard under CPR, mandatory CE | Voluntary guidance extending ISO 27001/27002 |
| Testing | FPC certification, notified body audits/surveillance | Integrated into ISO 27001 audits, no standalone cert |
| Penalties | Market exclusion, legal liability without CE | No legal penalties, loss of audit scope conformity |
Scope
Industry
Nature
Testing
Penalties
Frequently Asked Questions
Common questions about EN 1090 and ISO 27017
EN 1090 FAQ
ISO 27017 FAQ
You Might also be Interested in These Articles...
The Reasons Why NIS2 is Fundamental for Cyber Resilience in Europe
Uncover why NIS2 transcends compliance burdens, delivering real cyber resilience value through enforced measurements and activities. Explore insights via our pa
Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows
Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for
You Guide on how to Start Implementing NIS2 in Your Organization
Master NIS2 implementation with our detailed guide. Learn requirements, risk assessment, supply chain security, and compliance steps for your organization. Star
Run Maturity Assessments with GRADUM
Transform your compliance journey with our AI-powered assessment platform
Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.
Explore More Comparisons
See how EN 1090 and ISO 27017 compare against other standards