What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment including certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**, **EN 1090-2** for steel technical requirements (welding, tolerances, inspection), and **EN 1090-3** for aluminium. Risk-based **Execution Classes (EXC1–EXC4)** scale requirements based on **Consequence Class (CC1–CC3)**, **Service Category (SC1–SC2)**, and **Production Category (PC1–PC2)**, enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in construction works must comply with EN 1090 to affix CE marking.** This applies to fabricators, steelwork contractors, and suppliers targeting EU/EEA markets, covering applications like buildings, bridges, and industrial structures. EXC assignment determines FPC rigor; non-structural or non-metallic elements are excluded.

Oes **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the FPC system by a notified body under AVCP systems 2+.** This includes initial factory inspection, technical documentation review (ITT/ITC), certificate issuance, and continuous surveillance audits. Responsible Welding Coordinators (rWC) and welding per **ISO 3834** must be evidenced; certification enables DoP and CE marking.

How often should an assessment for **EN 1090** be performed?

**FPC surveillance audits by notified bodies occur initially within one year of certification, then per EN 1090-1 Table B.3 based on EXC and performance.** Higher EXC (e.g., EXC4) demand more frequent/intense audits. Manufacturers must conduct internal audits continuously, with records for personnel qualifications, traceability, and non-conformities supporting ongoing constancy of performance.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents CE marking, blocking EEA market access and risking product withdrawal, fines, or liability under CPR.** Notified bodies may suspend/revoke FPC certificates for major non-conformities (e.g., poor traceability, unqualified welding), publicizing status. Structural failures expose manufacturers to civil claims, rework costs, and reputational damage.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality, but direct mappings to non-EU frameworks are limited by its CPR harmonization.** Execution classes align with Eurocodes for design; FPC leverages ISO 9001 structures. No formal equivalences exist, requiring case-by-case adaptation for global markets.

What is the first step to begin implementing **EN 1090**?

**Conduct a product scope assessment to confirm EN 1090 applicability and determine Execution Class via CC/SC/PC matrix.** Default to **EXC2** if unspecified; document rationale, then perform gap analysis of FPC against EN 1090-1, prioritizing welding coordination and traceability.

Who is legally or professionally required to comply with **ISO 27017**?

**No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice.** Professionally, **CSPs** and **CSCs** with significant cloud footprints adopt it to demonstrate due diligence, meet procurement demands, and enhance **ISMS** under ISO 27001, particularly amid 94% cloud adoption and 61% incident rates.

Does **ISO 27017** require an external audit or third-party certification?

**ISO 27017 does not support standalone third-party certification or external audit.** It is implemented within an **ISO 27001 ISMS**, with auditors assessing its 7 **CLD controls** and 37 extended controls during ISO 27001 Stage 1/2 audits; certificates may reference ISO 27017 as an extension.

How often should an assessment for **ISO 27017** be performed?

**ISO 27017 assessments occur during annual ISO 27001 surveillance audits and triennial re-certification.** Controls must align with ongoing **ISMS** risk reviews, with revisions anticipated in the 2025 second edition; continuous monitoring via CSPM tools supports audit readiness.

What are the consequences of non-compliance with **ISO 27017**?

**Non-compliance with ISO 27017 carries no direct legal penalties, as it is non-mandatory.** Indirect risks include failed procurement RFPs, regulatory scrutiny for cloud incidents (e.g., misconfigurations causing data breaches), elevated risk exposure from unaddressed multi-tenancy/segregation gaps, and competitive disadvantage for CSPs lacking verifiable cloud controls.

An **ISO 27017** be mapped to other international frameworks?

**Yes, ISO 27017 maps directly to ISO 27001/27002 controls and aligns with frameworks like NIST SP 800-53 and CSA STAR.** Its 7 **CLD controls** extend ISO 27002's 93 controls (2022 edition), enabling unified evidence for multi-framework compliance, with 70% of CSPs mapping to NIST for cross-regional use.

What is the first step to begin implementing **ISO 27017**?

**Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls.** Define ISMS scope including cloud services, document **shared responsibilities** (CLD.6.3.1), update the **Statement of Applicability** for 37 extended and 7 **CLD controls**, then map to existing processes.

EN 1090 vs ISO 27017

Q: What is the primary objective of **ISO 27017**?

**ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4).** Published in 2015, it addresses shared responsibilities between **cloud service providers (CSPs)** and **cloud service customers (CSCs)**, covering multi-tenancy segregation, virtual machine hardening, asset removal/return, administrative operations, customer monitoring, and network security alignment in IaaS, PaaS, and SaaS environments.

Standards Comparison

EN 1090

Mandatory

2009

European standards for steel and aluminium structures execution

ISO 27017

Voluntary

2015

International code of practice for cloud security controls

Quick Verdict

EN 1090 mandates CE marking and FPC for structural metal fabrication in EU construction, while ISO 27017 provides voluntary cloud security guidance extending ISO 27001. Fabricators adopt EN 1090 for market access; CSPs use ISO 27017 for trust and compliance.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Factory Production Control (FPC) with Notified Body certification
Enables mandatory CE marking for structural components
Integrates ISO 3834 for welding quality management
Full traceability of materials, processes, and inspections

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud controls

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Adds 7 cloud-specific controls for multi-tenancy risks
Provides guidance on 37 ISO 27002 controls for cloud
Addresses VM hardening and segregation in virtual environments
Enables customer monitoring of cloud service activities

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1/2/3) for execution and conformity assessment of structural steel and aluminium components. It implements the EU Construction Products Regulation (CPR), enabling CE marking. Primary scope covers fabrication, assembly, and placement on the EEA market. Key approach is risk-based via Execution Classes (EXC1-EXC4) linking consequence, service, and production categories to stringent requirements.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
**EN 1090-2/3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion, NDT).
Integrates ISO 3834 for welding; risk-scaled inspection/traceability.
**Certification modelNotified Body audits FPC, initial inspection, ongoing surveillance.

Why Organizations Use It

Mandatory for market access in EU/EEA; reduces liability, ensures safety. Drives traceability, quality consistency, rework reduction. Builds stakeholder trust via CE marking; enables high-risk projects (EXC3/4).

Implementation Overview

Phased: gap analysis, FPC build, welding quals, NB certification (3-12 months). Applies to fabricators globally targeting Europe; suits SMEs to enterprises with welding focus.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice extending ISO/IEC 27002 with cloud-specific guidance for information security controls. It targets cloud services across IaaS, PaaS, and SaaS in public, private, or hybrid models. Its risk-based approach adapts general controls to cloud risks like multi-tenancy and shared responsibilities between cloud service providers (CSPs) and customers (CSCs).

Key Components

Guidance on 37 ISO/IEC 27002 controls plus 7 new cloud-specific CLD controls (e.g., shared roles, VM segregation, asset removal).
Covers 14 domains mirroring ISO 27002 (e.g., access control, operations security).
Built on ISO 27001 ISMS; no standalone certification—integrated into ISO 27001 audits.

Why Organizations Use It

Meets procurement demands and regulatory alignment (e.g., GDPR support via ISO 27018 pairing).
Clarifies shared responsibility, reducing cloud incident risks (e.g., misconfigurations).
Builds trust, differentiates CSPs, and enables competitive SLAs.

Implementation Overview

Extend existing ISO 27001 ISMS via risk assessment, control mapping, and cloud configurations.
Key activities: shared responsibility matrices, VM hardening, logging enablement.
Suits CSPs, CSCs of all sizes globally; audited jointly with ISO 27001 (9-12 months typical).

Key Differences

Aspect	EN 1090	ISO 27017
Scope	Structural steel/aluminium fabrication and CE marking	Cloud-specific information security controls
Industry	Construction, fabrication (EU/EEA)	Cloud services, IT (global)
Nature	Harmonized standard under CPR, mandatory CE	Voluntary guidance extending ISO 27001/27002
Testing	FPC certification, notified body audits/surveillance	Integrated into ISO 27001 audits, no standalone cert
Penalties	Market exclusion, legal liability without CE	No legal penalties, loss of audit scope conformity

Scope

EN 1090

Structural steel/aluminium fabrication and CE marking

ISO 27017

Cloud-specific information security controls

Industry

EN 1090

Construction, fabrication (EU/EEA)

ISO 27017

Cloud services, IT (global)

Nature

EN 1090

Harmonized standard under CPR, mandatory CE

ISO 27017

Voluntary guidance extending ISO 27001/27002

Testing

EN 1090

FPC certification, notified body audits/surveillance

ISO 27017

Integrated into ISO 27001 audits, no standalone cert

Penalties

EN 1090

Market exclusion, legal liability without CE

ISO 27017

No legal penalties, loss of audit scope conformity

Frequently Asked Questions

Common questions about EN 1090 and ISO 27017

EN 1090 FAQ

ISO 27017 FAQ

You Might also be Interested in These Articles...

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

Discover 5 ways modern compliance software turns evolving regulations into strategic advantage. Automate monitoring, cut 3x non-compliance costs, stay audit-rea

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

Real-World ISO 27701 Success: Synthesized Case Studies, Metrics, and Lessons for Privacy Resilience

Real-world ISO 27701 success from Tribeca, Kocho: DSAR efficiency gains, risk score reductions, certification ROI. Synthesized metrics prove privacy resilience

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

NIST CSF vs OSHA

Compare NIST CSF vs OSHA: Uncover key differences in cybersecurity frameworks and workplace safety standards. Optimize risk management, ensure compliance—read now to protect your organization!

ISO 37301 vs NIST 800-53

Compare ISO 37301 vs NIST 800-53: Certifiable CMS meets federal security controls. Uncover key differences, alignments & integration for risk-based compliance. Optimize now!

CE Marking vs NERC CIP

Discover CE Marking vs NERC CIP: EU product safety certification meets US grid cybersecurity standards. Unlock key differences, compliance strategies & expert insights for global ops.

EN 1090

ISO 27017

Quick Verdict

EN 1090

Key Features

ISO 27017

Key Features

Detailed Analysis

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 27017 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Oes EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

An EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

ISO 27017 FAQ

What is the primary objective of ISO 27017?

Who is legally or professionally required to comply with ISO 27017?

Does ISO 27017 require an external audit or third-party certification?

How often should an assessment for ISO 27017 be performed?

What are the consequences of non-compliance with ISO 27017?

An ISO 27017 be mapped to other international frameworks?

What is the first step to begin implementing ISO 27017?

You Might also be Interested in These Articles...

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Real-World ISO 27701 Success: Synthesized Case Studies, Metrics, and Lessons for Privacy Resilience

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

NIST CSF vs OSHA

ISO 37301 vs NIST 800-53

CE Marking vs NERC CIP