EN 1090 vs ISO 27018
EN 1090
European standard for execution of structural steel and aluminium
ISO 27018
International standard for PII protection in public clouds.
Quick Verdict
EN 1090 mandates CE marking for structural steel/aluminium in EU construction via FPC certification, while ISO 27018 extends ISO 27001 with voluntary PII privacy controls for cloud processors. Fabricators ensure market access; CSPs build trust and procurement ease.
EN 1090
EN 1090 Execution of steel and aluminium structures
Key Features
- Risk-based Execution Classes (EXC1-EXC4) scaling requirements
- Mandatory Factory Production Control (FPC) certification
- Enables CE marking for structural steel/aluminium components
- Welding quality management via ISO 3834 alignment
- Comprehensive material traceability and NDT inspection regimes
ISO 27018
ISO/IEC 27018:2025 PII protection in public clouds
Key Features
- Privacy controls for PII processors in public clouds
- Subprocessor transparency and disclosure requirements
- Breach notification obligations to customers
- Support for data subject rights handling
- Prohibits unauthorized PII use like marketing
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EN 1090 Details
What It Is
EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). Its primary purpose is ensuring safe fabrication, assembly, and market placement via CE marking. It employs a risk-based approach through Execution Classes (EXC1-EXC4).
Key Components
- **EN 1090-1**: Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
- **EN 1090-2/-3**: Technical rules for steel/aluminium (welding, tolerances, corrosion protection, NDT).
- Core principles: traceability, qualified welding (ISO 3834), inspection scaled by EXC.
- Certification model: Notified Body audits FPC with ongoing surveillance.
Why Organizations Use It
Mandated for EU/EEA market access; it reduces liability and ensures structural integrity. Benefits include risk mitigation, rework reduction, and competitive tendering. Certified quality builds stakeholder trust.
Implementation Overview
Implementation is phased: gap analysis, FPC development, personnel training, then Notified Body certification. It applies to fabricators anywhere in the world targeting the European market; 3-12 months is typical, followed by ongoing surveillance.
ISO 27018 Details
What It Is
ISO/IEC 27018 is a code of practice extending ISO 27001 and ISO 27002 for protecting personally identifiable information (PII) in public clouds where providers act as PII processors. Its primary scope targets cloud-specific privacy risks like multi-tenancy and cross-border data flows. It uses a risk-based, control-oriented approach with ~25-30 additional privacy controls.
Key Components
- Core pillars: transparency, consent, purpose limitation, data minimization, security safeguards, accountability.
- Builds on ISO 27001 Annex A (93 controls) with cloud PII-specific guidance.
- Principles from ISO 29100 and OECD guidelines.
- Assessed via ISO 27001 audits; no standalone certification.
Why Organizations Use It
- Demonstrates processor compliance (e.g., GDPR Article 28).
- Accelerates procurement, builds customer trust, aids cyber insurance.
- Manages risks in global cloud operations; competitive differentiation for CSPs.
Implementation Overview
- Gap analysis against existing ISMS, integrate controls into Statement of Applicability.
- Key activities: subprocessor disclosure, breach notification, staff training.
- Suits CSPs of all sizes; global applicability.
- Requires third-party audits tied to ISO 27001 certification (3-year cycle).
Key Differences
| Aspect | EN 1090 | ISO 27018 |
|---|---|---|
| Scope | Structural steel/aluminium execution and CE marking | PII protection in public cloud services |
| Industry | Construction, fabrication (EU/EEA focus) | Cloud services, IT (global applicability) |
| Nature | Harmonized standard, mandatory for CE marking | Voluntary code of practice, ISO 27001 extension |
| Testing | FPC certification, notified body audits/surveillance | ISO 27001 audits with privacy control assessment |
| Penalties | Market exclusion, legal liability without CE | Loss of certification, no direct legal penalties |