Standards Comparison

    EN 1090

    Mandatory
    2009

    European standard for execution of structural steel and aluminium.

    VS

    ISO 27018

    Voluntary
    2019

    International standard for PII protection in public clouds.

    Quick Verdict

    EN 1090 mandates CE marking for structural steel/aluminium in EU construction via FPC certification, while ISO 27018 extends ISO 27001 with voluntary PII privacy controls for cloud processors. Fabricators ensure market access; CSPs build trust and procurement ease.

    Structural Metalwork

    EN 1090

    EN 1090 Execution of steel and aluminium structures

    Cost
    €€€€
    Complexity
    High
    Implementation Time
    6-12 months

    Key Features

    • Risk-based Execution Classes (EXC1-EXC4) scaling requirements
    • Mandatory Factory Production Control (FPC) certification
    • Enables CE marking for structural steel/aluminium components
    • Welding quality management via ISO 3834 alignment
    • Comprehensive material traceability and NDT inspection regimes

    Cloud Privacy

    ISO 27018

    ISO/IEC 27018:2025 PII protection in public clouds

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    6-12 months

    Key Features

    • Privacy controls for PII processors in public clouds
    • Subprocessor transparency and disclosure requirements
    • Breach notification obligations to customers
    • Support for data subject rights handling
    • Prohibits unauthorized PII use like marketing

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    EN 1090 Details

    What It Is

    EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). Its primary purpose is ensuring safe fabrication, assembly, and market placement via CE marking. It employs a risk-based approach through Execution Classes (EXC1-EXC4).

    Key Components

    • EN 1090-1: Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
    • EN 1090-2/-3: Technical rules for steel/aluminium (welding, tolerances, corrosion protection, NDT).
    • Core principles: traceability, qualified welding (ISO 3834), inspection scaled by EXC.
    • Certification model: Notified Body audits FPC with ongoing surveillance.

    Why Organizations Use It

    Mandated for EU/EEA market access; reduces liability, ensures structural integrity. Benefits include risk mitigation, rework reduction, and competitive tendering. Builds stakeholder trust via certified quality.

    Implementation Overview

    Phased: gap analysis, FPC development, personnel training, NB certification. Applies to fabricators globally targeting Europe; 3-12 months typical, with surveillance.

    ISO 27018 Details

    What It Is

    ISO/IEC 27018 is a code of practice extending ISO 27001 and ISO 27002 for protecting personally identifiable information (PII) in public clouds where providers act as PII processors. Its primary scope targets cloud-specific privacy risks like multi-tenancy and cross-border data flows. It uses a risk-based, control-oriented approach with ~25-30 additional privacy controls.

    Key Components

    • Core pillars: transparency, consent, purpose limitation, data minimization, security safeguards, accountability.
    • Builds on ISO 27001 Annex A (93 controls) with cloud PII-specific guidance.
    • Principles from ISO 29100 and OECD guidelines.
    • Assessed via ISO 27001 audits; no standalone certification.

    Why Organizations Use It

    • Demonstrates processor compliance (e.g., GDPR Article 28).
    • Accelerates procurement, builds customer trust, aids cyber insurance.
    • Manages risks in global cloud operations; competitive differentiation for CSPs.

    Implementation Overview

    • Gap analysis against existing ISMS, integrate controls into Statement of Applicability.
    • Key activities: subprocessor disclosure, breach notification, staff training.
    • Suits CSPs of all sizes; global applicability.
    • Requires third-party audits tied to ISO 27001 certification (3-year cycle).

    Key Differences

    Scope

    EN 1090
    Structural steel/aluminium execution and CE marking
    ISO 27018
    PII protection in public cloud services

    Industry

    EN 1090
    Construction, fabrication (EU/EEA focus)
    ISO 27018
    Cloud services, IT (global applicability)

    Nature

    EN 1090
    Harmonized standard, mandatory for CE marking
    ISO 27018
    Voluntary code of practice, ISO 27001 extension

    Testing

    EN 1090
    FPC certification, notified body audits/surveillance
    ISO 27018
    ISO 27001 audits with privacy control assessment

    Penalties

    EN 1090
    Market exclusion, legal liability without CE
    ISO 27018
    Loss of certification, no direct legal penalties
