What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment via Factory Production Control, FPC), EN 1090-2 (steel execution requirements like welding, tolerances, traceability), and EN 1090-3 (aluminium execution). Risk-based Execution Classes (EXC1–EXC4) scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent construction works must comply with EN 1090 to affix CE marking. This includes fabricators supplying to EU/EEA markets, such as steelwork contractors for buildings, bridges, and stadia. FPC certification by a Notified Body is mandatory; non-compliance blocks market access under CPR.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates third-party certification of the FPC system by a Notified Body under AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and issuance of an FPC certificate enabling CE marking and Declaration of Performance (DoP). Ongoing surveillance audits ensure continued conformity.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial FPC certification followed by continuous surveillance audits by the Notified Body, typically annually. Frequency scales with Execution Class (EXC); higher EXC (e.g., EXC4) demands more intensive monitoring per EN 1090-1 Table B.3. Internal audits support ongoing FPC maintenance.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 prevents CE marking, resulting in market exclusion, product withdrawal, and CPR enforcement. Notified Bodies may suspend/revoke FPC certificates for major non-conformities, exposing manufacturers to fines, liability, recalls, and reputational damage.

An EN 1090 be mapped to other international frameworks?

EN 1090 integrates with standards like ISO 3834 for welding quality and Eurocodes for design. EN 1090-1 references ISO 3834 levels by EXC; FPC often builds on ISO 9001. No formal mappings exist, but alignment supports compliance efficiency.

What is the first step to begin implementing EN 1090?

Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Class (EXC) for product families. Classify by CC/SC/PC matrix, defaulting to EXC2 if unspecified, then engage a Notified Body for scope confirmation.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security. The 2022 edition (ISO 28000:2022) provides a risk-based framework using the PDCA cycle to identify threats, vulnerabilities, and interdependencies across supply chains, protecting people, assets, goods, infrastructure, and information. It emphasizes leadership commitment, risk assessment per ISO 31000 guidance, operational controls, performance evaluation via internal audits and management reviews, and continual improvement through corrective actions.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and not legally mandatory but becomes professionally required through contracts, tenders, or programs like customs facilitation. It applies scalably to all organization sizes—from micro-enterprises to multinationals—in sectors including logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers. C-suite executives (COO/CRO/CSO), supply chain directors, security managers, risk officers, and procurement teams are most affected when driven by commercial obligations, insurance demands, or supplier qualifications.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 supports but does not require external audits or third-party certification; conformity can be verified internally or externally. Certification follows ISO/IEC TS 17021-8 requirements for bodies providing audit and certification, typically via accredited Certification Bodies (e.g., ANAB). The process includes Stage 1 (readiness review) and Stage 2 (implementation audit), with 3-year validity and annual surveillance audits to demonstrate ongoing SMS effectiveness.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained and reviewed at planned intervals or when significant changes occur. Internal audits occur via a risk-based program at planned intervals, considering process importance and prior results. Management reviews happen at planned intervals, with continual improvement addressing nonconformities. Sample KPIs like incident rates per 1,000 shipments support ongoing monitoring.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 exposes organizations to operational disruptions, financial losses, and lost opportunities rather than direct legal penalties. Risks include theft, sabotage, fraud, supply outages, insurance premium increases, contract penalties, market exclusion from tenders, and reputational damage. Without certification, firms may lose trade facilitation benefits or supplier preferences in high-risk sectors.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the High Level Structure (HLS) for integration with other ISO management system standards. Its PDCA cycle and clauses (4–10) enable mapping to frameworks with similar structures, supporting combined audits, shared risk registers, and unified governance while focusing on supply chain-specific security risks.

What is the first step to begin implementing ISO 28000?

The first step is securing executive sponsorship, scoping the SMS, and conducting a gap analysis. Appoint a Senior Responsible Owner, map supply chains, review current controls against clauses, and produce a risk register and project charter to baseline maturity and prioritize actions.

Standards Comparison

EN 1090 vs ISO 28000

EN 1090

Mandatory

2009

European standard for structural steel/aluminium execution and CE marking

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

EN 1090 mandates CE marking for structural steel/aluminium via FPC and execution classes for EU construction market access. ISO 28000 provides voluntary security management for global supply chains. Fabricators choose EN 1090 for legal compliance; logistics firms adopt ISO 28000 for resilience.

Structural Metalwork

EN 1090

Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Mandatory Factory Production Control (FPC) certification
Enables CE marking for EU market access
Comprehensive welding quality via ISO 3834 alignment
Full material traceability and NDT inspection regimes

Supply Chain Security

ISO 28000

ISO 28000:2022 Security Management Systems Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle for continual improvement and resilience
Scalable to all organization sizes and industries
Integrates with ISO 9001, 22301, 27001 standards
Supplier and third-party security governance controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1/2/3) for execution of steel and aluminium structural components. It provides a risk-based framework under the Construction Products Regulation (CPR) enabling CE marking for load-bearing components in construction works. Primary scope covers fabrication, assembly, and conformity assessment.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
**EN 1090-2/3Technical rules for steel/aluminium (welding, tolerances, corrosion protection, NDT).
Execution Classes (EXC1-4) based on consequence, service, production categories.
Certification via Notified Body audits and ongoing surveillance.

Why Organizations Use It

Mandatory for EU market access and CE marking.
Reduces liability, ensures traceability, minimizes rework.
Builds trust with clients, enables high-risk projects.

Implementation Overview

Phased approach: gap analysis, FPC development, welding qualification, NB certification. Applies to fabricators globally targeting EEA; 3-12 months typical, high complexity for EXC3/4.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It uses a risk-based, PDCA (Plan-Do-Check-Act) approach to protect people, assets, goods, infrastructure, and information.

Key Components

Core clauses: context, leadership, planning, support, operation, performance evaluation, improvement.
Emphasizes risk assessment, security strategies, incident response, supplier controls.
Aligned with ISO High Level Structure for integration with ISO 9001, 22301, 27001.
Optional certification via accredited bodies per ISO/IEC TS 17021-8.

Why Organizations Use It

Reduces supply chain disruptions, theft, sabotage risks.
Meets contractual, regulatory drivers (e.g., C-TPAT equivalents).
Lowers insurance costs, enables trade facilitation.
Builds stakeholder trust, competitive edge in logistics, manufacturing.

Implementation Overview

Phased: scoping, gap analysis, risk treatment, deployment, audit, certification.
Scalable for SMEs to multinationals across industries.
Involves mapping, training, KPIs, continual improvement.

Key Differences

Aspect	EN 1090	ISO 28000
Scope	Execution and conformity of steel/aluminium structures	Supply chain security management system
Industry	Construction, steel/aluminium fabrication (EU/EEA)	Logistics, manufacturing, all supply chains (global)
Nature	Harmonized standard, mandatory CE marking (CPR)	Voluntary management system standard
Testing	FPC certification, ITT/ITC, notified body surveillance	Internal audits, management review, optional certification
Penalties	Market exclusion, legal liability without CE mark	No legal penalties, loss of certification/trust

Scope

EN 1090

Execution and conformity of steel/aluminium structures

ISO 28000

Supply chain security management system

Industry

EN 1090

Construction, steel/aluminium fabrication (EU/EEA)

ISO 28000

Logistics, manufacturing, all supply chains (global)

Nature

EN 1090

Harmonized standard, mandatory CE marking (CPR)

ISO 28000

Voluntary management system standard

Testing

EN 1090

FPC certification, ITT/ITC, notified body surveillance

ISO 28000

Internal audits, management review, optional certification

Penalties

EN 1090

Market exclusion, legal liability without CE mark

ISO 28000

No legal penalties, loss of certification/trust

Frequently Asked Questions

Common questions about EN 1090 and ISO 28000

EN 1090 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

Decode PDPC Thailand's 1,048 complaints & 610 breaches. Uncover consent/security violations, project 2025 enforcement. Risk heatmap, self-assessment & playbook

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

The Reasons Why NIS2 is Fundamental for Cyber Resilience in Europe

Uncover why NIS2 transcends compliance burdens, delivering real cyber resilience value through enforced measurements and activities. Explore insights via our pa

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and ISO 28000 compare against other standards

Other EN 1090 Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).

**EN 1090-2/3Technical rules for steel/aluminium (welding, tolerances, corrosion protection, NDT).

Execution Classes (EXC1-4) based on consequence, service, production categories.

Certification via Notified Body audits and ongoing surveillance.

What It Is

Key Components

Core clauses: context, leadership, planning, support, operation, performance evaluation, improvement.

Emphasizes risk assessment, security strategies, incident response, supplier controls.

Aligned with ISO High Level Structure for integration with ISO 9001, 22301, 27001.

Optional certification via accredited bodies per ISO/IEC TS 17021-8.

Aspect

EN 1090

ISO 28000

Scope

Execution and conformity of steel/aluminium structures

Supply chain security management system

Industry

Construction, steel/aluminium fabrication (EU/EEA)

Logistics, manufacturing, all supply chains (global)

Nature

Harmonized standard, mandatory CE marking (CPR)

Voluntary management system standard

Testing

FPC certification, ITT/ITC, notified body surveillance

Internal audits, management review, optional certification

Penalties

Market exclusion, legal liability without CE mark

No legal penalties, loss of certification/trust