What is the primary objective of **ISO 37301**?

**The primary objective of ISO 37301 is to specify requirements for establishing, implementing, maintaining, and continually improving an effective compliance management system (CMS).** Published on 13 April 2021 as the first certifiable edition replacing guidance-only ISO 19600, it provides a systematic, risk-based approach using the Plan-Do-Check-Act (PDCA) cycle and High-Level Structure (HLS) to identify compliance obligations, assess risks, embed integrity culture, and support certification.

Who is legally or professionally required to comply with **ISO 37301**?

**No organizations are legally required to comply with ISO 37301, as it is a voluntary international standard applicable to all sizes, types, and sectors.** Professionally, adoption is driven by stakeholders seeking third-party certification for demonstrable CMS effectiveness, including large enterprises like Kingspan (multiple sites certified) and those facing regulatory complexity, ESG demands, or supply chain expectations.

Does **ISO 37301** require an external audit or third-party certification?

**ISO 37301 enables but does not require external audit or third-party certification.** As a certifiable standard, organizations may pursue accreditation through bodies like ANAB-accredited certification bodies, involving initial conformity assessment and surveillance audits in a typical three-year cycle to provide external validation of CMS conformance.

How often should an assessment for **ISO 37301** be performed?

**Assessments for ISO 37301 should be performed continually through monitoring, measurement, internal audits at planned intervals, and management reviews.** Certification involves initial audits followed by surveillance audits, commonly on a three-year cycle, with performance evaluation ensuring ongoing effectiveness per the PDCA cycle and ISO 37302 guidance for maturity models.

What are the consequences of non-compliance with **ISO 37301**?

**Non-compliance with ISO 37301 results in loss of certification, if pursued, but no direct legal penalties as it is voluntary.** Internal consequences include heightened exposure to regulatory breaches, fines, litigation, reputational damage, and resource inefficiencies; certification withdrawal signals inadequate CMS to stakeholders, potentially impacting investor confidence and market access.

An **ISO 37301** be mapped to other international frameworks?

**Yes, ISO 37301 follows the High-Level Structure (HLS), enabling seamless mapping and integration with other ISO management system standards.** Its PDCA framework and clauses (context, leadership, planning, support, operation, performance evaluation, improvement) align with companion standards like ISO 37302 (effectiveness), ISO 37303 (competence), and ISO 37002 (whistleblowing) for modular compliance ecosystems.

What is the first step to begin implementing **ISO 37301**?

**The first step to implement ISO 37301 is to secure top management commitment and perform contextual analysis.** Determine internal/external issues, interested parties' expectations, and CMS scope; inventory compliance obligations into a centralized register, prioritizing material risks to establish a risk-based foundation per clauses 4 and 5.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of steel and aluminium structural components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment including certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**, **EN 1090-2** for steel structures technical requirements (welding, tolerances, inspection), and **EN 1090-3** for aluminium (heat treatment, joining). Risk scales via **Execution Classes (EXC1–EXC4)** based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium components and kits for permanent incorporation in EU construction works must comply with EN 1090 to affix CE marking.** This applies to fabricators, steelwork contractors, and suppliers targeting EEA markets; non-compliance blocks market access. Applies to products like beams, trusses, stairs, bridges; excludes non-structural items.

Oes **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the FPC system by a notified body via AVCP systems (e.g., 2+), including initial inspection, type testing/calculation (ITT/ITC), and ongoing surveillance audits.** Certification enables DoP issuance and CE marking; surveillance verifies continued performance constancy.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial FPC certification followed by notified body surveillance audits, typically annually for the first year then per EN 1090-1 Table B.3 based on EXC and performance.** Internal audits occur continuously within FPC; changes (e.g., processes, rWC) trigger re-assessments.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents CE marking, leading to market exclusion, product withdrawal, fines under CPR, certificate suspension/withdrawal, and liability for structural failures.** Notified bodies publicize suspensions; manufacturers face rework costs, reputational damage, and civil claims.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality, ISO 9001 for QMS, and Eurocodes for design, but has no formal mappings to unrelated frameworks.** FPC leverages these for efficiency; execution aligns with EN 1090-specific requirements.

What is the first step to begin implementing **EN 1090**?

**Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Class (EXC) for product families using CC/SC/PC matrix.** Default to **EXC2** if unspecified; appoint Responsible Welding Coordinator (rWC).

ISO 37301 vs EN 1090

Standards Comparison

ISO 37301

Voluntary

2021

International certifiable standard for compliance management systems

EN 1090

Mandatory

2009

EU standard for steel and aluminium structural execution.

Quick Verdict

ISO 37301 provides certifiable compliance management for all organizations globally, fostering risk-based governance. EN 1090 mandates CE marking for EU structural steel/aluminium via FPC. Companies adopt ISO 37301 for integrity culture; EN 1090 for legal market access.

Compliance Management

ISO 37301

ISO 37301:2021 Compliance management systems – Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Certifiable requirements replacing guidance-only ISO 19600
High-Level Structure aligns with other ISO standards
Leadership commitment builds compliance culture
Risk-based planning addresses obligations and risks
Robust whistleblowing protections prevent retaliation

Structural Metalwork

EN 1090

EN 1090: Execution of steel structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Factory Production Control (FPC) certification required
Risk-based Execution Classes (EXC1-4) scaling
CE marking for EU market access
Welding quality aligned with ISO 3834
Full material and process traceability

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37301 Details

What It Is

ISO 37301:2021 is a certifiable international standard specifying requirements with guidance for establishing, implementing, maintaining, and improving Compliance Management Systems (CMS). It applies universally across organizations, using a risk-based, PDCA (Plan-Do-Check-Act) approach aligned with the ISO High-Level Structure (HLS).

Key Components

Core pillars: context analysis, leadership, planning, support, operation, performance evaluation, improvement.
Emphasizes leadership commitment, risk assessment, whistleblowing channels, internal audits, and continual improvement.
Built on HLS for integration; companion standards like ISO 37302 for metrics.
Supports third-party certification via accredited bodies.

Why Organizations Use It

Drives regulatory compliance, reduces risks/fines, enhances stakeholder trust and reputation. Meets investor/ESG demands, provides certification for competitive edge. Mitigates reputational harm through proactive culture.

Implementation Overview

Phased: gap analysis, obligation register, training, audits. Scalable for SMEs/enterprises, all sectors/geographies. Requires accredited certification (3-year cycle); integrates with ISO 9001/27001.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) under the Construction Products Regulation (CPR). It governs execution and conformity assessment of structural steel and aluminium components for construction works. Primary purpose: ensure safe fabrication, assembly, and CE marking via risk-based Execution Classes (EXC1-4).

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification.
**EN 1090-2/-3Technical rules for steel/aluminium (welding, tolerances, corrosion protection).
Core pillars: FPC, welding per ISO 3834, material traceability, NDT inspection.
AVCP systems with Notified Body oversight; no fixed control count, scales by EXC.

Why Organizations Use It

Mandatory CE marking for EU market access.
Mitigates liability, reduces rework via disciplined processes.
Builds trust, enables high-risk projects (bridges, stadia).
Strategic: differentiates via certified quality, traceability.

Implementation Overview

Phased: gap analysis, FPC build, personnel training, NB certification, surveillance.
Targets fabricators in EU/EEA; all sizes, heavy on welding shops.
Involves audits, ITT/ITC; 6-12 months typical for EXC2.

Key Differences

Aspect	ISO 37301	EN 1090
Scope	Compliance management systems across all obligations	Execution of steel/aluminium structural components
Industry	All sectors, global applicability	Construction/metal fabrication, EU/EEA market
Nature	Voluntary certifiable management standard	Mandatory for CE marking under CPR
Testing	Internal audits, management reviews	FPC certification, NB surveillance audits
Penalties	Loss of certification, no legal fines	Market exclusion, fines, product recalls

Scope

ISO 37301

Compliance management systems across all obligations

EN 1090

Execution of steel/aluminium structural components

Industry

ISO 37301

All sectors, global applicability

EN 1090

Construction/metal fabrication, EU/EEA market

Nature

ISO 37301

Voluntary certifiable management standard

EN 1090

Mandatory for CE marking under CPR

Testing

ISO 37301

Internal audits, management reviews

EN 1090

FPC certification, NB surveillance audits

Penalties

ISO 37301

Loss of certification, no legal fines

EN 1090

Market exclusion, fines, product recalls

Frequently Asked Questions

Common questions about ISO 37301 and EN 1090

ISO 37301 FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

SOC 2 Audit Survival Guide: 10 Red Flags Auditors Flag and Model Answers for Walkthroughs

Master SOC 2 Type 2 audits with our guide: 10 red flags like incomplete logs/vendor gaps, model walkthrough answers, psychology tips. Pass first-time with <5% e

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

Translate CIS Controls v8.1 to cloud-native: Kubernetes patterns for IAM, logging, vuln mgmt, hardening on AWS, Azure, GCP + IaC. Practical playbook for teams.

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

UAE PDPL vs J-SOX

Compare UAE PDPL vs J-SOX: UAE's GDPR-like privacy law meets Japan's ICFR regime. Uncover key differences, compliance strategies & implementation for global firms. (152 characters)

PRINCE2 vs MLPS 2.0 (Multi-Level Protection Scheme)

Compare PRINCE2 vs MLPS 2.0: Project governance mastery meets China's cybersecurity graded protection. Gain compliance strategies, tailoring tips & implementation insights for success. Explore now!

ISO 27032 vs SOC 2

Discover ISO 27032 vs SOC 2: Global Internet cybersecurity guidelines vs AICPA TSC for SaaS trust. Compare scopes, audits, implementation & choose your compliance edge now.

ISO 37301

EN 1090

Quick Verdict

ISO 37301

Key Features

EN 1090

Key Features

Detailed Analysis

ISO 37301 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

ISO 37301 FAQ

What is the primary objective of ISO 37301?

Who is legally or professionally required to comply with ISO 37301?

Does ISO 37301 require an external audit or third-party certification?

How often should an assessment for ISO 37301 be performed?

What are the consequences of non-compliance with ISO 37301?

An ISO 37301 be mapped to other international frameworks?

What is the first step to begin implementing ISO 37301?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Oes EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

An EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

SOC 2 Audit Survival Guide: 10 Red Flags Auditors Flag and Model Answers for Walkthroughs

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

UAE PDPL vs J-SOX

PRINCE2 vs MLPS 2.0 (Multi-Level Protection Scheme)

ISO 27032 vs SOC 2