What is the primary objective of **WELL**?

**The primary objective of WELL is to design, operate, and measure buildings and spaces to advance human health and well-being through evidence-based performance outcomes.** Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across **10 concepts**—**Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community**—plus **Innovation**. It mandates **24 Preconditions** (pass/fail minimums) and offers **102 Optimizations** (point-earning strategies), verified via on-site testing of air quality (e.g., **CO₂ ≤900 ppm**), water, lighting, acoustics, and thermal conditions.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification to demonstrate occupant health performance.** Applicable to owners, developers, and operators of new/existing buildings via pathways like **WELL Certification** (owner-controlled), **WELL Core** (≥75% leased), and **WELL for Residential**. Corporate real estate, facilities, HR, and ESG leaders in offices, hospitality, education, and healthcare adopt it for talent retention, ESG reporting, and market differentiation across billions of certified square feet globally.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL requires third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents.** Projects undergo preliminary/final reviews (20-25 business days for full certification) plus PV testing for air (e.g., **PM2.5, CO₂**), water, light, sound, and thermal comfort at ≥50% occupancy. Certification levels—**Bronze (40 points), Silver (50, min 1/concept), Gold (60, min 2/concept), Platinum (80, min 3/concept)**—are awarded post-verification.

How often should an assessment for **WELL** be performed?

**WELL certification requires recertification every three years, with annual reporting for select features like air quality monitoring.** Ongoing assessments via continuous monitoring (e.g., **CO₂ recalibration annually**, data updated every 15 minutes) support compliance. Performance verification occurs once pre-certification, with recertification including updated documentation, testing, and fees tied to project scope.

What are the consequences of non-compliance with **WELL**?

**Non-compliance results in certification denial, additional curative review fees, and delayed timelines.** Failed Preconditions block all levels; verification gaps trigger rework or appeals. Operationally, it risks reputational damage, lost ESG value, tenant churn, and unverified health claims—no direct fines, as WELL is voluntary, but portfolio devaluation and remediation costs apply.

Can **WELL** be mapped to other international frameworks?

**Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED.** Alignments reduce duplication (e.g., Air Preconditions with LEED IAQ credits), enabling dual certification. Skybridge tools map v1-to-v2 features and addenda, streamlining upgrades and portfolio strategies without independent verification.

What is the first step to begin implementing **WELL**?

**The first step is project enrollment/registration on the IWBI digital platform and scorecard development.** Identify pathways, target levels, and features; conduct Precondition gap analysis and optional pre-testing (e.g., air/water near pollution sources). Assemble cross-functional team (facilities, HR, design) for feasibility.

What is the primary objective of **APRA CPS 234**?

**APRA CPS 234 requires APRA-regulated entities to maintain an information security capability commensurate with threats and vulnerabilities to their information assets.** This enables continued sound operation by minimising the likelihood and impact of incidents on confidentiality, integrity, or availability, including assets managed by related parties or third parties (paragraphs 1, 15-16). Effective from 1 July 2019, it mandates Board oversight, policy frameworks, asset classification, controls, testing, and APRA notifications.

Who is legally or professionally required to comply with **APRA CPS 234**?

**APRA CPS 234 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers, and RSE licensees.** It extends group-wide where an entity is the Head of a group, covering non-regulated subsidiaries (paragraphs 2-4). Foreign ADIs, Category C insurers, and eligible foreign life companies comply for Australian branches only. Boards and senior management hold ultimate accountability (paragraph 13).

Does **APRA CPS 234** require an external audit or third-party certification?

**APRA CPS 234 does not mandate external audit or third-party certification but requires internal audit to review information security control design and effectiveness, including third-party controls (paragraphs 32-34).** Testing must use appropriately skilled, functionally independent specialists (paragraph 30), often external for penetration testing. Entities relying on third-party assurance must assess its adequacy (paragraph 34).

How often should an assessment for **APRA CPS 234** be performed?

**APRA CPS 234 requires systematic testing of control effectiveness with frequency commensurate to threat changes, asset criticality, sensitivity, and consequences (paragraph 27).** The testing program must be reviewed at least annually or upon material changes (paragraph 31). Incident response plans require annual review and testing (paragraph 26).

What are the consequences of non-compliance with **APRA CPS 234**?

**Non-compliance with APRA CPS 234 triggers APRA's prudential powers, including remediation directions, enforcement notices, penalties, heightened supervision, and potential license restrictions.** Entities must notify APRA within 72 hours of material incidents (paragraph 35) or 10 business days of unremediable material control weaknesses (paragraph 36), risking reputational harm, operational disruption, and litigation from affected stakeholders.

Can **APRA CPS 234** be mapped to other international frameworks?

**Yes, APRA CPS 234's outcomes-based requirements for governance, controls, testing, and third-party oversight map effectively to frameworks like ISO 27001 and NIST Cybersecurity Framework.** Its focus on Board accountability, asset classification (paragraph 20), commensurate controls (paragraph 21), and assurance aligns with NIST's Identify-Protect-Detect-Respond-Recover functions and ISO 27001's ISMS structure, enabling integrated compliance.

What is the first step to begin implementing **APRA CPS 234**?

**The first step for implementing APRA CPS 234 is securing explicit Board approval and sponsorship, establishing governance including defined roles and responsibilities (paragraphs 13-14).** This includes baseline evidence collection, scoping legal entities and third-party arrangements, and mapping current capabilities against requirements for a proportionate gap analysis.

WELL vs APRA CPS 234

Standards Comparison

WELL

Voluntary

2014

Performance-based certification for occupant health in buildings

APRA CPS 234

Mandatory

2019

Australian prudential standard for information security resilience

Quick Verdict

WELL certifies healthy buildings globally via performance verification for occupant well-being. APRA CPS 234 mandates information security for Australian financial entities with strict testing and notifications. Organizations adopt WELL for ESG/branding, CPS 234 for regulatory compliance.

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Requires mandatory on-site performance verification testing
Organized around 10 core health concepts
Preconditions mandatory plus point-earning Optimizations
Tiered certification Bronze to Platinum levels
Supports continuous monitoring compliance pathways

Information Security

APRA CPS 234

APRA Prudential Standard CPS 234 Information Security

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Ultimate Board accountability for information security
Commensurate controls based on asset criticality and sensitivity
Systematic independent testing and assurance of controls
72-hour APRA notification for material incidents
Third-party capability assessment and oversight obligations

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

WELL Details

What It Is

WELL Building Standard v2 is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its people-first approach emphasizes measurable indoor environmental quality and organizational policies across new and existing structures.

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions (mandatory pass/fail) and 102 Optimizations (point-earning).
Built on public health research; certification via Bronze (40 points), Silver (50), Gold (60), Platinum (80) with concept minimums at higher tiers.
Relies on on-site performance verification and continuous monitoring.

Why Organizations Use It

Drives occupant health, productivity, and ESG reporting; complements LEED for dual benefits. Mitigates risks like poor IEQ; boosts rents, retention, and reputation through verified outcomes.

Implementation Overview

Phased: gap analysis, scorecard, documentation, third-party review, testing, recertification every 3 years. Applies to offices, residential, portfolios; cross-functional teams essential for operations and verification.

APRA CPS 234 Details

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding prudential regulation from the Australian Prudential Regulation Authority, effective 1 July 2019. It requires APRA-regulated entities—banks, insurers, super funds—to maintain information security capabilities commensurate with threats and vulnerabilities to information assets, minimizing impacts on confidentiality, integrity, and availability. The risk-based approach demands proportionate governance, controls, and assurance.

Key Components

Board ultimate accountability and defined roles/responsibilities
Asset identification, classification by criticality/sensitivity
Commensurate controls across asset lifecycle, including third-parties
Systematic testing, independent internal audit assurance
Incident response plans with annual testing; 72-hour APRA notification for material incidents, 10-day for control weaknesses Built on CIA principles; no fixed control count; compliance via demonstrable evidence.

Why Organizations Use It

Mandatory compliance avoids APRA enforcement, penalties, license risks
Builds operational resilience, reduces incident impacts
Enhances customer trust, enables partnerships, cost efficiencies
Strategic differentiation in regulated financial services

Implementation Overview

Phased: gap analysis, governance/policies, asset register, controls/testing, monitoring. Applies Australia-wide to regulated entities of all sizes; proportionate to threats. Internal audit required; APRA supervisory review.

Key Differences

Aspect	WELL	APRA CPS 234
Scope	Occupant health across 10 concepts (air, water, mind)	Information security governance and cyber resilience
Industry	All buildings globally (offices, residential)	Australian financial services (banks, insurers)
Nature	Voluntary performance-based certification	Mandatory prudential regulation with enforcement
Testing	On-site performance verification, continuous monitoring	Systematic independent control testing, annual reviews
Penalties	Loss of certification, no legal penalties	Regulatory sanctions, fines, license restrictions

Scope

WELL

Occupant health across 10 concepts (air, water, mind)

APRA CPS 234

Information security governance and cyber resilience

Industry

WELL

All buildings globally (offices, residential)

APRA CPS 234

Australian financial services (banks, insurers)

Nature

WELL

Voluntary performance-based certification

APRA CPS 234

Mandatory prudential regulation with enforcement

Testing

WELL

On-site performance verification, continuous monitoring

APRA CPS 234

Systematic independent control testing, annual reviews

Penalties

WELL

Loss of certification, no legal penalties

APRA CPS 234

Regulatory sanctions, fines, license restrictions

Frequently Asked Questions

Common questions about WELL and APRA CPS 234

WELL FAQ

APRA CPS 234 FAQ

You Might also be Interested in These Articles...

From Data Fragments to Strategic Insight: Powering Intelligent Risk Management with Integrated Compliance Monitoring

Transform data fragments into strategic insights with integrated compliance monitoring. Automate real-time risk management, ensure GDPR & SOC 2 compliance, and

Top 5 Reasons Automation Tools Like Vanta Slash SOC 2 Type 2 Timelines from Months to Weeks

Automation tools like Vanta cut SOC 2 Type 2 prep from 6 months to 6 weeks, saving 70% costs. See SignWell examples, AWS/Okta/GitHub integrations. CISOs: Get fi

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

First 5 steps to SOC 2 compliance with Confidentiality for fintech SaaS. Infographic maps controls to risks like encryption & TPRM. Integrates GLBA/PCI DSS over

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 13485 vs ISO 28000

Compare ISO 13485 vs ISO 28000: Medical QMS rigor meets supply chain security resilience. Uncover differences, overlaps & tips for seamless compliance—boost your ops now!

SOC 2 vs CAA

Discover SOC 2 vs CAA: Compare security controls for SaaS with Clean Air Act emissions regs. Key differences, compliance tips & strategies for enterprise success.

GMP vs ISA 95

Discover GMP vs ISA 95: Compare pharma quality regs with enterprise-control integration models. Unlock compliance, efficiency & digital transformation benefits today!

WELL

APRA CPS 234

Quick Verdict

WELL

Key Features

APRA CPS 234

Key Features

Detailed Analysis

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

APRA CPS 234 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

Can WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

APRA CPS 234 FAQ

What is the primary objective of APRA CPS 234?

Who is legally or professionally required to comply with APRA CPS 234?

Does APRA CPS 234 require an external audit or third-party certification?

How often should an assessment for APRA CPS 234 be performed?

What are the consequences of non-compliance with APRA CPS 234?

Can APRA CPS 234 be mapped to other international frameworks?

What is the first step to begin implementing APRA CPS 234?

You Might also be Interested in These Articles...

From Data Fragments to Strategic Insight: Powering Intelligent Risk Management with Integrated Compliance Monitoring

Top 5 Reasons Automation Tools Like Vanta Slash SOC 2 Type 2 Timelines from Months to Weeks

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 13485 vs ISO 28000

SOC 2 vs CAA

GMP vs ISA 95