What is the primary objective of WELL?

The primary objective of WELL is to advance human health and well-being in the built environment through performance-based design, operations, and policies. Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across 10 concepts—Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community—plus Innovation, with 24 mandatory Preconditions and 84 optional Optimizations earning points toward certification tiers.

Who is legally or professionally required to comply with WELL?

WELL is voluntary and not legally mandated for any organization. It is professionally pursued by building owners, developers, facility managers, and corporate real estate leaders seeking verified health outcomes for competitive advantage, ESG reporting, and occupant satisfaction across new and existing buildings, including offices, residential, and hospitality via pathways like WELL Certification and WELL Core.

Does WELL require an external audit or third-party certification?

Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents. PV includes testing for air pollutants (e.g., CO₂ ≤900 ppm), water quality, lighting, acoustics, and thermal comfort, typically at 50% occupancy, alongside two rounds of IWBI platform documentation review for Preconditions and scored Optimizations.

How often should an assessment for WELL be performed?

WELL certification requires recertification every three years, with annual reporting for select features like air quality monitoring. Ongoing assessments via continuous monitoring pathways (e.g., calibrated sensors for PM2.5, CO₂) and occupant surveys sustain compliance between PV events, supporting tiers from Bronze (40 points) to Platinum (80 points, min 3 points per concept).

What are the consequences of non-compliance with WELL?

Non-compliance with WELL results in certification denial, additional curative review fees, and delayed timelines, with no statutory penalties as it is voluntary. Operationally, failed PV (e.g., exceeding CO₂ thresholds) necessitates remediation, potentially increasing costs for testing, upgrades, and recertification, while eroding ESG credibility and market differentiation.

Can WELL be mapped to other international frameworks?

Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED. These align overlapping strategies (e.g., air filtration, materials), enabling streamlined dual certification, reduced documentation duplication, and integrated ESG reporting without altering WELL's 10-concept structure or Preconditions/Optimizations requirements.

What is the first step to begin implementing WELL?

The first step is project enrollment on the IWBI digital platform and scorecard development targeting a certification tier. This identifies applicable Preconditions and Optimizations (e.g., 40 points for Bronze), followed by gap analysis, pre-testing high-risk features (e.g., air near highways), and cross-functional team formation for documentation and PV readiness.

What is the primary objective of CIS Controls?

The primary objective of CIS Controls is to provide a prioritized set of 18 cybersecurity best practices across 153 actionable safeguards to reduce organizational attack surface and cyber risk. CIS Controls v8, developed by the Center for Internet Security, targets common threats through Implementation Groups (IG1–IG3), with IG1's 56 safeguards delivering essential hygiene for all organizations.

Who is legally or professionally required to comply with CIS Controls?

No organization is universally legally required to comply with CIS Controls, as it is a voluntary, consensus-driven framework. Professionally, CISOs, IT managers, compliance officers, and auditors across all industries and sizes—from SMBs to enterprises—adopt it for baseline hygiene; U.S. states like Connecticut and Louisiana reference it for "reasonable security" safe harbor in breach litigation.

Does CIS Controls require an external audit or third-party certification?

CIS Controls does not require external audits or third-party certification. Organizations self-assess using tools like CIS Controls Navigator or CIS-CAT against 18 controls and IG1–IG3 safeguards; external validation occurs via CIS Benchmarks assessments or acceptance by insurers, regulators, and partners as evidence of hygiene.

How often should an assessment for CIS Controls be performed?

CIS Controls assessments should be performed continuously with automated tools, supplemented by quarterly reviews and annual full reassessments. Leverage CIS-CAT for configuration checks, Navigator for safeguard mapping, and metrics like asset coverage and vulnerability remediation SLAs to track progress across 153 safeguards.

What are the consequences of non-compliance with CIS Controls?

Non-compliance with CIS Controls exposes organizations to heightened breach risk, regulatory findings, and operational disruptions without legal penalties, as it is voluntary. Gaps in 18 controls enable exploits like unpatched vulnerabilities or weak access, leading to data breaches, litigation leverage, insurance denials, and lost contracts.

Can CIS Controls be mapped to other international frameworks?

Yes, CIS Controls v8 provides official mappings to over 25 frameworks including NIST CSF 2.0, PCI DSS, HIPAA, and ISO 27001. The Controls Navigator automates crosswalks from 153 safeguards to regulatory requirements, enabling unified compliance programs.

What is the first step to begin implementing CIS Controls?

The first step is to secure executive sponsorship and conduct a baseline maturity assessment using CIS Controls Navigator or CIS RAM against IG1's 56 safeguards. Prioritize Controls 1–2 for asset and software inventories to establish foundational visibility.

Standards Comparison

WELL vs CIS Controls

WELL

Voluntary

2014

Certification for buildings prioritizing occupant health well-being

CIS Controls

Voluntary

2021

Prioritized cybersecurity best practices framework

Quick Verdict

WELL certifies buildings for occupant health via 10 concepts and on-site testing, while CIS Controls provide prioritized cybersecurity safeguards across 18 areas. Companies adopt WELL for wellness/ESG appeal and CIS for breach prevention and compliance alignment.

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core concepts for human health outcomes
Preconditions mandatory plus point-earning Optimizations
Certification tiers Bronze Silver Gold Platinum
Continuous monitoring pathways for compliance

Cybersecurity

CIS Controls

CIS Critical Security Controls v8

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

18 prioritized controls with 153 actionable safeguards
Implementation Groups IG1-IG3 for scalable maturity
Mappings to NIST, PCI DSS, HIPAA frameworks
Asset and software inventory automation emphasis
Community-driven updates based on attack data

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

WELL Details

What It Is

WELL Building Standard v2 is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being. Scope covers new/existing buildings across types like offices, residential, healthcare. Key approach: evidence-based Preconditions (mandatory) and Optimizations (points for tiers).

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (+Innovation).
24 Preconditions, 84 Optimizations; total ~110 points max.
Built on public health/building science research.
Certification model: all Preconditions + points for Bronze (40), Silver (50), Gold (60), Platinum (80) tiers, with concept minimums.

Why Organizations Use It

Drives productivity, retention, ESG reporting; complements LEED. Mitigates health risks, boosts rents/values. Builds stakeholder trust via verified outcomes. Voluntary but tenant-demanded.

Implementation Overview

Phased: gap analysis, scorecard, documentation, on-site verification, recertification (3 years). Cross-functional (facilities, HR, design). Applies globally to all sizes; requires third-party testing.

CIS Controls Details

What It Is

CIS Critical Security Controls (CIS Controls) v8 is a community-driven, prescriptive cybersecurity framework of prioritized best practices to reduce attack surfaces and enhance resilience. It applies across industries and organization sizes, using an asset-centric, safeguard-based approach with Implementation Groups (IG1–IG3) for risk-based scaling.

Key Components

18 Controls with 153 Safeguards, covering asset inventory, data protection, access management, vulnerability handling, monitoring, and incident response.
Built on real-world attack data; core principles include prioritization, measurability, and automation.
No formal certification; compliance via self-assessment, audits, and mappings to NIST, PCI DSS, HIPAA.

Why Organizations Use It

Mitigates 85% of common attacks, cuts breach costs, accelerates regulatory compliance.
Builds trust with insurers, partners; enables efficiency via automation.
Strategic ROI: operational resilience, competitive edge in cyber hygiene.

Implementation Overview

Phased roadmap: governance, gap analysis, IG1 foundational controls (3–9 months), expansion to IG2/IG3.
Activities: asset inventories, secure configs, MFA, logging; tools like CIS Benchmarks.
Suits all sizes/industries; global applicability, no certification needed. (178 words)

Key Differences

Aspect	WELL	CIS Controls
Scope	Occupant health, 10 concepts (Air, Water, etc.)	Cybersecurity, 18 controls (assets, access, etc.)
Industry	All buildings, global, new/existing	All industries, global, all sizes
Nature	Voluntary performance certification	Voluntary cybersecurity best practices
Testing	On-site performance verification, 3-year recert	Self-assess, automated tools, continuous
Penalties	No certification, no legal penalties	No formal penalties, increased breach risk

Scope

WELL

Occupant health, 10 concepts (Air, Water, etc.)

CIS Controls

Cybersecurity, 18 controls (assets, access, etc.)

Industry

WELL

All buildings, global, new/existing

CIS Controls

All industries, global, all sizes

Nature

WELL

Voluntary performance certification

CIS Controls

Voluntary cybersecurity best practices

Testing

WELL

On-site performance verification, 3-year recert

CIS Controls

Self-assess, automated tools, continuous

Penalties

WELL

No certification, no legal penalties

CIS Controls

No formal penalties, increased breach risk

Frequently Asked Questions

Common questions about WELL and CIS Controls

WELL FAQ

CIS Controls FAQ

You Might also be Interested in These Articles...

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

Discover 5 ways modern compliance software turns evolving regulations into strategic advantage. Automate monitoring, cut 3x non-compliance costs, stay audit-rea

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

Decode PDPC Thailand's 1,048 complaints & 610 breaches. Uncover consent/security violations, project 2025 enforcement. Risk heatmap, self-assessment & playbook

CMMC Level 2 Implementation Guide for Small DIB Contractors: First 5 Steps to C3PAO Certification with Infographic

Actionable CMMC Level 2 guide for small DIB contractors: 5-step roadmap to C3PAO certification with infographic on timelines, costs & POA&Ms. Achieve DoD compli

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how WELL and CIS Controls compare against other standards

Other WELL Comparisons

Other CIS Controls Comparisons

What It Is

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (+Innovation).

24 Preconditions, 84 Optimizations; total ~110 points max.

Built on public health/building science research.

Certification model: all Preconditions + points for Bronze (40), Silver (50), Gold (60), Platinum (80) tiers, with concept minimums.

What It Is

Key Components

18 Controls with 153 Safeguards, covering asset inventory, data protection, access management, vulnerability handling, monitoring, and incident response.

Built on real-world attack data; core principles include prioritization, measurability, and automation.

No formal certification; compliance via self-assessment, audits, and mappings to NIST, PCI DSS, HIPAA.

Aspect

WELL

CIS Controls

Scope

Occupant health, 10 concepts (Air, Water, etc.)

Cybersecurity, 18 controls (assets, access, etc.)

Industry

All buildings, global, new/existing

All industries, global, all sizes

Nature

Voluntary performance certification

Voluntary cybersecurity best practices

Testing

On-site performance verification, 3-year recert

Self-assess, automated tools, continuous

Penalties

No certification, no legal penalties

No formal penalties, increased breach risk