What is the primary objective of **WELL**?

**The primary objective of WELL is to advance human health and well-being in the built environment through performance-based design, operations, and policies.** Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across **10 concepts**—**Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community**—with **24 mandatory Preconditions** and **102 optional Optimizations** plus **Innovation** features. Projects must meet all Preconditions via on-site verification and earn points (e.g., 40 for Bronze, 80 for Platinum) for certification levels, emphasizing measurable outcomes like CO₂ ≤900 ppm and continuous monitoring.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification to enhance occupant health, ESG reporting, and market differentiation.** Applicable to owners, developers, and operators of new/existing buildings via pathways like **WELL Certification** (owner-controlled), **WELL Core** (base buildings with ≥75% leased space), and **WELL for Residential**. Corporate real estate, facilities, HR, and design teams in sectors like offices, education, healthcare, and hospitality adopt it for verified IEQ metrics, with billions of sq ft certified globally.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents.** The process includes enrollment, scorecard development, two rounds of review (preliminary/final), and PV testing for air, water, light, sound, and thermal comfort at ≥50% occupancy. Certification (Bronze to Platinum) is awarded post-verification; continuous monitoring pathways support compliance.

How often should an assessment for **WELL** be performed?

**WELL requires recertification every three years, with annual reporting for select features like air quality monitoring.** Ongoing assessments via continuous monitoring (e.g., CO₂, PM2.5) and occupant surveys ensure sustained performance; full PV and documentation updates occur at recertification, with addenda integrating evolving requirements.

What are the consequences of non-compliance with **WELL**?

**Non-compliance results in certification denial, additional curative review fees, and delayed recertification.** Failed Preconditions block all levels; PV failures require remediation or appeals. Operationally, it risks reputational damage, lost ESG value, tenant churn, and unverified health claims, without direct fines as WELL is voluntary.

Can **WELL** be mapped to other international frameworks?

**Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED.** These align overlapping strategies (e.g., air filtration, materials), reducing duplication for dual certifications and streamlining ESG reporting across environmental and health metrics.

What is the first step to begin implementing **WELL**?

**The first step is project enrollment/registration on the IWBI digital platform and scorecard development.** Identify pathways, baseline Preconditions, target points (e.g., 50 for Silver with ≥1 point/concept), and conduct pre-testing for high-risk features like air/water to de-risk PV.

What is the primary objective of **ISO 27017**?

**ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4).** Published in 2015, it addresses shared responsibilities between **cloud service providers (CSPs)** and **cloud service customers (CSCs)**, covering multi-tenancy segregation, virtual machine hardening, asset removal/return, administrative operations, customer monitoring, and network alignment in IaaS, PaaS, and SaaS models.

Who is legally or professionally required to comply with **ISO 27017**?

**No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice.** Professionally, **CSPs** and **CSCs** with significant cloud footprints adopt it to demonstrate due diligence, especially in regulated sectors or procurement demanding cloud security assurance; ~94% of organizations use cloud, with 61% reporting incidents, driving its use within ISO 27001 ISMS.

Does **ISO 27017** require an external audit or third-party certification?

**ISO 27017 does not support standalone certification or require separate external audits.** It is assessed as an extension within **ISO 27001** audits by accredited certification bodies, where auditors evaluate implementation of its 37+7 controls in the ISMS scope, often noted in combined certificates.

How often should an assessment for **ISO 27017** be performed?

**ISO 27017 assessments occur as part of annual ISO 27001 surveillance audits and triennial re-certification.** Continuous monitoring of cloud controls (e.g., configurations, logs) is required via risk-based internal reviews, aligning with ISO 27001 clause 9 performance evaluation.

What are the consequences of non-compliance with **ISO 27017**?

**Non-compliance with ISO 27017 carries no direct legal penalties, as it is non-mandatory.** Indirect consequences include failed ISO 27001 certification, lost procurement opportunities, heightened breach risks from unaddressed cloud gaps (e.g., multi-tenancy failures), and regulatory scrutiny under data laws if cloud incidents occur.

Can **ISO 27017** be mapped to other international frameworks?

**Yes, ISO 27017 controls map directly to ISO 27001/27002 and extend to frameworks like NIST SP 800-53 and CSA STAR.** Its 37+7 controls align with shared-responsibility models in FedRAMP and PCI-DSS cloud requirements, enabling unified evidence for multi-framework compliance.

What is the first step to begin implementing **ISO 27017**?

**Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls.** Define scope for cloud services, document shared responsibilities (CLD.6.3.1), and update the Statement of Applicability to include the 37 ISO 27002 guidance areas and 7 CLD controls.

WELL vs ISO 27017

Standards Comparison

WELL

Voluntary

2014

Certification framework for building occupant health

ISO 27017

Voluntary

2015

International code of practice for cloud security controls

Quick Verdict

WELL certifies buildings for occupant health via 10 concepts and on-site testing, while ISO 27017 extends ISO 27001 with cloud-specific security controls. Companies adopt WELL for wellness differentiation and ISO 27017 for cloud risk management and procurement trust.

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core concepts for occupant health
Preconditions plus point-earning Optimizations
Evidence-based air, water, light strategies
Bronze-to-Platinum tiers with balanced scoring

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Adds seven cloud-specific CLD security controls
Provides guidance for multi-tenancy and VM segregation
Extends 37 ISO 27002 controls for cloud environments
Enables customer monitoring of cloud service activities

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

WELL Details

What It Is

WELL Building Standard v2 is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its people-first approach uses 10 core concepts like Air, Water, and Mind, with a methodology blending mandatory Preconditions and optional Optimizations for tiered certification.

Key Components

**10 conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions and 102 Optimizations totaling up to 110 points.
Built on public health research; requires on-site performance verification.
Certification model: Bronze (40 points), Silver (50), Gold (60), Platinum (80), with concept balance rules.

Why Organizations Use It

Drives occupant productivity, reduces absenteeism, enhances ESG reporting, and boosts rents/asset values. Voluntary but complements LEED for dual benefits; manages health risks and builds stakeholder trust via verified outcomes.

Implementation Overview

Phased: gap analysis, scorecard, documentation, third-party review, on-site testing, recertification every 3 years. Applies to new/existing buildings across industries; cross-functional teams handle design, operations, policies.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance for information security controls. It extends ISO/IEC 27002 for cloud services (IaaS, PaaS, SaaS), using a risk-based approach within an ISO 27001 ISMS to address shared responsibilities and multi-tenancy.

Key Components

Additional implementation guidance for 37 ISO 27002 controls
7 cloud-specific CLD controls (e.g., segregation, VM hardening, asset removal)
Built on ISO 27001 ISMS framework
No standalone certification; integrated into ISO 27001 audits

Why Organizations Use It

Clarifies CSP-CSC responsibilities for procurement and contracts
Supports regulatory alignment (GDPR, CCPA indirectly)
Mitigates cloud risks like misconfigurations and data leakage
Provides competitive differentiation for CSPs
Builds stakeholder trust via auditable cloud security

Implementation Overview

Extend existing ISO 27001 ISMS with cloud risk assessments
Map controls, update SoA, implement technical measures
Applies to CSPs and CSCs globally, all sizes/industries
Audited jointly with ISO 27001 (9-12 months typical)

Key Differences

Aspect	WELL	ISO 27017
Scope	Occupant health, 10 concepts (air, water, mind)	Cloud-specific security controls, 7 CLD controls
Industry	Buildings, real estate, all sectors globally	Cloud providers/customers, IT/tech globally
Nature	Voluntary performance certification standard	Voluntary cloud security code of practice
Testing	On-site performance verification, continuous monitoring	ISO 27001 audits with cloud control assessment
Penalties	Loss of certification, no legal penalties	Loss of certification, no legal penalties

Scope

WELL

Occupant health, 10 concepts (air, water, mind)

ISO 27017

Cloud-specific security controls, 7 CLD controls

Industry

WELL

Buildings, real estate, all sectors globally

ISO 27017

Cloud providers/customers, IT/tech globally

Nature

WELL

Voluntary performance certification standard

ISO 27017

Voluntary cloud security code of practice

Testing

WELL

On-site performance verification, continuous monitoring

ISO 27017

ISO 27001 audits with cloud control assessment

Penalties

WELL

Loss of certification, no legal penalties

ISO 27017

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about WELL and ISO 27017

WELL FAQ

ISO 27017 FAQ

You Might also be Interested in These Articles...

CMMC Level 3 Implementation Guide: Integrating NIST SP 800-172 Enhanced Controls for APT Defense

Step-by-step CMMC Level 3 guide for DIB contractors. Implement 24 NIST SP 800-172 controls on Level 2. Prep for DIBCAC, C3PAO scoping & 180-day POA&Ms. Boost cy

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

Decode PDPC Thailand's 1,048 complaints & 610 breaches. Uncover consent/security violations, project 2025 enforcement. Risk heatmap, self-assessment & playbook

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 14064 vs EN 1090

Explore ISO 14064 vs EN 1090: Compare GHG emissions standards with steel/aluminium fabrication rules—achieve expert compliance, cut risks, boost credibility now!

K-PIPA vs AEO

Discover K-PIPA vs AEO: Korea's strict data privacy law meets global trade security standards. Key differences, compliance tips & strategies for businesses—master both now!

NIST 800-53 vs ISO 27701

Discover NIST 800-53 vs ISO 27701: Compare 20 control families, baselines, RMF integration vs PIMS for privacy. Optimize compliance & risk mgmt today!

WELL

ISO 27017

Quick Verdict

WELL

Key Features

ISO 27017

Key Features

Detailed Analysis

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 27017 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

Can WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

ISO 27017 FAQ

What is the primary objective of ISO 27017?

Who is legally or professionally required to comply with ISO 27017?

Does ISO 27017 require an external audit or third-party certification?

How often should an assessment for ISO 27017 be performed?

What are the consequences of non-compliance with ISO 27017?

Can ISO 27017 be mapped to other international frameworks?

What is the first step to begin implementing ISO 27017?

You Might also be Interested in These Articles...

CMMC Level 3 Implementation Guide: Integrating NIST SP 800-172 Enhanced Controls for APT Defense

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 14064 vs EN 1090

K-PIPA vs AEO

NIST 800-53 vs ISO 27701