What is the primary objective of WELL?

The primary objective of WELL is to advance human health and well-being in the built environment through performance-based design, operations, and policies. Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across 10 concepts—Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community—with 24 mandatory Preconditions and 102 optional Optimizations plus Innovation features. Projects must meet all Preconditions via on-site verification and earn points (e.g., 40 for Bronze, 80 for Platinum) for certification levels, emphasizing measurable outcomes like CO₂ ≤900 ppm and continuous monitoring.

Who is legally or professionally required to comply with WELL?

WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification to enhance occupant health, ESG reporting, and market differentiation. Applicable to owners, developers, and operators of new/existing buildings via pathways like WELL Certification (owner-controlled), WELL Core (base buildings with ≥75% leased space), and WELL for Residential. Corporate real estate, facilities, HR, and design teams in sectors like offices, education, healthcare, and hospitality adopt it for verified IEQ metrics, with billions of sq ft certified globally.

Does WELL require an external audit or third-party certification?

Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents. The process includes enrollment, scorecard development, two rounds of review (preliminary/final), and PV testing for air, water, light, sound, and thermal comfort at ≥50% occupancy. Certification (Bronze to Platinum) is awarded post-verification; continuous monitoring pathways support compliance.

How often should an assessment for WELL be performed?

WELL requires recertification every three years, with annual reporting for select features like air quality monitoring. Ongoing assessments via continuous monitoring (e.g., CO₂, PM2.5) and occupant surveys ensure sustained performance; full PV and documentation updates occur at recertification, with addenda integrating evolving requirements.

What are the consequences of non-compliance with WELL?

Non-compliance results in certification denial, additional curative review fees, and delayed recertification. Failed Preconditions block all levels; PV failures require remediation or appeals. Operationally, it risks reputational damage, lost ESG value, tenant churn, and unverified health claims, without direct fines as WELL is voluntary.

Can WELL be mapped to other international frameworks?

Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED. These align overlapping strategies (e.g., air filtration, materials), reducing duplication for dual certifications and streamlining ESG reporting across environmental and health metrics.

What is the first step to begin implementing WELL?

The first step is project enrollment/registration on the IWBI digital platform and scorecard development. Identify pathways, baseline Preconditions, target points (e.g., 50 for Silver with ≥1 point/concept), and conduct pre-testing for high-risk features like air/water to de-risk PV.

What is the primary objective of ISO 27017?

ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4). Published in 2015, it addresses shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs), covering multi-tenancy segregation, virtual machine hardening, asset removal/return, administrative operations, customer monitoring, and network alignment in IaaS, PaaS, and SaaS models.

Who is legally or professionally required to comply with ISO 27017?

No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice. Professionally, CSPs and CSCs with significant cloud footprints adopt it to demonstrate due diligence, especially in regulated sectors or procurement demanding cloud security assurance; ~94% of organizations use cloud, with 61% reporting incidents, driving its use within ISO 27001 ISMS.

Does ISO 27017 require an external audit or third-party certification?

ISO 27017 does not support standalone certification or require separate external audits. It is assessed as an extension within ISO 27001 audits by accredited certification bodies, where auditors evaluate implementation of its 37+7 controls in the ISMS scope, often noted in combined certificates.

How often should an assessment for ISO 27017 be performed?

ISO 27017 assessments occur as part of annual ISO 27001 surveillance audits and triennial re-certification. Continuous monitoring of cloud controls (e.g., configurations, logs) is required via risk-based internal reviews, aligning with ISO 27001 clause 9 performance evaluation.

What are the consequences of non-compliance with ISO 27017?

Non-compliance with ISO 27017 carries no direct legal penalties, as it is non-mandatory. Indirect consequences include failed ISO 27001 certification, lost procurement opportunities, heightened breach risks from unaddressed cloud gaps (e.g., multi-tenancy failures), and regulatory scrutiny under data laws if cloud incidents occur.

Can ISO 27017 be mapped to other international frameworks?

Yes, ISO 27017 controls map directly to ISO 27001/27002 and extend to frameworks like NIST SP 800-53 and CSA STAR. Its 37+7 controls align with shared-responsibility models in FedRAMP and PCI-DSS cloud requirements, enabling unified evidence for multi-framework compliance.

What is the first step to begin implementing ISO 27017?

Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls. Define scope for cloud services, document shared responsibilities (CLD.6.3.1), and update the Statement of Applicability to include the 37 ISO 27002 guidance areas and 7 CLD controls.

Standards Comparison

WELL vs ISO 27017

WELL

Voluntary

2014

Certification framework for building occupant health

ISO 27017

Voluntary

2015

International code of practice for cloud security controls

Quick Verdict

WELL certifies buildings for occupant health via 10 concepts and on-site testing, while ISO 27017 extends ISO 27001 with cloud-specific security controls. Companies adopt WELL for wellness differentiation and ISO 27017 for cloud risk management and procurement trust.

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core concepts for occupant health
Preconditions plus point-earning Optimizations
Evidence-based air, water, light strategies
Bronze-to-Platinum tiers with balanced scoring

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Adds seven cloud-specific CLD security controls
Provides guidance for multi-tenancy and VM segregation
Extends 37 ISO 27002 controls for cloud environments
Enables customer monitoring of cloud service activities

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

WELL Details

What It Is

WELL Building Standard v2 is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its people-first approach uses 10 core concepts like Air, Water, and Mind, with a methodology blending mandatory Preconditions and optional Optimizations for tiered certification.

Key Components

**10 conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions and 102 Optimizations totaling up to 110 points.
Built on public health research; requires on-site performance verification.
Certification model: Bronze (40 points), Silver (50), Gold (60), Platinum (80), with concept balance rules.

Why Organizations Use It

Drives occupant productivity, reduces absenteeism, enhances ESG reporting, and boosts rents/asset values. Voluntary but complements LEED for dual benefits; manages health risks and builds stakeholder trust via verified outcomes.

Implementation Overview

Phased: gap analysis, scorecard, documentation, third-party review, on-site testing, recertification every 3 years. Applies to new/existing buildings across industries; cross-functional teams handle design, operations, policies.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance for information security controls. It extends ISO/IEC 27002 for cloud services (IaaS, PaaS, SaaS), using a risk-based approach within an ISO 27001 ISMS to address shared responsibilities and multi-tenancy.

Key Components

Additional implementation guidance for 37 ISO 27002 controls
7 cloud-specific CLD controls (e.g., segregation, VM hardening, asset removal)
Built on ISO 27001 ISMS framework
No standalone certification; integrated into ISO 27001 audits

Why Organizations Use It

Clarifies CSP-CSC responsibilities for procurement and contracts
Supports regulatory alignment (GDPR, CCPA indirectly)
Mitigates cloud risks like misconfigurations and data leakage
Provides competitive differentiation for CSPs
Builds stakeholder trust via auditable cloud security

Implementation Overview

Extend existing ISO 27001 ISMS with cloud risk assessments
Map controls, update SoA, implement technical measures
Applies to CSPs and CSCs globally, all sizes/industries
Audited jointly with ISO 27001 (9-12 months typical)

Key Differences

Aspect	WELL	ISO 27017
Scope	Occupant health, 10 concepts (air, water, mind)	Cloud-specific security controls, 7 CLD controls
Industry	Buildings, real estate, all sectors globally	Cloud providers/customers, IT/tech globally
Nature	Voluntary performance certification standard	Voluntary cloud security code of practice
Testing	On-site performance verification, continuous monitoring	ISO 27001 audits with cloud control assessment
Penalties	Loss of certification, no legal penalties	Loss of certification, no legal penalties

Scope

WELL

Occupant health, 10 concepts (air, water, mind)

ISO 27017

Cloud-specific security controls, 7 CLD controls

Industry

WELL

Buildings, real estate, all sectors globally

ISO 27017

Cloud providers/customers, IT/tech globally

Nature

WELL

Voluntary performance certification standard

ISO 27017

Voluntary cloud security code of practice

Testing

WELL

On-site performance verification, continuous monitoring

ISO 27017

ISO 27001 audits with cloud control assessment

Penalties

WELL

Loss of certification, no legal penalties

ISO 27017

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about WELL and ISO 27017

WELL FAQ

ISO 27017 FAQ

You Might also be Interested in These Articles...

The 2026 Cyber Essentials Hybrid Audit Checklist: Gathering Unassailable Proof Across M365, AWS, and Azure

Build an evidence vault that passes Cyber Essentials Plus audits in 2026. Practical guidance on firewalls, secure configuration, and malware protection across M

The 'Black Box' Risk: Why Human-in-the-Loop is the Ultimate Fail-Safe for 2026 Security Operations

Uncover the black box AI risk in security ops. Learn why human-in-the-loop auditing is crucial for 2026. Upskill analysts to ensure data privacy and robust secu

Top 5 Reasons TISAX Tabletop Exercises Prevent €10M+ Supply Chain Breaches for ADAS Tier 1 Suppliers in 2025

Unlock top 5 reasons TISAX tabletop exercises deliver 4:1 ROI preventing €10M+ supply chain breaches for ADAS Tier 1 suppliers. ENX case studies & VDA ISA contr

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how WELL and ISO 27017 compare against other standards

Other WELL Comparisons

Other ISO 27017 Comparisons

What It Is

Key Components

**10 conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).

24 Preconditions and 102 Optimizations totaling up to 110 points.

Built on public health research; requires on-site performance verification.

Certification model: Bronze (40 points), Silver (50), Gold (60), Platinum (80), with concept balance rules.

What It Is

Key Components

Additional implementation guidance for 37 ISO 27002 controls
7 cloud-specific CLD controls (e.g., segregation, VM hardening, asset removal)
Built on ISO 27001 ISMS framework
No standalone certification; integrated into ISO 27001 audits

Why Organizations Use It

Clarifies CSP-CSC responsibilities for procurement and contracts
Supports regulatory alignment (GDPR, CCPA indirectly)
Mitigates cloud risks like misconfigurations and data leakage
Provides competitive differentiation for CSPs
Builds stakeholder trust via auditable cloud security

Implementation Overview

Extend existing ISO 27001 ISMS with cloud risk assessments
Map controls, update SoA, implement technical measures
Applies to CSPs and CSCs globally, all sizes/industries
Audited jointly with ISO 27001 (9-12 months typical)

Aspect

WELL

ISO 27017

Scope

Occupant health, 10 concepts (air, water, mind)

Cloud-specific security controls, 7 CLD controls

Industry

Buildings, real estate, all sectors globally

Cloud providers/customers, IT/tech globally

Nature

Voluntary performance certification standard

Voluntary cloud security code of practice

Testing

On-site performance verification, continuous monitoring

ISO 27001 audits with cloud control assessment

Penalties

Loss of certification, no legal penalties