What is the primary objective of **WELL**?

**The primary objective of WELL is to design, operate, and verify buildings that advance human health and well-being through evidence-based performance outcomes.** Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across **10 concepts**—**Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community**—plus **Innovation**. It mandates **24 Preconditions** (pass/fail minimums) and offers **102 Optimizations** for points toward certification tiers: **Bronze (40 points)**, **Silver (50 points, min 1 per concept)**, **Gold (60 points, min 2 per concept)**, and **Platinum (80 points, min 3 per concept)**. Unlike design-only standards, WELL requires **on-site performance verification** for air quality (e.g., CO₂ ≤900 ppm), water testing, lighting, acoustics, and thermal comfort to ensure measurable occupant health.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification or tenant-specified health performance.** Applicable to owners, developers, and operators of new/existing buildings via pathways like **WELL Certification** (owner-controlled), **WELL Core** (base buildings leasing ≥75% space), and **WELL for Residential**. Corporate real estate executives, facilities managers, and ESG leaders adopt it for credibility, with billions of sq ft certified globally across offices, healthcare, education, and hospitality. Tenants often contractually require it for leasing.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL mandates third-party documentation review and on-site performance verification by authorized WELL Performance Testing Agents.** Process includes IWBI platform enrollment, scorecard development, two rounds of documentation review (preliminary/final), and site testing at ≥50% occupancy for air, water, light, sound, and thermal metrics. WELL AP credentialed professionals assist, ensuring independence (e.g., no conflict if pre-testing involves consulting).

How often should an assessment for **WELL** be performed?

**WELL requires recertification every three years, with annual reporting for select features like air quality monitoring.** Ongoing continuous monitoring pathways (e.g., CO₂ data, calibrated sensors recalibrated annually) support compliance. Performance verification occurs once per cycle; pre-testing is recommended pre-certification for high-risk features (e.g., Air near highways).

What are the consequences of non-compliance with **WELL**?

**Non-compliance results in certification denial, additional curative review fees, and delayed timelines, with no statutory penalties as WELL is voluntary.** Failed **Preconditions** block all tiers; verification failures (e.g., exceeding CO₂ thresholds) require remediation or appeals. Operationally, it risks reputational damage, lost ESG value, and tenant disputes, but no fines—focus is performance credibility.

Can **WELL** be mapped to other international frameworks?

**Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED.** Alignments reduce duplication (e.g., Air filtration with LEED IEQ credits), enabling dual certification. Skybridge tools map v1 to v2/addenda, supporting portfolio-scale efficiency without independent validation here.

What is the first step to begin implementing **WELL**?

**The first step is project enrollment/registration on the IWBI digital platform and scorecard development.** Identify pathway (e.g., WELL Certification), target tier, and features; conduct gap analysis prioritizing **24 Preconditions**. Assemble cross-functional team (facilities, HR, design) for feasibility.

What is the primary objective of **ISO 27018**?

**ISO 27018 provides a code of practice for protecting **Personally Identifiable Information (PII)** in public clouds where the provider acts as a PII processor.** It extends **ISO 27001** and **ISO 27002** with ~25–30 privacy-specific controls addressing cloud risks like multi-tenancy, subprocessor transparency, consent, purpose limitation, data minimization, breach notification, and restrictions on secondary PII use (e.g., no marketing without consent). The 2025 edition aligns with **ISO 27002:2022**, emphasizing processor obligations across the PII lifecycle.

Who is legally or professionally required to comply with **ISO 27018**?

**ISO 27018 applies to public cloud service providers (CSPs) acting as PII processors, not controllers.** Targeted at hyperscalers, regional CSPs, and sector-specific platforms (e.g., health, finance), it is a professional best practice for demonstrating privacy stewardship amid regulatory pressures like GDPR Article 28. Controllers use it for vendor due diligence; no legal mandate exists, but adoption accelerates procurement and cyber insurance.

Does **ISO 27018** require an external audit or third-party certification?

**ISO 27018 does not offer standalone certification; controls are assessed via external **ISO 27001** audits by accredited bodies under **ISO/IEC 17021** and **ISO/IEC 27006**.** Auditors review **ISO 27018** implementation in the **Statement of Applicability (SoA)** during Stage 1 (documents) and Stage 2 (effectiveness) audits. Certificates reference **ISO 27018** alongside **ISO 27001**, valid for 3 years with annual surveillance.

How often should an assessment for **ISO 27018** be performed?

**ISO 27018 assessments occur through annual surveillance audits and full recertification every 3 years as part of the **ISO 27001** cycle.** Certified CSPs like Microsoft conduct at least yearly third-party audits covering **ISO 27018** controls. Internal gap analyses and continual improvement plans address changes in cloud services, subprocessors, or regulations.

What are the consequences of non-compliance with **ISO 27018**?

**Non-compliance with ISO 27018 risks loss of market trust, procurement delays, and regulatory exposure under laws like GDPR, but incurs no direct ISO penalties.** CSPs face rejected contracts, higher cyber insurance premiums, and weakened due diligence evidence. Auditors may issue non-conformities, potentially revoking **ISO 27001** certification; reputational damage amplifies in regulated sectors.

Can **ISO 27018** be mapped to other international frameworks?

**Yes, ISO 27018 maps closely to frameworks like **ISO 27017** (cloud security), **ISO 27701** (PIMS), **ISO 29100** (privacy framework), and OECD guidelines.** Controls align with GDPR Article 28 processor obligations (e.g., subprocessor disclosure, breach notification). It complements **ISO 27001 Annex A**'s 93 controls, integrating privacy into organizational, people, physical, and technological themes.

What is the first step to begin implementing **ISO 27018**?

**Conduct a structured gap analysis against current **ISMS** practices and **ISO 27018** controls.** Engage stakeholders for discovery, review documentation/SoA/contracts, identify deficiencies in transparency, subprocessors, data subject rights, and breach procedures, then develop a prioritized roadmap integrated into **ISO 27001**. This assumes an existing **ISO 27001** foundation.

WELL vs ISO 27018

Standards Comparison

WELL

Voluntary

2014

Certification for building occupant health and well-being

ISO 27018

Voluntary

2019

International code for PII protection in public clouds.

Quick Verdict

WELL certifies healthy buildings via performance testing for occupant well-being; ISO 27018 extends ISO 27001 for cloud PII privacy. Companies adopt WELL for ESG and productivity gains, ISO 27018 for procurement trust and regulatory alignment.

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core concepts from Air to Community
24 Preconditions plus 102 point-earning Optimizations
Tiered certifications Bronze to Platinum via points
Continuous monitoring pathways for compliance

Cloud Privacy

ISO 27018

ISO/IEC 27018: Code of practice for PII in public clouds

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

PII protection controls for public cloud processors
Subprocessor transparency and disclosure requirements
Breach notification obligations to customers
Support for data subject rights in clouds
Prohibits secondary PII use without consent

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

WELL Details

What It Is

WELL Building Standard v2 is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being outcomes across environmental, behavioral, and policy domains. Its evidence-based approach uses preconditions (mandatory) and optimizations (optional points) structured around 10 core concepts.

Key Components

**10 conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions and 102 Optimizations totaling up to 110 points.
Built on public health research and building science.
**Tiered certificationBronze (40 points), Silver (50), Gold (60), Platinum (80), with concept minimums at higher levels.

Why Organizations Use It

Drives occupant productivity, reduces absenteeism, enhances ESG reporting, and commands higher rents. Complements LEED for people-first health metrics. Builds stakeholder trust via verified performance; voluntary but tenant-demanded.

Implementation Overview

Multi-phase: gap analysis, scorecard development, documentation, on-site verification, recertification every 3 years. Applies to new/existing buildings, all sizes/industries globally. Requires third-party review and testing.

ISO 27018 Details

What It Is

ISO/IEC 27018 is a code of practice extending ISO 27001 and ISO 27002 for protecting personally identifiable information (PII) in public clouds where providers act as PII processors. Published in 2014, revised 2019 and 2025, it uses a risk-based approach with ~25-30 additional privacy-specific controls tailored to cloud challenges like multi-tenancy and cross-border data flows.

Key Components

Core pillars: consent, purpose limitation, data minimization, transparency, accountability.
Control areas: subprocessor disclosure, breach notification, data subject rights support, secure PII lifecycle handling.
Built on ISO 27001 ISMS; not standalone certification—assessed during ISO 27001 audits.

Why Organizations Use It

Builds customer trust, accelerates procurement via Statement of Applicability.
Aligns with GDPR, HIPAA for processor obligations.
Reduces risk, aids cyber insurance, differentiates CSPs in competitive markets.

Implementation Overview

Layer on existing ISO 27001; gap analysis, policy updates, technical controls.
Applies to CSPs of all sizes; third-party audits annual, recertify every 3 years.

Key Differences

Aspect	WELL	ISO 27018
Scope	Occupant health, well-being in buildings	PII protection in public cloud processing
Industry	Real estate, all building types globally	Cloud service providers worldwide
Nature	Voluntary performance-based certification	Voluntary code of practice extension
Testing	On-site performance verification testing	ISO 27001 audits with privacy controls
Penalties	Loss of certification, no legal penalties	Loss of certification, no legal penalties

Scope

WELL

Occupant health, well-being in buildings

ISO 27018

PII protection in public cloud processing

Industry

WELL

Real estate, all building types globally

ISO 27018

Cloud service providers worldwide

Nature

WELL

Voluntary performance-based certification

ISO 27018

Voluntary code of practice extension

Testing

WELL

On-site performance verification testing

ISO 27018

ISO 27001 audits with privacy controls

Penalties

WELL

Loss of certification, no legal penalties

ISO 27018

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about WELL and ISO 27018

WELL FAQ

ISO 27018 FAQ

You Might also be Interested in These Articles...

Singapore PDPA Implementation Guide: Mastering Part 6A Breach Notification Thresholds and Timelines from Primary Statute

Master Singapore PDPA Part 6A breach notifications: statutory thresholds (risk of significant harm), 72-hour timelines, checklists, templates & frameworks. Comp

Image this: What if GDPR would have NOT been implemented by the EU

What if the EU never implemented GDPR? Explore this hypothetical: consumer data protection in Dec 2025, key differences, pros/cons for users & companies. Read t

Proving CIS Controls v8.1 Works: A KPI & Evidence Framework for Board Reporting, Audits, and Continuous Assurance

Prove CIS Controls v8.1 effectiveness with KPI catalog, evidence checklist & reporting cadence. Ideal for board reports, audits & cyber-insurance. Measure outco

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

SAFe vs Australian Privacy Act

Compare SAFe vs Australian Privacy Act: Scale agile teams with APP 11 security, NDB compliance & trust-but-verify. Boost agility in regulated IT—expert guide now.

CMMC vs HITRUST CSF

Compare CMMC vs HITRUST CSF: DoD's NIST-based tiers for DIB security vs healthcare's harmonized, certifiable controls. Uncover differences, levels & pick your compliance path now.

HIPAA vs GRI

Discover HIPAA vs GRI: Compare privacy/security rules vs sustainability standards. Unlock key insights for compliance, risk management & impact reporting. Optimize now!

WELL

ISO 27018

Quick Verdict

WELL

Key Features

ISO 27018

Key Features

Detailed Analysis

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 27018 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

Can WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

ISO 27018 FAQ

What is the primary objective of ISO 27018?

Who is legally or professionally required to comply with ISO 27018?

Does ISO 27018 require an external audit or third-party certification?

How often should an assessment for ISO 27018 be performed?

What are the consequences of non-compliance with ISO 27018?

Can ISO 27018 be mapped to other international frameworks?

What is the first step to begin implementing ISO 27018?

You Might also be Interested in These Articles...

Singapore PDPA Implementation Guide: Mastering Part 6A Breach Notification Thresholds and Timelines from Primary Statute

Image this: What if GDPR would have NOT been implemented by the EU

Proving CIS Controls v8.1 Works: A KPI & Evidence Framework for Board Reporting, Audits, and Continuous Assurance

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

SAFe vs Australian Privacy Act

CMMC vs HITRUST CSF

HIPAA vs GRI