What is the primary objective of **WELL**?

**The primary objective of WELL is to design, operate, and verify buildings that advance human health and well-being through evidence-based performance outcomes.** Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across **10 concepts**—**Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community**—plus **Innovation**. It mandates **24 Preconditions** (pass/fail minimums) and enables points from **102 Optimizations** for certification tiers: **Bronze (40 points)**, **Silver (50 points, min 1 per concept)**, **Gold (60 points, min 2 per concept)**, **Platinum (80 points, min 3 per concept)**. Unlike sustainability standards, WELL prioritizes occupant metrics like **CO₂ ≤900 ppm** via on-site verification.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification to demonstrate occupant health performance.** It applies to building owners, developers, and operators of new/existing buildings via pathways like **WELL Certification** (owner-controlled), **WELL Core** (base buildings leasing ≥75% to tenants), and **WELL for Residential**. Corporate real estate executives, facilities managers, and ESG leaders adopt it for tenant demands, productivity gains, and ESG reporting across offices, hospitality, education, and healthcare.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents.** PV tests air (e.g., **CO₂, PM2.5**), water, light, sound, and thermal comfort at ≥50% occupancy. Two review rounds (preliminary/final) occur via IWBI's platform, with certification awarded post-verification. Pre-testing is recommended to de-risk failures.

How often should an assessment for **WELL** be performed?

**WELL requires recertification every three years, with annual reporting for monitored features like air quality.** Ongoing continuous monitoring (e.g., **CO₂ sensors recalibrated annually**) supports compliance. Performance verification occurs once per cycle; addenda updates may trigger reassessments.

What are the consequences of non-compliance with **WELL**?

**Non-compliance results in certification denial, additional curative review fees, and delayed timelines.** Failed Preconditions block all tiers; PV failures require remediation or appeals. No statutory fines exist, but reputational/operational risks include lost ESG credibility, tenant churn, and unrealized productivity gains.

Can **WELL** be mapped to other international frameworks?

**Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED.** This streamlines dual certification by aligning evidence (e.g., air filtration, materials), reducing duplication for portfolios pursuing integrated ESG outcomes.

What is the first step to begin implementing **WELL**?

**The first step is project enrollment in IWBI's digital platform and scorecard development targeting Preconditions and certification tier.** Conduct a gap analysis/pre-testing for high-risk features (e.g., Air near highways, Water in legacy pipes) with cross-functional teams (facilities, HR, design).

What is the primary objective of **SAMA CSF**?

**SAMA CSF's primary objective is to create a common approach for addressing cybersecurity across Member Organizations, achieve an appropriate maturity level of cybersecurity controls, and ensure cybersecurity risks are properly managed.** Version 1.0 (May 2017) prescribes principles, objectives, and control considerations across four domains—Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, and Third Party Cyber Security—using a six-level maturity model targeting at least Level 3 (Structured and formalized).

Who is legally or professionally required to comply with **SAMA CSF**?

**SAMA CSF is mandatory for all SAMA-regulated financial institutions, including banks, insurance and reinsurance companies, financing companies, credit bureaus, and financial market infrastructure providers operating in Saudi Arabia.** All domains apply fully to banks; non-banks may exclude certain subdomains (e.g., payment systems unless handling cardholder data or SWIFT). Boards, senior management, CISOs, and third-party providers must ensure alignment.

Does **SAMA CSF** require an external audit or third-party certification?

**SAMA CSF does not require external third-party certification but mandates periodic self-assessments using SAMA-provided questionnaires and independent internal audits.** SAMA conducts supervisory reviews and audits; internal audits follow accepted standards, with evidence from policies, KRIs, and control testing. External auditors may assist, but compliance is verified directly by SAMA.

How often should an assessment for **SAMA CSF** be performed?

**SAMA CSF requires periodic self-assessments using SAMA questionnaires, with annual reviews of critical information assets and penetration testing for customer-facing services.** Maturity levels are evaluated ongoing via KPIs (Level 3) and KRIs (Level 4+); full self-assessments support SAMA reviews, alongside routine internal audits and post-incident evaluations for continuous improvement.

What are the consequences of non-compliance with **SAMA CSF**?

**Non-compliance with SAMA CSF triggers regulatory enforcement, including supervisory actions, remediation demands, heightened scrutiny, audit findings, and potential operational restrictions.** As a mandated framework, violations fall under SAMA's broader supervisory powers; weak maturity below Level 3 risks formal interventions, reputational damage, and systemic impacts without specified fines in the CSF document.

Can **SAMA CSF** be mapped to other international frameworks?

**Yes, SAMA CSF aligns conceptually with international frameworks such as NIST CSF, ISO 27001, PCI-DSS, and BASEL, enabling control mappings for integrated compliance.** Its principle-based structure and maturity model map to NIST functions (Identify-Protect-Detect-Respond-Recover) and ISO 27001's ISMS; regulated entities leverage these for efficiency while meeting SAMA-specific requirements like payment systems and data residency.

What is the first step to begin implementing **SAMA CSF**?

**The first step to implement SAMA CSF is to secure Board and Senior Management sponsorship, establish a project charter, and conduct a control-level gap analysis against the framework's maturity model.** Inventory applicable domains/subdomains, perform initial maturity assessment (targeting Level 3 baseline), and produce a gap register to inform the phased roadmap.

WELL vs SAMA CSF

Standards Comparison

WELL

Voluntary

2014

Certification standard for occupant health in buildings

SAMA CSF

Mandatory

2017

Saudi framework for financial cybersecurity compliance

Quick Verdict

WELL advances building health via 10 concepts and on-site verification for global organizations seeking wellness certification. SAMA CSF mandates cybersecurity maturity for Saudi financial firms through governance and audits. Companies adopt WELL for ESG/occupant benefits; SAMA CSF for regulatory compliance.

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core concepts with Preconditions and Optimizations
Point-based certification tiers Bronze to Platinum
Continuous monitoring pathways for compliance
People-first health outcomes beyond sustainability

Cybersecurity

SAMA CSF

SAMA Cyber Security Framework Version 1.0

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Six-level maturity model with Level 3 baseline
Four core domains covering governance to third-parties
Principle-based risk management approach
Board-level accountability and CISO requirements
Detailed controls for IAM, incident response, payments

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

WELL Details

What It Is

WELL Building Standard v2 is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its concept-based approach organizes requirements into mandatory Preconditions and optional point-earning Optimizations.

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions and 102 Optimizations totaling up to 110 points.
Built on public health research; certification via Bronze (40 pts), Silver (50), Gold (60), Platinum (80) with concept minimums.

Why Organizations Use It

Drives occupant productivity, reduces absenteeism, enhances ESG reporting, and boosts rents/asset value. Voluntary but complements LEED; manages health risks, builds tenant trust.

Implementation Overview

Phased: gap analysis, scorecard, documentation, on-site verification, recertification every 3 years. Applies to new/existing buildings across industries; requires third-party testing and cross-functional teams.

SAMA CSF Details

What It Is

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. It provides a principle-based, risk-oriented blueprint to govern cybersecurity, focusing on detecting, resisting, responding to, and recovering from threats across information assets.

Key Components

Four principal **domainsLeadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Security.
Numerous subdomains with principles, objectives, and control considerations.
Six-level maturity model (Level 3 baseline: structured policies, standards, procedures monitored by KPIs).
Aligned with NIST, ISO 27001; enforced via self-assessments and SAMA audits.

Why Organizations Use It

Mandatory compliance for banks, insurers, etc., avoiding penalties and scrutiny.
Enhances resilience, reduces incidents, improves efficiency.
Builds trust, enables partnerships, supports Vision 2030 digital growth.

Implementation Overview

Phased: gap analysis, risk assessment, control deployment, monitoring.
Targets financial sector in Saudi Arabia; scalable by entity size.
Requires self-assessments; no external certification but SAMA reviews.

Key Differences

Aspect	WELL	SAMA CSF
Scope	10 concepts: Air, Water, health, well-being	4 domains: Governance, risk, operations, third-party
Industry	All buildings globally, any sector	Saudi financial institutions only
Nature	Voluntary performance certification	Mandatory regulatory framework
Testing	On-site performance verification, continuous monitoring	Self-assessments, SAMA audits, maturity reviews
Penalties	Loss of certification, no legal penalties	Fines, license suspension, enforcement actions

Scope

WELL

10 concepts: Air, Water, health, well-being

SAMA CSF

4 domains: Governance, risk, operations, third-party

Industry

WELL

All buildings globally, any sector

SAMA CSF

Saudi financial institutions only

Nature

WELL

Voluntary performance certification

SAMA CSF

Mandatory regulatory framework

Testing

WELL

On-site performance verification, continuous monitoring

SAMA CSF

Self-assessments, SAMA audits, maturity reviews

Penalties

WELL

Loss of certification, no legal penalties

SAMA CSF

Fines, license suspension, enforcement actions

Frequently Asked Questions

Common questions about WELL and SAMA CSF

WELL FAQ

SAMA CSF FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Deep Dive: Mastering the Updated Framework Core Functions

Unpack NIST CSF 2.0's enhanced Core Functions: Govern, Identify, Protect, Detect, Respond, Recover. Get SME playbooks, governance shifts & strategies for cyber

Your Compliance Command Center: How Modern Tools Orchestrate Cross-Departmental Adherence

Unlock your compliance command center with modern tools for real-time monitoring, automation & integrations across IT, HR, Legal & Finance. Slash non-compliance

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Discover top 10 reasons CMMC Level 3 certification unlocks competitive edge for DoD primes. Reduced APT risks, procurement prefs, NIST 800-172 compliance via v2

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 50001 vs Australian Privacy Act

Compare ISO 50001 vs Australian Privacy Act: Unlock insights on energy management systems and data privacy standards. Key differences, compliance strategies, and business benefits await. Explore now!

AS9120B vs ISO 56002

Discover AS9120B vs ISO 56002: Aerospace distributor QMS meets innovation guidance. Unlock differences in traceability, risk, leadership for compliance & growth. Compare now!

OSHA vs CCPA

Compare OSHA safety standards vs CCPA privacy laws: Key differences, compliance tips, penalties & strategies. Safeguard your workplace & data—expert guide inside!

WELL

SAMA CSF

Quick Verdict

WELL

Key Features

SAMA CSF

Key Features

Detailed Analysis

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

SAMA CSF Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

Can WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

SAMA CSF FAQ

What is the primary objective of SAMA CSF?

Who is legally or professionally required to comply with SAMA CSF?

Does SAMA CSF require an external audit or third-party certification?

How often should an assessment for SAMA CSF be performed?

What are the consequences of non-compliance with SAMA CSF?

Can SAMA CSF be mapped to other international frameworks?

What is the first step to begin implementing SAMA CSF?

You Might also be Interested in These Articles...

NIST CSF 2.0 Deep Dive: Mastering the Updated Framework Core Functions

Your Compliance Command Center: How Modern Tools Orchestrate Cross-Departmental Adherence

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 50001 vs Australian Privacy Act

AS9120B vs ISO 56002

OSHA vs CCPA