ISO 31000 risk management framework

A practical, plain-English guide to implementing ISO 31000:2018 — the international standard for enterprise risk management — without enterprise GRC bloat.

What ISO 31000 actually is

ISO 31000:2018 is the international standard for risk management. Unlike ISO 27001 or 9001, it is not certifiable — there is no auditor stamp at the end. It is a set of principles, a framework, and a process that any organisation, of any size, in any sector, can adopt to make risk decisions consistently.

Most teams encounter ISO 31000 because another standard points to it. ISO 27001, 9001, 42001 and 20000-1 all expect a defined risk method, and ISO 31000 is the most widely accepted house methodology.

The three pillars: principles, framework, process

ISO 31000 is structured around three connected ideas. Auditors and assessors look for evidence of all three when they review your risk programme.

  • Principles — risk management is integrated, structured, customised, inclusive, dynamic, evidence-based and continually improving.
  • Framework — leadership commitment, integration into governance, design, implementation, evaluation and improvement of the programme.
  • Process — communication and consultation, scope and context, risk assessment (identification, analysis, evaluation), risk treatment, monitoring, recording and reporting.

The risk management process, step by step

Step 1

Establish scope, context and criteria

Define what the programme covers, who owns it, and what makes a risk acceptable vs. unacceptable. Your risk criteria — appetite, tolerance, scoring scale — must be written down before you start scoring, or the results will not be comparable.

Step 2

Identify risks

Capture sources, events, causes and consequences. Use workshops, threat catalogues, loss data and incident history. Aim for completeness over precision at this stage.

Step 3

Analyse and evaluate

Score each risk for likelihood and impact (a 5×5 matrix is standard). Compare the result to your criteria to decide whether it needs treatment, monitoring or formal acceptance.

Step 4

Treat the risk

Pick one: avoid, reduce, share (insurance, contracts) or retain. Document the rationale — the justification is your evidence.

Step 5

Monitor, record, report

Risks change. Review at planned intervals and on significant change. Keep an audit trail of decisions, owners and dates — this is what reviewers check first.

Stop fighting the spreadsheet

An ISO 31000 programme is straightforward on paper and painful in Excel. Linking risks to controls, tracking owner sign-off and surfacing what changed since last quarter is where most teams stall.

ISO-STANDARD.app ships a ready-to-adopt ISO 31000 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

Is ISO 31000 certifiable?

No. ISO 31000 is a guidance standard, not a certifiable management system. You adopt its framework and process to demonstrate sound risk practice, often as the underpinning method for an ISO 27001, 9001 or 42001 certification.

How does ISO 31000 differ from ISO 27005?

ISO 31000 is the generic enterprise risk standard. ISO 27005 applies the same principles specifically to information security risk within an ISO 27001 ISMS. Use 31000 as your house methodology and 27005 as the lens for InfoSec risks.

What scoring model does ISO 31000 prescribe?

None. The standard requires a defined, repeatable methodology but leaves the scale to you. A 5×5 likelihood × impact matrix is the most widely adopted because it balances granularity with usability.

How often should risks be reviewed?

Continuously for new and emerging risks, quarterly for review of existing risks, and a full re-assessment annually or on significant change (new product, supplier, regulation, incident).