ISO 31000: A Practical Guide to Enterprise Risk Management
Everything you need to know about the ISO 31000 framework and how to prepare for the certification exam.
Quick answer: what is ISO 31000 and who should get certified?
ISO 31000:2018 is the international standard for enterprise risk management. Unlike COSO ERM, it is non-prescriptive: it provides principles, a framework, and a process that adapt to any organization, regardless of size, sector, or geography. Note that ISO 31000 is a guidance standard, not a management system standard like ISO 27001, so organizations cannot be certified against it; the certifications discussed in this guide are personal credentials issued by training and certification bodies, and they validate your ability to design, implement, and assess a risk management program aligned with the standard.
You should pursue ISO 31000 certification if you operate in Europe, the Middle East, Asia-Pacific, or any multinational context where ISO standards are the regulatory reference, or if you work in industries (insurance, energy, financial services, government, manufacturing) where ISO frameworks dominate.
The rest of this guide covers the standard's structure, the certification path, what the exam tests, and how ISO 31000 compares to COSO ERM — the other major framework you'll see in practice.
A short history
ISO 31000 was first published in 2009 as a deliberate response to the fragmentation of risk management standards across countries and industries. Before 2009, organizations operating in multiple jurisdictions had to navigate AS/NZS 4360 (Australia/New Zealand), CAN/CSA-Q850 (Canada), JIS Q 2001 (Japan), and various sector-specific frameworks — often with conflicting terminology.
The 2009 version brought a common vocabulary and structure. The 2018 revision simplified it further:
- Clearer principles (reduced from 11 to 8)
- Stronger emphasis on leadership and commitment
- Better integration with strategic planning
- Reduced overlap with ISO 9001 (quality) and ISO 27001 (information security)
The 2018 version is the current standard and the basis for all certification exams in 2026.
The three pillars of ISO 31000:2018
ISO 31000 is built on three integrated components. Get these right and you understand the standard.
1. The 8 Principles
The principles describe what effective risk management looks like. They are the lens through which auditors and external assessors evaluate a program.
| # | Principle | What it means in practice |
|---|---|---|
| 1 | Integrated | Risk management is part of all organizational activities, not a separate function |
| 2 | Structured and comprehensive | Consistent approach across the organization |
| 3 | Customized | Tailored to organizational context and objectives |
| 4 | Inclusive | Stakeholders' knowledge, views, and perceptions are considered |
| 5 | Dynamic | Anticipates, detects, acknowledges, and responds to changes |
| 6 | Best available information | Decisions use current, clear, and timely information |
| 7 | Human and cultural factors | Behavior and culture significantly influence risk management |
| 8 | Continual improvement | Improved through learning and experience |
These are the principles you'll be tested on. Memorize them in order — the exam often asks you to identify which principle is being violated or applied in a scenario.
2. The Framework
The framework is the organizational scaffolding that lets the principles be operationalized. It follows a leadership-driven cycle:
- Leadership and commitment — top management endorses and resources the framework
- Integration — the framework attaches to existing governance structures
- Design — context, stakeholders, scope, resources, communication
- Implementation — the framework goes live, with clear roles
- Evaluation — periodic measurement against objectives
- Improvement — continuous adjustment
The framework is iterative, not linear. You don't finish "design" and move on to "implementation"; the two interact continuously.
3. The Process
The process is what risk managers and auditors actually execute. It has six elements, three of which run continuously alongside the others rather than as discrete steps:
1. Communication and consultation (continuous)
2. Scope, context, and criteria: define what risk we're managing and against what criteria it will be judged
3. Risk assessment, in three sub-steps:
   - Risk identification: find, recognize, and describe the risks
   - Risk analysis: understand their sources, likelihood, and consequences, qualitatively or quantitatively
   - Risk evaluation: compare the analysis results with the risk criteria to decide which risks need action
4. Risk treatment: select and implement options. ISO 31000 lists avoiding the activity, taking or increasing the risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk, and retaining it by informed decision; "avoid, transfer, mitigate, accept" is the common shorthand
5. Monitoring and review (continuous)
6. Recording and reporting (continuous)
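To make the assessment and treatment steps concrete, here is an added worked example (not text or code from ISO 31000, PECB, or any other body named on this page) that carries two register entries through analysis, evaluation, and treatment selection. The 5x5 matrix bands, the risk appetite threshold, the register entries, and the control cost figures are all constructed sample values; ISO 31000 deliberately leaves those choices to the organization. It also shows the frequency-versus-probability distinction mentioned later in the study plan: an event rate of 2 per year is not a "200% likelihood", and under a Poisson model the probability of at least one event in the year is 1 - exp(-rate).

```python
"""
Worked ISO 31000-style risk assessment: analysis -> evaluation -> treatment.

Added illustration, not text from ISO 31000 itself. Matrix bands, appetite,
register entries and control figures are constructed sample values.
"""
from dataclasses import dataclass
import math
import random

# Scope, context and criteria: risk criteria are the organization's choice.
# Constructed example: expected annual loss per risk the board will tolerate.
RISK_APPETITE_ALE = 100_000.0


@dataclass
class Risk:
    """One risk register entry (identification step). Sample fields, not a standard schema."""
    name: str
    likelihood_band: int        # qualitative 1..5
    impact_band: int            # qualitative 1..5
    frequency_per_year: float   # expected event *frequency* (a rate), not a probability
    loss_low: float             # triangular loss-per-event distribution
    loss_mode: float
    loss_high: float


def qualitative_score(likelihood_band: int, impact_band: int) -> tuple[int, str]:
    """Risk analysis, qualitative: 5x5 heat-map score. Band cut-offs are constructed."""
    if not (1 <= likelihood_band <= 5 and 1 <= impact_band <= 5):
        raise ValueError("bands must be 1..5")
    score = likelihood_band * impact_band
    rating = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return score, rating


def probability_of_at_least_one(frequency_per_year: float) -> float:
    """Frequency vs probability: P(>=1 event in a year) under a Poisson model."""
    return 1.0 - math.exp(-frequency_per_year)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (the stdlib random module has no poisson())."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def monte_carlo_ale(risk: Risk, iterations: int = 20_000, seed: int = 31000) -> dict:
    """Risk analysis, quantitative: simulate annual loss as a Poisson number of
    events, each with a triangular loss. Returns mean ALE and the 95th percentile
    (a 'bad year'). Fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        n_events = _poisson(rng, risk.frequency_per_year)
        annual_losses.append(sum(
            rng.triangular(risk.loss_low, risk.loss_high, risk.loss_mode)
            for _ in range(n_events)))
    annual_losses.sort()
    return {"mean_ale": sum(annual_losses) / iterations,
            "p95": annual_losses[int(0.95 * iterations)]}


def evaluate_and_treat(risk: Risk, control_cost: float, residual_fraction: float) -> dict:
    """Risk evaluation against the appetite, then a treatment decision.
    control_cost / residual_fraction describe one candidate control (constructed
    inputs); residual_fraction is the share of expected loss left after the control."""
    quant = monte_carlo_ale(risk)
    ale = quant["mean_ale"]
    within = ale <= RISK_APPETITE_ALE
    if within:
        treatment = "retain"            # retain by informed decision
    else:
        saving = ale * (1 - residual_fraction)
        # Change likelihood/consequences only if the control removes more expected
        # loss than it costs; otherwise share the risk or escalate for sign-off.
        treatment = "modify" if saving > control_cost else "share_or_escalate"
    return {"risk": risk.name, "mean_ale": round(ale), "p95": round(quant["p95"]),
            "within_appetite": within, "treatment": treatment}


# Constructed register entries for the demonstration.
ACCOUNT_TAKEOVER = Risk("phishing-driven account takeover", likelihood_band=4, impact_band=5,
                        frequency_per_year=2.0, loss_low=10_000, loss_mode=50_000, loss_high=200_000)
LAPTOP_LOSS = Risk("lost unencrypted laptop", likelihood_band=3, impact_band=2,
                   frequency_per_year=0.5, loss_low=2_000, loss_mode=5_000, loss_high=20_000)

if __name__ == "__main__":
    print(qualitative_score(ACCOUNT_TAKEOVER.likelihood_band, ACCOUNT_TAKEOVER.impact_band))
    print(f"P(>=1 takeover/yr at rate 2.0) = {probability_of_at_least_one(2.0):.3f}")
    print(evaluate_and_treat(ACCOUNT_TAKEOVER, control_cost=60_000, residual_fraction=0.3))
    print(evaluate_and_treat(LAPTOP_LOSS, control_cost=15_000, residual_fraction=0.1))
```

The analytical check for the first entry is rate x mean loss = 2.0 x (10k + 50k + 200k)/3, roughly 173k per year, which sits well above the constructed 100k appetite, so the candidate control at 60k removing 70% of expected loss is worth buying. The laptop entry lands near 4.5k and is retained. Swapping the matrix bands, appetite, or distributions for your own context is exactly the customization the standard expects.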
ISO 31000 vs COSO ERM: how they differ
These are the two dominant enterprise risk frameworks. They overlap but aren't interchangeable. We cover this in depth in our COSO ERM vs ISO 31000 framework comparison, but here's the short version:
| Dimension | ISO 31000 | COSO ERM (2017) |
|---|---|---|
| Origin | International Organization for Standardization | Committee of Sponsoring Organizations (US) |
| Style | Principles-based | Components and principles |
| Personal certification? | Yes (via PECB, EXIN, others); organizations themselves are not certified against ISO 31000 | Generally no (no formal certification) |
| Strategic emphasis | Strong, in 2018 update | Very strong — strategy-and-performance focus |
| Geographic preference | EU, UK, APAC, Middle East | North America |
| Industry preference | Insurance, energy, government | Banking, public companies, US financial services |
| Length | ~16 pages (compact) | ~200 pages (detailed) |
| Update cadence | ~10 years | 5–10 years |
The shorthand: ISO 31000 is for organizations that want flexibility and global recognition; COSO ERM is for organizations that want detailed, North-America-aligned guidance.
The ISO 31000 certification path
There are multiple bodies that issue ISO 31000 certifications. The most recognized are PECB (Canada-based, global reach), EXIN (Netherlands-based, EU-strong), and CQI/IRCA (UK-based, audit-focused).
Available certifications
| Cert | Level | Who it's for | Exam length |
|---|---|---|---|
| ISO 31000 Foundation | Entry | Anyone wanting baseline knowledge | 1 hour, 40 MCQs |
| ISO 31000 Risk Manager | Intermediate | Practitioners implementing the standard | 3 hours, scenario-based |
| ISO 31000 Lead Risk Manager | Advanced | Program leads, consultants | 3 hours, scenario + essay |
| ISO 31000 Lead Auditor | Advanced | External auditors of risk programs | 3 hours, scenario + audit case |
For most GRC professionals, Lead Risk Manager (or PECB equivalent) is the target. It demonstrates ability to implement and operate a program — not just understand it.
What the Lead Risk Manager exam tests
Approximate domain weights (PECB version, 2026):
| Domain | Weight |
|---|---|
| Fundamental concepts and principles | 15% |
| Risk management framework | 20% |
| Risk assessment | 25% |
| Risk treatment | 15% |
| Monitoring, review, and continuous improvement | 15% |
| Recording, reporting, and communication | 10% |
Note that risk assessment + risk treatment together = 40% of the exam. That's where to concentrate your preparation.
Study strategy that works
A realistic plan for the Lead Risk Manager exam:
Weeks 1–2 (15 hours): Read ISO 31000:2018 cover to cover (it's short). Build flashcards for the 8 principles and the framework components.
Weeks 3–4 (20 hours): Risk assessment deep dive. Practice qualitative and quantitative methods. Memorize the difference between likelihood, probability, and frequency — exam writers love this distinction.
Weeks 5–6 (15 hours): Risk treatment options and decision criteria. Scenario practice.
Weeks 7–8 (15 hours): Monitoring, review, communication, recording. Mock exams.
Total: ~65 hours over 8 weeks at 8 hours/week.
Regional relevance in 2026
ISO 31000 has become the de facto global standard for organizations that are not US-anchored. Specific 2026 drivers:
- EU CSDDD (Corporate Sustainability Due Diligence Directive) — explicit alignment with ISO 31000 principles for due diligence on human rights and environmental impact.
- APAC supervisory expectations — Singapore MAS, Hong Kong HKMA, and Japan FSA reference ISO 31000 vocabulary in recent risk-governance guidance.
- ISO 27005:2022 (information security risk) — built directly on the ISO 31000 process; learning one substantially accelerates the other.
- DORA (EU Digital Operational Resilience Act) — financial entities are expected to map their operational risk frameworks against ISO 31000 vocabulary.
If you operate in the EU, UK, Middle East, or APAC, ISO 31000 is now table stakes for senior risk roles.
Where ISO 31000 ends — and where you have to do more
ISO 31000 is deliberately non-prescriptive. That's a feature, not a bug, but it has consequences. The standard does not tell you:
- How to score risks (it offers options; you pick)
- What risk treatments are appropriate for which risks (judgment)
- What KRIs to track (industry-dependent)
- How to govern risk appetite at board level (organizational design choice)
These gaps mean ISO 31000 certification proves you understand the grammar of risk management. Operating a real program requires you to combine ISO 31000 with domain-specific frameworks (ISO 22301 for business continuity, ISO 27001 for infosec, Basel III for banking, Solvency II for insurance) and your organization's own context.
Frequently asked questions
Is ISO 31000 better than COSO ERM?
Neither is universally better. ISO 31000 wins on flexibility, global recognition, and compactness. COSO ERM wins on detail, strategic emphasis, and North American regulatory alignment. Many global organizations use both — ISO 31000 as the operating framework, COSO as the strategic overlay. See our COSO vs ISO 31000 comparison for the detailed argument.
Can I be certified without a degree?
Yes. Unlike CIA or CISA, which impose education or verified work-experience requirements, ISO 31000 certification has no formal education prerequisite. The certifying bodies expect practical experience but don't audit it.
How long is the certification valid?
PECB certifications are valid for 3 years, renewable through CPE credits (usually 100 hours over the period). Other issuers vary; check the specific certification body.
Is ISO 31000 useful for cybersecurity professionals?
Yes, especially in tandem with ISO 27005. The risk management process in ISO 31000 is the parent of ISO 27005's information security risk process. Holding both is common for senior cyber risk leads in EU/APAC.
What's the difference between ISO 31000 and ISO 31010?
ISO 31000 is the standard for risk management. IEC 31010 (formerly ISO/IEC 31010) is the companion document cataloguing risk assessment techniques (around 40 in the 2019 edition: bow-tie, FMEA, Monte Carlo, etc.). IEC 31010 is referenced but not itself certifiable.
Is the ISO 31000 exam multiple-choice or essay?
Foundation is multiple-choice. Risk Manager and Lead Risk Manager are scenario-based with short answers and (at Lead level) essay elements. The Lead exam is significantly harder than Foundation.
Verdict
ISO 31000 is the standard you want if you operate internationally, work in non-US-anchored industries, or your organization has already chosen ISO as its standards family (27001, 22301, 9001, etc.).
For US-listed public companies in banking and financial services, COSO ERM is more often the reference. Many practitioners hold both: ISO 31000 for the operating framework, COSO for the audit committee conversation.
If you're early in your risk management career and based outside North America, ISO 31000 Lead Risk Manager is one of the highest-ROI certifications you can pursue — globally recognized, modest study time, and increasingly tied to regulatory expectations.
