
ISO 31000 Risk Management Framework

The complete guide to ISO 31000 — what it is, how the three pillars (principles, framework, process) work together, and how Australian organisations apply AS/NZS ISO 31000:2018 to manage risk across every domain.

What Is ISO 31000?

ISO 31000:2018 is the international standard for risk management. Published by the International Organization for Standardization (ISO), it provides principles, a framework, and a process that organisations can use to manage risk of any type — financial, operational, strategic, environmental, safety, or cyber.

Unlike standards such as ISO 27001 (information security) or ISO 9001 (quality), ISO 31000 is a guidelines standard, not a requirements standard. This means organisations cannot be "certified" against ISO 31000. Instead, it provides a best-practice framework that organisations adapt to their specific context, risk appetite, and governance structure.

The standard is deliberately generic — it applies equally to a hospital managing clinical risks, a bank managing credit risks, a government agency managing cyber risks, or a construction firm managing safety risks. This universality is its strength: ISO 31000 gives every organisation a common language and structured methodology for identifying, analysing, evaluating, and treating risk.

ISO 31000 in Australia

Australia has a long history with risk management standards. The original AS/NZS 4360 (first published in 1995) was one of the world's first national risk management standards and heavily influenced the development of ISO 31000. Today, Australia has adopted ISO 31000 as AS/NZS ISO 31000:2018 through Standards Australia.

Several Australian regulatory frameworks reference or align with ISO 31000 principles:

  • APRA CPS 220 — The Australian Prudential Regulation Authority's Risk Management standard requires APRA-regulated financial institutions to maintain a risk management framework. CPS 220 does not mandate a particular methodology; ISO 31000 is a widely used basis for meeting the requirement.
  • SOCI Act — The Security of Critical Infrastructure Act 2018 requires responsible entities for certain critical infrastructure assets to adopt and maintain a critical infrastructure risk management program. ISO 31000 can supply the overarching risk methodology for such a program, with sector- and hazard-specific requirements layered on top.
  • AS/NZS ISO 31000:2018 — The Australian/New Zealand adoption of the international standard, ensuring alignment with local regulatory expectations and terminology.
  • Public sector governance — Commonwealth and state government agencies reference ISO 31000 in their risk management policies and frameworks.

The Three Pillars of ISO 31000

ISO 31000 is structured around three interconnected components that work together to embed risk management into an organisation's governance, strategy, and operations.

Principles

The eight principles define what effective risk management looks like. They state that risk management should be:

  1. Integrated — embedded in all organisational activities, not treated as a separate function.
  2. Structured and comprehensive — following a systematic approach that produces consistent, comparable results.
  3. Customised — proportionate to the organisation's external and internal context.
  4. Inclusive — involving stakeholders at every stage to incorporate diverse knowledge and perspectives.
  5. Dynamic — responsive to changes in context, risks, and the organisation itself.
  6. Best available information — based on the best information available, while acknowledging its limitations.
  7. Human and cultural factors — recognising that people and culture significantly influence risk management at every level.
  8. Continual improvement — enhanced through learning and experience.

Framework

The framework provides the structure for integrating risk management into the organisation. Leadership and commitment sits at its centre, and the remaining components form a cycle comparable to Plan-Do-Check-Act:

  • Leadership and commitment — Top management must demonstrate commitment by integrating risk management into governance and decision-making.
  • Integration — Risk management should be part of every function and process, not a standalone activity.
  • Design — Understanding the organisation's context, defining risk criteria, and allocating resources.
  • Implementation — Putting the framework into practice through plans, timelines, and accountability structures.
  • Evaluation — Measuring the framework's effectiveness and identifying improvements.
  • Improvement — Adapting and enhancing the framework based on evaluation findings and changing circumstances.

Process

The risk management process is the operational core of ISO 31000. It consists of six steps applied iteratively:

  1. Communication and consultation — Engaging stakeholders throughout the process.
  2. Scope, context, and criteria — Defining the boundaries, internal/external factors, and risk criteria.
  3. Risk identification — Finding, recognising, and describing risks.
  4. Risk analysis — Understanding the nature, sources, and level of risk.
  5. Risk evaluation — Comparing risk analysis results against risk criteria to determine which risks need treatment.
  6. Risk treatment — Selecting and implementing options to modify risk. ISO 31000 lists options that include avoiding the activity that gives rise to the risk, removing the risk source, changing the likelihood or the consequences, sharing the risk (for example through contracts or insurance), and retaining the risk by informed decision.

Monitoring and review runs throughout the entire process, ensuring that risks and controls remain relevant as circumstances change. Recording and reporting, made an explicit element in the 2018 edition, documents the outcomes of each step so that decisions and their basis can be communicated and audited.
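The steps above are usually exercised against a risk register. The following is an added worked example, not code from the original page and not something ISO 31000 prescribes: the standard deliberately leaves scales, rating bands and appetite thresholds to the organisation, so the 5x5 likelihood and consequence scales, the rating bands, the "treat at High or above" criterion and the four sample risks below are all assumptions chosen for illustration. It carries a constructed register through analysis (rating), evaluation (comparison with criteria), treatment (recording a control and the residual estimate) and review (re-analysing a risk whose context has changed).

```python
"""Risk analysis, evaluation, treatment and review over a constructed register.

Added example, not from the original page or from ISO 31000 itself. The standard
prescribes no scales, matrix or appetite threshold; the 5x5 scales, rating bands,
threshold and sample risks below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


# Risk criteria (assumed; these are set in the "scope, context and criteria" step):
# rating bands over likelihood x consequence, and the lowest rating that sits
# outside appetite and therefore must be treated.
RATING_BANDS = ((15, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low"))
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}
TREAT_AT_OR_ABOVE = "High"


def rate(likelihood: Likelihood, consequence: Consequence) -> str:
    """Risk analysis: map a likelihood/consequence pair to a rating band."""
    score = int(likelihood) * int(consequence)
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError("score below the lowest rating band")


@dataclass
class Risk:
    id: str
    description: str
    likelihood: Likelihood       # current estimate (inherent until treated or reviewed)
    consequence: Consequence
    treatments: List[str] = field(default_factory=list)
    history: List[str] = field(default_factory=list)  # rating recorded at each reassessment

    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)


def needs_treatment(risk: Risk) -> bool:
    """Risk evaluation: compare the analysed rating with the risk criteria."""
    return RATING_ORDER[risk.rating()] >= RATING_ORDER[TREAT_AT_OR_ABOVE]


def reassess(risk: Risk, note: str, likelihood: Likelihood, consequence: Consequence) -> str:
    """Re-analyse a risk and record the result (recording and reporting)."""
    risk.likelihood, risk.consequence = likelihood, consequence
    risk.history.append(f"{note}: {risk.rating()}")
    return risk.rating()


def treat(risk: Risk, control: str, likelihood: Likelihood, consequence: Consequence) -> str:
    """Risk treatment: record the control and the analyst's residual estimate."""
    risk.treatments.append(control)
    return reassess(risk, f"treated ({control})", likelihood, consequence)


def review(risk: Risk, observation: str, likelihood: Likelihood, consequence: Consequence) -> str:
    """Monitoring and review: re-analyse when the context or the risk has changed."""
    return reassess(risk, f"reviewed ({observation})", likelihood, consequence)


def build_register() -> List[Risk]:
    """Constructed sample register for a small online business (not real data)."""
    return [
        Risk("R1", "Ransomware via phished staff credentials", Likelihood.LIKELY, Consequence.SEVERE),
        Risk("R2", "Public cloud bucket exposes customer records", Likelihood.POSSIBLE, Consequence.MAJOR),
        Risk("R3", "Sole payment-gateway supplier suffers outage", Likelihood.UNLIKELY, Consequence.MODERATE),
        Risk("R4", "Encrypted staff laptop lost in transit", Likelihood.POSSIBLE, Consequence.INSIGNIFICANT),
    ]


def run_cycle() -> Dict[str, object]:
    """One pass through the process; returns the register state at each step."""
    register = {r.id: r for r in build_register()}
    initial = {rid: r.rating() for rid, r in register.items()}
    to_treat = [rid for rid, r in register.items() if needs_treatment(r)]

    # Treat the out-of-appetite risks. Residual estimates are assumptions.
    treat(register["R1"], "phishing-resistant MFA plus tested offline backups",
          Likelihood.UNLIKELY, Consequence.MAJOR)
    treat(register["R2"], "account-level block on public access plus CSPM alerting",
          Likelihood.RARE, Consequence.MAJOR)

    # Review: an outage trend raises R3's likelihood, pushing it outside appetite.
    review(register["R3"], "three supplier outages this quarter",
           Likelihood.LIKELY, Consequence.MODERATE)

    after = {rid: r.rating() for rid, r in register.items()}
    still_open = [rid for rid, r in register.items() if needs_treatment(r)]
    return {"initial": initial, "to_treat": to_treat, "after": after, "open": still_open}


if __name__ == "__main__":
    for step, value in run_cycle().items():
        print(f"{step}: {value}")
```

The point the example makes is the one the text makes in prose: evaluation is a comparison against criteria fixed in advance, treatment changes the estimate rather than removing the entry, and a risk that was within appetite at the last pass (R3) can move outside it on review without anything in the register having been "wrong" before.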

ISO 31000 vs Other Standards

Understanding where ISO 31000 fits relative to other risk and security frameworks helps you choose the right combination for your organisation.

  • ISO 31000 — Scope: all risk types. Certifiable: no (guidelines standard). The reference point for the entries below.
  • ISO 27001 — Scope: information security management. Certifiable: yes. Aligns its risk assessment requirements with ISO 31000.
  • COSO ERM — Scope: enterprise risk. Certifiable: no (framework). Complementary: COSO emphasises governance integration, ISO 31000 the risk management process.
  • AS/NZS 4360 — Scope: risk management. Status: superseded. Predecessor to ISO 31000, replaced by AS/NZS ISO 31000:2018.

Many Australian organisations use ISO 31000 as their enterprise risk framework and ISO 27001 as the management system for information security within it. The two standards complement each other — ISO 31000 provides the risk methodology, and ISO 27001 provides the controls and certification pathway.

ISO 31000 Professional Development

While organisations cannot certify against ISO 31000, individuals can earn the PECB Certified ISO 31000 Risk Manager credential ($599 AUD). This self-paced eLearning course covers the complete framework and includes the PECB exam voucher.

The credential validates your ability to apply ISO 31000 principles, design risk frameworks, and facilitate risk assessments — skills valued across government, finance, healthcare, critical infrastructure, and consulting.

Resources

Continue building your risk management knowledge:

  • PECB ISO 31000 Risk Manager — Self-paced eLearning with exam voucher ($599 AUD).
  • ControlStack — Browse ISO 27001, Essential Eight, and ISM controls alongside risk management guidance.
  • ISO 27001 Certification Guide — Understand the information security management system that uses ISO 31000 risk methodology.
  • Free resources — Download templates, checklists, and implementation guides.
  • All courses — Browse the full catalogue of PECB eLearning and live training options.

Frequently Asked Questions

Common questions about ISO 31000 and risk management.

Is ISO 31000 a certifiable standard?

No — ISO 31000 provides guidelines, not requirements, so organisations cannot be certified against it. However, individuals can earn professional certifications such as the PECB Certified ISO 31000 Risk Manager credential, which validates your ability to apply the framework in practice.

What is the difference between ISO 31000 and ISO 27001?

ISO 31000 is a general risk management framework applicable to any type of risk (financial, operational, strategic, safety, cyber). ISO 27001 is a certifiable standard specifically for Information Security Management Systems (ISMS). ISO 27001 states that its risk assessment requirements align with ISO 31000, and ISO 27005 gives the detailed information-security risk guidance; the two standards are complementary, not competing.

Which version of ISO 31000 is current?

The current version is ISO 31000:2018, which replaced ISO 31000:2009. In Australia, it is adopted as AS/NZS ISO 31000:2018. The 2018 revision simplified the principles, strengthened the emphasis on leadership and integration, and clarified the relationship between the framework and the risk management process.

Does ISO 31000 apply to cyber security?

Yes. ISO 31000 provides a general risk management methodology within which cyber security frameworks can sit. ISO 27001 explicitly aligns its risk assessment requirements with ISO 31000. The ASD Information Security Manual and NIST CSF carry their own risk management guidance (the ISM's draws on NIST SP 800-37) but are compatible with an ISO 31000-based enterprise approach. Many Australian organisations use ISO 31000 as the enterprise risk framework and ISO 27001 as the information security management system within it.

How long does it take to learn ISO 31000?

The PECB ISO 31000 Risk Manager eLearning takes approximately 20–30 hours of self-paced study. It covers the complete framework — principles, framework design, and the risk management process — and includes the certification exam voucher.

Ready to build your risk framework?

Whether you are establishing an enterprise risk function or strengthening your team's risk management capability, we can help. Explore our PECB-accredited training or get in touch for guidance.