ISO 31000
Enterprise risk management on one operating record

ISO 31000:2018 (Risk management: Guidelines) is the international standard for enterprise risk management. It is not a certifiable standard, and it does not prescribe a quantification method. Instead, it sets the principles, the framework, and the process every mature enterprise risk programme reads against, and it is the umbrella that ISO 27005, NIST SP 800-30, COSO ERM, NIST AI RMF, and FAIR all reference. This page covers the eight ISO 31000 principles, the seven framework components, the six process steps, the named artefacts, how ISO 31000 sits next to ISO 27005, NIST 800-30, COSO ERM, and FAIR, and how to run an ISO 31000 risk programme on the same operating record the rest of the security programme produces.

ISO 31000:2018 explained

ISO 31000:2018 (Risk management: Guidelines) is the international standard for enterprise risk management. It is published by the International Organization for Standardization, accompanied by ISO Guide 73 (the vocabulary) and ISO/IEC 31010 (the risk assessment techniques catalogue). ISO 31000 is the framework every mature enterprise risk programme reads against, and it is the umbrella that ISO 27005, NIST SP 800-30, COSO ERM, NIST AI RMF, FAIR, and the regulatory enterprise risk frameworks all reference. Importantly, ISO 31000 is not certifiable. There is no ISO 31000 certificate; the standard supplies the discipline that informs the certifiable management system standards (ISO 27001, ISO 9001, ISO 14001, ISO 22301, ISO 45001).

For CISOs, GRC owners, enterprise risk management teams, vulnerability management teams, AppSec teams, and the audit committee reading the output, ISO 31000 is the process vocabulary that holds the security risk programme together. It is the umbrella under which the COSO ERM portfolio view, the FAIR quantitative analyses, and the parallel framework reads (ISO 27001, NIST CSF 2.0, NIST SP 800-37, DORA, NIS2) are consumed into a single risk vocabulary. Programmes already running the cyber risk quantification programme or the security risk assessment process typically operationalise ISO 31000 implicitly; this page names the explicit components and the evidence the framework expects.

The eight ISO 31000 principles

ISO 31000:2018 condensed eleven principles from the 2009 revision into eight principles centred on a value-creation purpose. The principles are not aspirational; they are the audit criteria the framework reads against. A programme that fails one principle materially typically fails the audit, regardless of how robust the register-side documentation looks.

Integrated

Risk management is an integral part of all organisational activities. ISO 31000 explicitly rejects risk management as a side function. The standard reads against the operating decisions the organisation makes, not against a parallel register that drifts from the live state. Programmes that hold the risk record outside the operating record fail this principle the first time the audit committee asks for the linkage between the risk treatment commitment and the operational evidence.

Structured and comprehensive

A structured, systematic, and comprehensive approach contributes to consistent and comparable results. The discipline is the same process applied to every risk in scope with the same artefacts produced per cycle. ISO 31000 does not prescribe the depth, but it requires the consistency so the per-cycle comparison and the per-business-unit reconciliation are possible without rebuilding the analysis.

Customised

The framework and process are customised to the organisation and to its external and internal context. ISO 31000 is a guideline, not a checklist. The scope, the depth, the cadence, and the integration points are sized to the organisation, the sector, and the regulatory context. Programmes that copy a generic ISO 31000 implementation without customising it produce a process that no internal stakeholder reads against.

Inclusive

Appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered. The risk assessment is incomplete if the operating teams, the legal function, the finance function, the customer-facing functions, and the regulator-facing functions have not contributed. ISO 31000 audits read against the stakeholder engagement record, not just the analyst output.

Dynamic

Risks emerge, change, and disappear as context changes. ISO 31000 explicitly requires the framework to anticipate, detect, acknowledge, and respond to changes and events in an appropriate and timely manner. A static risk register reviewed annually fails the dynamic principle. The framework reads against the operating telemetry per cycle with the per-event re-assessment trigger named in the process.

Best available information

The framework uses historical and current information as well as future expectations. The discipline is to source inputs from the places the organisation already produces them: incident history, finance records, scanner evidence, finding remediation history, exception register entries, audit findings, regulatory correspondence. Programmes that source from assumptions rather than from the operating record produce risk assessments that collapse under scrutiny.

Human and cultural factors

Human behaviour and culture significantly influence all aspects of risk management. The principle reads against the risk-aware culture the organisation develops, the training record, the incentive alignment, and the consequence management for risk-relevant decisions. ISO 31000 audit evidence covers the cultural reinforcement record, not just the procedural compliance record.

Continual improvement

The framework is continually improved through learning and experience. The improvement loop reads against the per-cycle review findings, the post-incident lessons, the audit observations, the regulatory feedback, and the stakeholder evaluation. Programmes that treat the framework as a settled document rather than as a working document present stale risk language at the next audit cycle.

The framework: seven components, including communication and consultation

The framework section of ISO 31000 names the components that hold the process together at the organisation level. Leadership and commitment opens the framework because nothing else survives without it; integration places risk management inside the operating decisions; design, implementation, evaluation, and improvement form the lifecycle; and communication and consultation runs across every component as a cross-cutting activity.

Leadership and commitment

The framework opens with leadership and commitment because no risk management programme survives without it. ISO 31000 specifies leadership obligations: customise and implement the framework, issue a statement establishing the policy, allocate resources, and assign authority and accountability across the named roles. The audit evidence reads the published risk management policy, the resourcing record, the accountability assignments at the leadership layer, and the per-cycle leadership review.

Integration

Integration places risk management inside strategic planning, decision-making, budgeting, performance management, change management, and the project management lifecycle. The discipline is to ensure risk inputs feed the operating decisions rather than running parallel to them. A programme passes integration when removing risk language from a budget paper, a procurement decision, or a project charter leaves a noticeable hole in the decision rationale.

Design

Design covers understanding the organisation and its context, articulating commitment, assigning roles and authorities, allocating resources, and establishing communication and consultation arrangements. The design step produces the documented framework the rest of the lifecycle reads against. Programmes that skip design and proceed straight to register-building generate analyses whose authority basis nobody can locate when the regulator asks.

Implementation

Implementation develops an appropriate plan with time and resources, identifies where, when, how, and by whom decisions involving risk are made, modifies decision-making processes where necessary, and ensures arrangements for managing risk are clearly understood and practised. Implementation produces the operating cadence the framework runs at and the per-decision-point record that explains how risk feeds the live operating process.

Evaluation

Evaluation measures framework performance against purpose, plans, indicators, and behaviour. It is the periodic check that the framework still produces what the organisation needs from it. Evaluation reads against the per-indicator record, the per-cycle stakeholder feedback, the audit observations, and the alignment between the framework outputs and the operating decisions the framework was designed to inform.

Improvement

Improvement adapts the framework to the changes in internal and external context observed during evaluation. Improvement is not a one-off correction; it is the continual loop the eighth principle calls for. The improvement record carries the per-cycle change rationale, the affected component, the implementation date, and the post-change evaluation result.

Communication and consultation

Communication and consultation runs across every framework component. It ensures stakeholders understand the risk, the assumptions, the methods, and the treatments, and that diverse views are gathered before decisions are made. The framework audit reads the communication record per cycle, the stakeholder engagement record per assessment, and the consultation evidence per material treatment decision.

The process: six steps, including the cross-cutting activities

The process section is the operational sequence per risk assessment. It is technique-agnostic: the standard names the steps but does not prescribe the analytical method. ISO/IEC 31010 catalogues the technique options; ISO/IEC 27005 operationalises the process for information security risk; NIST SP 800-30 is the federal counterpart for the assessment step; and FAIR is the most common quantitative method for the scenarios where financial expression is required.

1. Scope, context, criteria

Define the scope (the activity the risk assessment applies to). Establish the external context (regulatory, market, sector, geopolitical, stakeholder set) and the internal context (governance, strategy, structure, capability, culture, contracts, information systems). Set the criteria: the risk appetite, the impact and likelihood scales, the evaluation criteria, the treatment criteria, the residual risk acceptance criteria. The criteria are written before the analysis starts. Programmes that set criteria after running the analysis tend to fit the criteria to the result rather than the other way round.

2. Risk identification

Recognise and describe risks that might help or hinder achievement of objectives. The identification step is technique-agnostic: workshops, structured interviews, checklists, scenario analysis, root cause analysis, threat modelling, control self-assessment, brainstorming, and the structured operational records (incidents, near-misses, exception register, audit findings) all feed it. The output is the candidate risk set, each with a source, an event, a cause, and a potential consequence.

3. Risk analysis

Comprehend the nature of risk and determine the level of risk. Analysis covers the likelihood of the event, the consequence severity, the interaction with other risks, and the uncertainty in the estimates. ISO 31000 supports qualitative, semi-quantitative, and quantitative approaches. The choice is driven by the criteria set in step 1; programmes that need financial expression for board reading typically run quantitative analysis (FAIR, NIST 800-30 quantitative, ISO 27005 quantitative) for the top scenarios and qualitative for the rest.

4. Risk evaluation

Compare the analysis results against the criteria established in scope, context, and criteria. The output is the prioritised treatment list with the per-risk evaluation decision: treat further, accept as-is, escalate, or revisit the criteria. Evaluation surfaces the risks that exceed the appetite and the risks that fall within tolerance but warrant monitoring. The decision record per risk reads against the evaluation criteria, not against analyst preference.

5. Risk treatment

Select and implement options for addressing risk. The standard catalogues treatment options: avoid the activity that gives rise to the risk, take or increase the risk to pursue an opportunity, remove the risk source, change the likelihood, change the consequences, share the risk (insurance, contracts, joint ventures), and retain the risk by informed decision. Treatment produces the risk treatment plan covering the rationale, the named responsibility, the actions, the resources, the timing, the performance measures, the residual risk acceptance, and the monitoring. Treatment is iterative; residual risk is re-assessed against the criteria and the loop continues until residual risk is acceptable.

6. Communication, consultation, monitoring, review, recording, reporting

The cross-cutting activities run alongside every step. Communication and consultation ensures stakeholders understand the risk, the assumptions, and the treatment. Monitoring and review provides feedback on the risk management performance per cycle, with the per-risk owner, the per-treatment milestone, and the per-criterion review. Recording and reporting consolidates the artefacts into the report set the audit committee, the board, the regulator, and the operating teams read. Together they prevent ISO 31000 from collapsing into a once-a-year register exercise that no decision references.

Named artefacts ISO 31000 expects

ISO 31000 is principle-based rather than artefact-prescriptive, but a defensible implementation produces a stable artefact set the audit reads against. The set below covers the records that hold up under ISO 27001 clause 6.1 internal audit, ISO/IEC 27005 alignment, NIST SP 800-30 cross-reference, COSO ERM portfolio reads, and regulatory enterprise risk inquiries.

  • Risk management policy with the leadership signature, the policy scope, the named accountabilities, and the periodic review cadence
  • Framework documentation covering the integration points, the per-component evidence (leadership, integration, design, implementation, evaluation, improvement, communication and consultation), and the per-cycle framework evaluation record
  • Scope, context, and criteria record per assessment with the activity scope, the external and internal context analysis, the risk appetite statement, the impact and likelihood scales, the evaluation criteria, and the residual risk acceptance criteria
  • Risk register with per-risk owner, per-risk criteria, per-risk source, per-risk event, per-risk cause, per-risk consequence, per-risk analysis result, per-risk evaluation decision, per-risk treatment, and per-risk monitoring cadence
  • Risk treatment plan per treated risk with the selected treatment option, the rationale, the named responsibility, the actions, the resources allocated, the timing, the performance measures, the residual risk acceptance signature, and the monitoring trigger
  • Communication and consultation record per assessment cycle with the stakeholder set engaged, the inputs gathered, the diverse views captured, the decision rationale at each material decision point, and the disagreement record where consensus did not emerge
  • Monitoring and review record per cycle with the per-risk indicator readings, the per-treatment milestone status, the per-criterion review outcome, the per-context change observed, and the recommended adjustment
  • Framework evaluation record per cycle with the framework performance measured against purpose, plans, indicators, and behaviour, plus the stakeholder feedback and the audit observations
  • Continual improvement record with the per-cycle improvement rationale, the affected framework component, the implementation date, and the post-change evaluation result
  • Per-cycle change log capturing the inputs that changed, the criteria adjustments, the new risks identified, the closed risks, the treatment plan deviations, and the residual risk re-assessment outcome
  • Reporting pack tailored per audience (operating team, management, audit committee, board, regulator) derived from the same record set rather than reproduced per audience

Where ISO 31000 sits next to ISO 27005, NIST 800-30, COSO ERM, FAIR, and the regulators

ISO 31000 is the umbrella under which the other risk management frameworks operate. Naming the adjacencies upfront prevents the recurring failure mode where programmes treat overlapping frameworks as substitutes rather than as layered companions. The matrix below covers the most common adjacencies and the responsibility split each pair carries.

ISO/IEC 27005 (Information security risk management)

ISO/IEC 27005 is the information-security-specific operationalisation of ISO 31000. The two are paired by design: ISO 31000 sets the umbrella principles, framework, and process, and ISO 27005 specifies how to apply them to information security risk, including the threat catalogue, the vulnerability catalogue, the asset-based and event-based identification techniques, and the per-risk treatment options under an ISO 27001 ISMS. An ISO 27001-certified programme reads ISO 31000 at the umbrella layer and ISO 27005 at the operating layer. The dedicated ISO/IEC 27005 framework page covers the per-cycle process, the audit evidence the certifier reads against, and the cross-reference into clauses 6.1.2 and 6.1.3.

NIST SP 800-30 (Guide for Conducting Risk Assessments)

NIST SP 800-30 is the federal guide to risk assessment. It is the U.S. counterpart to ISO 27005 for the risk assessment step inside the broader risk management lifecycle. Federal programmes operating under NIST SP 800-37 (RMF) read 800-30 for the assessment process and pair it with 800-39 at the strategic layer. ISO 31000 and NIST 800-39 sit at comparable layers; programmes that operate under both frameworks typically map the two and read the common evidence into both.

NIST SP 800-39 (Managing Information Security Risk)

NIST SP 800-39 covers the strategic, organisational, mission, and information-system tiers of information security risk management. It is the closest NIST counterpart to ISO 31000 at the enterprise risk management layer. The two are not interchangeable, but they overlap substantially in scope and intent; programmes that operate under federal frameworks typically read both and map the common requirements to the same operating record.

COSO ERM (Enterprise Risk Management - Integrating with Strategy and Performance)

COSO ERM is the enterprise risk management framework boards and audit committees read against for cross-organisation risk. COSO ERM and ISO 31000 are complementary rather than substitutive. COSO ERM emphasises integration with strategy and performance; ISO 31000 emphasises principles, framework, and process. Mature programmes adopt both as a layered pair: COSO ERM at the governance and strategy interface, ISO 31000 at the operating discipline layer.

NIST AI Risk Management Framework (AI RMF 1.0)

NIST AI RMF is the AI-specific framework that sits next to ISO 31000 for AI risk. The Govern function within AI RMF maps to the leadership and integration components of ISO 31000; the Map, Measure, and Manage functions map to the process steps. Programmes that operate AI workloads at scale typically pair ISO 31000 at the umbrella layer with NIST AI RMF for the AI-specific risk taxonomy and the GenAI Profile (NIST AI 600-1).

FAIR (Factor Analysis of Information Risk)

FAIR is the analytical method that produces the quantitative output ISO 31000 mentions as one of the techniques the framework supports. ISO 31000 is process and principle; FAIR is method. A mature enterprise risk programme follows ISO 31000 at the process layer and applies FAIR (or another quantitative method) at the analysis layer for the scenarios that warrant quantitative treatment. The two are paired in board reading because ISO 31000 supplies the process discipline FAIR runs inside.

ISO 9001 quality, ISO 14001 environment, ISO 22301 business continuity, ISO 45001 OH&S

ISO 31000 is the umbrella for risk management across the certifiable management system standards. ISO 9001 (quality), ISO 14001 (environment), ISO 22301 (business continuity), and ISO 45001 (occupational health and safety) all require risk-based thinking and each references ISO 31000 for the underlying approach. Organisations running integrated management systems read ISO 31000 as the common risk discipline that informs the per-standard risk treatment.

DORA, NIS2, APRA CPS 234, MAS TRM, HKMA C-RAF, RBI cyber framework

Regulatory enterprise risk frameworks across financial services and critical infrastructure expect ISO 31000-aligned risk management even when they do not name the standard. DORA, NIS2, APRA CPS 234, MAS TRM, HKMA C-RAF, and the RBI cyber framework each require board-level ICT risk governance, a documented framework, defined risk appetite, treatment plans, monitoring, and reporting. The same ISO 31000 evidence reads cleanly into each regulator inquiry when the framework is held on the operating record.

Recurring failure modes ISO 31000 programmes hit

Programmes that struggle with ISO 31000 typically hit a small set of recurring failure modes. Naming them upfront lets the programme design the operating model to avoid them rather than discovering them at the audit committee when the questions land in front of the CFO.

Treating ISO 31000 as certifiable. ISO 31000 is a guideline, not a certifiable standard. Organisations that pursue an ISO 31000 certificate discover the standard does not support one. The standard sits next to certifiable standards (ISO 27001, ISO 9001, ISO 14001, ISO 22301) which require their own risk management approach; ISO 31000 is the umbrella that informs all of them.

Holding the risk register separately from the operating record. ISO 31000 reads against the operating reality. Programmes that maintain the register in a separate platform that does not see scanner findings, exception register entries, audit observations, or incident records produce registers that drift from live posture by the second cycle. The fix is to source register inputs from the operating record so the per-cycle refresh is a re-read rather than a rebuild.

Setting criteria after the analysis. Risk appetite, impact scales, likelihood scales, and treatment criteria are set in step 1 before identification. Programmes that retrofit criteria to fit the analysis output produce evaluation decisions that cannot be defended at the audit committee because the criteria look engineered to produce the chosen conclusion.

Skipping communication and consultation. The cross-cutting activity runs alongside every step. Programmes that treat communication as a once-a-year report rather than as an embedded consultation produce risk assessments that named stakeholders disown when the consequences materialise.

Annualising the framework. The dynamic principle requires the framework to respond in an appropriate and timely manner to context changes and events. Annual review cadences fail this principle for material risk; the framework needs event-triggered re-assessment for material changes (regulatory change, business model change, significant incident, third-party breach, major customer or supplier change).

Confusing risk treatment with risk reduction. The standard explicitly names seven treatment options, including accept by informed decision, share, and retain. Programmes that default to reduce as the only option lose the discipline of evaluating retention or transfer when those are the correct treatments, and they accumulate mitigation cost the organisation cannot defend at the next budget review.

Producing the wrong record for the wrong audience. The same record set has to read at the operating team, management, audit committee, board, and regulator level. Programmes that produce a separate artefact per audience generate inconsistencies that the audit committee surfaces the first time it cross-reads the records.

Treating residual risk acceptance as a paragraph rather than a decision. Residual risk acceptance is a named decision against the criteria with a signed accountability. Programmes that treat it as a paragraph at the end of a treatment plan lose the audit trail for who accepted what, against which criteria, and on what date.
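The process steps 1 to 5 above, together with the criteria-ordering, treatment-option and residual-acceptance failure modes, as an added Python example (not SecPortal's code and not text from the standard): one register entry is walked through scope-and-criteria, identification, analysis, evaluation and treatment, with the criteria frozen before any analysis, all seven treatment options named, and residual acceptance recorded as a dated decision rather than a paragraph. The 1-5 scales, the appetite of 6, the escalation threshold of 20 and the sample risk are assumptions chosen for illustration.

```python
# Constructed example, not SecPortal code. The 1-5 scales, appetite of 6,
# escalation threshold of 20 and the sample risk are illustrative assumptions.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

class Treatment(Enum):
    """The seven treatment options ISO 31000 names in step 5."""
    AVOID = "avoid the activity that gives rise to the risk"
    TAKE = "take or increase the risk to pursue an opportunity"
    REMOVE_SOURCE = "remove the risk source"
    CHANGE_LIKELIHOOD = "change the likelihood"
    CHANGE_CONSEQUENCE = "change the consequences"
    SHARE = "share the risk (insurance, contracts, joint ventures)"
    RETAIN = "retain the risk by informed decision"

@dataclass(frozen=True)
class Criteria:
    """Step 1 output, written before analysis; frozen so it cannot be
    retrofitted to the analysis result later."""
    likelihood_scale: tuple
    consequence_scale: tuple
    appetite: int      # highest level accepted without further treatment
    escalate_at: int   # level at which the evaluation decision is "escalate"
    set_on: date

@dataclass
class Risk:
    """Step 2 register entry; steps 3-5 fill in the remaining fields."""
    source: str
    event: str
    cause: str
    consequence: str
    owner: str
    likelihood: Optional[int] = None
    severity: Optional[int] = None
    decision: Optional[str] = None
    treatments: list = field(default_factory=list)
    acceptance: Optional[dict] = None

    def level(self) -> int:
        """Level = likelihood x consequence severity (an assumed scoring rule)."""
        if self.likelihood is None or self.severity is None:
            raise ValueError("risk has not been analysed yet")
        return self.likelihood * self.severity

def analyse(risk: Risk, criteria: Criteria, likelihood: int, severity: int) -> int:
    """Step 3: rate the risk on the scales fixed in step 1 and return its level."""
    if likelihood not in criteria.likelihood_scale or severity not in criteria.consequence_scale:
        raise ValueError("rating is outside the scales written in step 1")
    risk.likelihood, risk.severity = likelihood, severity
    return risk.level()

def evaluate(risk: Risk, criteria: Criteria) -> str:
    """Step 4: compare the level against the criteria, not against analyst preference."""
    level = risk.level()
    if level >= criteria.escalate_at:
        risk.decision = "escalate"
    elif level > criteria.appetite:
        risk.decision = "treat"
    else:
        risk.decision = "accept"
    return risk.decision

def treat(risk: Risk, criteria: Criteria, option: Treatment, responsible: str, due: date,
          residual_likelihood: int, residual_severity: int) -> str:
    """Step 5: record one treatment, then re-assess the residual against the same criteria."""
    risk.treatments.append({"option": option, "responsible": responsible, "due": due})
    analyse(risk, criteria, residual_likelihood, residual_severity)
    return evaluate(risk, criteria)

def accept_residual(risk: Risk, criteria: Criteria, accepted_by: str, on: date) -> dict:
    """Sign off residual risk only when the decision is "accept"; otherwise the loop continues."""
    if risk.decision != "accept":
        raise ValueError(f"residual decision is '{risk.decision}', not 'accept'")
    risk.acceptance = {"accepted_by": accepted_by, "residual_level": risk.level(),
                       "appetite": criteria.appetite, "on": on}
    return risk.acceptance

# Step 1 for the sample cycle: criteria fixed before any risk is analysed.
EXAMPLE_CRITERIA = Criteria(tuple(range(1, 6)), tuple(range(1, 6)), 6, 20, date(2024, 1, 15))

def run_example() -> Risk:
    """Walk one constructed risk through steps 2-5 and return the completed register entry."""
    risk = Risk("internet-facing customer service", "exploitation of an unpatched critical finding",
                "remediation SLA missed on the finding", "service outage and regulatory notification",
                owner="Head of Platform")
    analyse(risk, EXAMPLE_CRITERIA, likelihood=4, severity=4)                  # level 16
    evaluate(risk, EXAMPLE_CRITERIA)                                            # 16 > 6: treat
    treat(risk, EXAMPLE_CRITERIA, Treatment.CHANGE_LIKELIHOOD, "Platform lead",
          date(2024, 3, 31), 2, 4)                                              # 8 > 6: still treat
    treat(risk, EXAMPLE_CRITERIA, Treatment.SHARE, "CFO", date(2024, 4, 30), 2, 3)  # 6: accept
    accept_residual(risk, EXAMPLE_CRITERIA, accepted_by="CISO", on=date(2024, 5, 2))
    return risk
```

Because `Criteria` is frozen, any attempt to adjust the appetite after the analysis raises instead of silently re-fitting the criteria to the result, and `accept_residual` refuses to sign off while the evaluation decision is still "treat" or "escalate".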

How ISO 31000 reads across enterprise security functions

ISO 31000 is cross-functional by design. The same framework reads differently depending on the function that holds the work, but the principles, the components, and the process are common across the functions. The named functions below own different parts of the same risk record.

CISOs and security leaders

Run ISO 31000 as the umbrella under which the security risk programme operates. Hold the risk policy, the risk register, the treatment plans, and the per-cycle review evidence on one workspace so the board reading reconciles to the live security record. Use FAIR or NIST 800-30 quantitative analysis for the named top scenarios where financial language is required, and run ISO 27005 inside the ISMS for the per-asset and per-event security risk identification.

GRC and compliance teams

Operate ISO 31000 as the common umbrella that informs the ISO 27001 ISMS risk management, the SOC 2 risk assessment criterion, the regulatory enterprise risk reads (DORA, NIS2, APRA CPS 234, MAS TRM), and the integrated management system risk discipline across ISO 9001, ISO 14001, and ISO 22301. Hold the framework evaluation record, the integration evidence, and the cross-framework reconciliation on the same operating record so the audit committee reads a coherent risk vocabulary across the standards.

Enterprise risk management teams

Bring cyber risk into the broader ERM portfolio under the same ISO 31000 process discipline that operational risk, financial risk, strategic risk, and compliance risk operate against. The portfolio view COSO ERM expects reads cleanly when each risk type runs under the same identification, analysis, evaluation, and treatment process, with the per-risk-type analytical method documented (FAIR for cyber, value-at-risk for financial, scenario analysis for strategic).

Vulnerability management and security engineering teams

Supply the live vulnerability state, the per-asset criticality, the exception register, and the remediation SLA adherence into the ISO 31000 risk identification and analysis inputs. The signal ISO 31000 reads against is the operating record, not a snapshot from the assessment week. Running ISO 31000 on a workspace that holds the live vulnerability state lets the per-cycle assessment refresh without rebuilding the underlying source evidence.

AppSec and product security teams

Carry the code-scanning state, the dependency vulnerability state, the secure-coding adherence record, and the SDLC integration evidence into the ISO 31000 risk inputs for the development-driven scenarios. The risks tied to application breach paths, API exposure, and supply chain compromise read against the AppSec evidence as the primary source rather than as a footnote on a generic enterprise scenario.

Internal audit and assurance functions

Audit the framework against the eight principles, the seven components, and the six process steps. Read the leadership and commitment evidence, the integration record, the design evidence, the implementation evidence, the evaluation record, the improvement record, and the communication and consultation record. The audit produces the per-component finding set the continual improvement principle feeds the next cycle.

Running ISO 31000 on SecPortal

SecPortal is built around the operating record an ISO 31000 programme reads against: the engagement carries the per-cycle assessment, the findings record carries the live vulnerability state feeding the analysis step, the documents area carries the policy, the framework documentation, the register, and the treatment plans, and the activity log carries the audit trail the per-cycle review reads against. The platform alignment below maps the verified product capabilities to the ISO 31000 framework so the programme is held on one operating record rather than across a separate analytical environment that drifts from the live posture.

  • Engagement management as the workspace anchor for the ISO 31000 programme, with the per-cycle assessment carried as an engagement that holds the scope, the context, the criteria, the register, the treatment plans, and the per-cycle review evidence as a single record rather than across separate documents
  • Findings management with CVSS calibration so the per-risk vulnerability input the analysis step reads against is consistent across scanner intake, analyst triage, exception register, and remediation SLA record
  • Compliance tracking across ISO 31000, ISO 27001, ISO 27002, ISO/IEC 27005, ISO/IEC 42001, NIST SP 800-30, NIST SP 800-37, NIST CSF 2.0, COSO ERM, NIST AI RMF, SOC 2, PCI DSS, DORA, NIS2, and the regional regulator frameworks so the same risk evidence is consumed into the parallel framework reads without rebuilding the artefact set
  • Authenticated scanning so the vulnerability inputs feeding the analysis step read against the live posture on the asset rather than against a snapshot from the assessment week, with the per-asset coverage record archived per cycle
  • Code scanning via Semgrep against connected repositories so the AppSec inputs feeding the development-driven risk scenarios read against the live code state, with the per-repo finding state archived per cycle
  • Document management for the risk policy, the framework documentation, the criteria record, the register, the treatment plans, the communication and consultation evidence, the monitoring and review records, the framework evaluation, the continual improvement record, and the per-audience reporting pack
  • Activity log with CSV export so every change to the policy, the framework, the criteria, the register, the treatment plans, the monitoring records, and the residual risk acceptance signatures is reproducible from one source, which is the audit trail the ISO 31000 audit reads against
  • AI report generation that turns the per-cycle risk record into the operating team report, the management report, the audit committee briefing, the board reporting deck, and the regulator response without rebuilding the artefact pack per audience
  • Team management with RBAC so the risk analyst, the risk owner, the treatment owner, the reviewer, the approver, and the executive role boundaries the ISO 31000 framework names are enforced at the workspace layer rather than at the per-document level
  • Multi-factor authentication for workspace access so the risk owner signature, the treatment approval, the residual risk acceptance, and the framework evaluation evidence the audit reads against carry the authentication record the standard expects
  • Retesting workflows paired to the treatment plan milestones so the closure evidence the per-cycle monitoring step reads against carries the verify-after-fix record rather than a status statement on a treatment that was never re-tested

Related reading on SecPortal

  • COSO ERM is the enterprise risk management framework that pairs with ISO 31000 at the governance and strategy interface; programmes typically adopt both as a layered pair.
  • FAIR (Factor Analysis of Information Risk) is the quantitative analytical method that produces the financial output ISO 31000 mentions as one of the techniques the framework supports.
  • NIST SP 800-37 (RMF) is the federal operating sequence; programmes operating under both ISO 31000 and RMF map the common evidence into a single operating record.
  • NIST SP 800-30 risk assessment guide is the federal four-step assessment process that sits inside the ISO 31000 risk assessment sub-process; programmes operating under both standards use 800-30 for the per-event assessment and ISO 31000 for the broader framework components.
  • ISO/IEC 27005 is the information-security-specific instantiation of ISO 31000 that satisfies ISO 27001 clause 6.1 with a per-scenario risk register, threat and vulnerability catalogues, and the four-option treatment taxonomy.
  • ISO/IEC 42001 is the AI management system standard; it explicitly references ISO 31000 for the underlying risk management discipline.
  • NIST AI Risk Management Framework pairs with ISO 31000 for AI workloads; Govern, Map, Measure, and Manage align to the leadership, integration, and process components.
  • ISO/IEC 27001 clause 6.1 (Actions to address risks and opportunities) reads against an ISO 31000 aligned risk management approach inside the ISMS.
  • Cyber risk quantification guide covers the FAIR programme that runs as the analytical method inside the ISO 31000 process.
  • Cybersecurity risk assessment guide walks the assessment work the ISO 31000 process step expects, with the inputs and the criteria sourcing for security risk.
  • Board-level security reporting covers the executive narrative the ISO 31000 reporting step reads into, with the per-cycle board cadence.
  • Security leadership reporting workflow is the operating workflow that holds the per-audience reporting pack the standard requires (operating team, management, audit committee, board, regulator).
  • Vulnerability acceptance and exception management is the workflow that holds the residual risk acceptance signature ISO 31000 requires per treated risk.
  • Control mapping cross-framework crosswalks carry the ISO 31000-aligned evidence across ISO 27001, NIST CSF, NIST 800-37, SOC 2, PCI DSS, and the regional regulator frameworks.
  • SecPortal for CISOs covers the executive workspace that holds the ISO 31000 programme alongside the operating record the assessments read against.
  • SecPortal for GRC and compliance teams covers the GRC workspace that holds the cross-framework reconciliation ISO 31000 consumes into.

Key control areas

SecPortal helps you track and manage compliance across these domains.

Principle 1: Integrated

Risk management is an integral part of all organisational activities. ISO 31000 explicitly rejects risk management as a side function. The standard reads against the operating decisions the organisation makes, not against a parallel register that drifts from the live state. Programmes that hold the risk record outside the operating record fail this principle the first time the audit committee asks for the linkage between the risk treatment commitment and the operational evidence.

Principle 2: Structured and comprehensive

A structured, systematic, and comprehensive approach contributes to consistent and comparable results. The discipline is the same process applied to every risk in scope, with the same artefacts produced per cycle. ISO 31000 does not prescribe the depth, but it requires the consistency so the per-cycle comparison and the per-business-unit reconciliation are possible without rebuilding the analysis.

Principle 3: Customised

The framework and process are customised to the organisation. ISO 31000 is a guideline, not a checklist. The scope, the depth, the cadence, and the integration points are sized to the organisation, the sector, and the regulatory context. Programmes that copy a generic ISO 31000 implementation without customising it produce a process that no internal stakeholder reads against.

Principle 4: Inclusive

Appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered. Stakeholder participation is not a courtesy; it is a methodological requirement. The risk assessment is incomplete if the operating teams, the legal function, the finance function, the customer-facing functions, and the regulator-facing functions have not contributed. ISO 31000 audits read against the stakeholder engagement record.

Principle 5: Dynamic

Risks emerge, change, and disappear as context changes. ISO 31000 explicitly requires the framework to anticipate, detect, acknowledge, and respond to changes and events in an appropriate and timely manner. A static risk register reviewed annually fails the dynamic principle. The framework reads against the operating telemetry per cycle, with the per-event re-assessment trigger named in the process.

Principle 6: Best available information

The risk management framework uses historical and current information, as well as future expectations. The discipline is to source inputs from the places the organisation already produces them: incident history, finance records, scanner evidence, finding remediation history, exception register entries, audit findings, regulatory correspondence. Programmes that source inputs from assumptions rather than from the operating record produce risk assessments that collapse under scrutiny.

Principle 7: Human and cultural factors

Human behaviour and culture significantly influence all aspects of risk management. The principle reads against the risk-aware culture the organisation develops, the training record, the incentive alignment, and the consequence management for risk-relevant decisions. ISO 31000 audit evidence covers the cultural reinforcement record, not just the procedural compliance record.

Principle 8: Continual improvement

The framework is continually improved through learning and experience. The improvement loop reads against the per-cycle review findings, the post-incident lessons, the audit observations, the regulatory feedback, and the stakeholder evaluation. Programmes that treat the framework as a settled document rather than as a working document fail the continual improvement principle and present stale risk language at the next audit.

Framework: Leadership and commitment

The framework component opens with leadership and commitment because no risk management programme survives without it. ISO 31000 specifies the leadership obligations: customise and implement the framework, issue a statement establishing the policy, allocate resources, and assign authority and accountability. The audit evidence reads the published risk management policy, the resourcing record, and the accountability assignments at the leadership layer.

Framework: Integration with organisational processes

Integration places risk management inside strategic planning, decision-making, budgeting, performance management, change management, and the project management lifecycle. The discipline is to ensure risk inputs feed the operating decisions rather than running parallel to them. A programme passes integration when removing risk language from a budget paper, a procurement decision, or a project charter leaves a noticeable hole in the decision rationale.

Framework: Design, implementation, evaluation, improvement

The framework component cycles through design (understanding the organisation and its context, articulating commitment, assigning roles and authorities, allocating resources, establishing communication and consultation), implementation (developing the plan, identifying decisions that require risk inputs, executing the plan), evaluation (measuring framework performance against purpose, plans, indicators, and behaviour), and improvement (continually adapting the framework to internal and external change). Each phase produces evidence the framework audit reads against.

Process: Scope, context, criteria

The risk management process opens with defining the scope (the activity the risk assessment applies to), establishing the external and internal context (the operating environment, the strategic objectives, the stakeholder set, the relationships, the dependencies), and setting the criteria (the risk appetite, the impact and likelihood scales, the evaluation criteria, the treatment criteria). The criteria are written before the analysis starts; programmes that set criteria after running the analysis tend to fit the criteria to the result rather than the other way round.

Process: Risk assessment (identification, analysis, evaluation)

Risk assessment is the named sub-process covering identification (recognising and describing risks that might help or hinder achievement of objectives), analysis (comprehending the nature of risk and determining the level of risk), and evaluation (comparing the analysis results against the criteria established in the scope step). The output is the prioritised risk set that feeds treatment. ISO 31000 deliberately keeps the assessment technique-agnostic; FAIR, NIST SP 800-30, ISO/IEC 27005, qualitative matrices, and bow-tie analysis all sit underneath this step.

Process: Risk treatment

Treatment selects and implements options for addressing risk. The standard catalogues the treatment options: avoid, accept, remove the risk source, change the likelihood, change the consequences, share (insurance, contracts, joint ventures), and retain by informed decision. Treatment produces the risk treatment plan covering the rationale, the named responsibility, the actions, the resources, the timing, the performance measures, the residual risk acceptance, and the monitoring. Treatment is iterative; residual risk is re-assessed against the criteria and the loop continues until residual risk is acceptable.

Process: Communication and consultation, monitoring and review

Two cross-cutting activities run alongside every step. Communication and consultation ensures stakeholders understand the risk, the assumptions, and the treatment, and that diverse views are gathered. Monitoring and review provides feedback on the risk management performance per cycle, with the per-risk owner, the per-treatment milestone, and the per-criterion review. Together they prevent ISO 31000 from collapsing into a once-a-year register exercise that no decision references.

Recording and reporting

The standard explicitly requires recording and reporting across the framework and process. The records cover the scope and context, the assessment results, the treatment plans, the residual risk acceptance, the communication and consultation, the monitoring outputs, and the changes since the prior cycle. Reporting reads at multiple layers: the operating team report, the management report, the audit committee report, the board report, the regulator report. The same record set reads cleanly into each report rather than producing a separate artefact pack per audience.

Audit evidence ISO 31000 expects

A defensible ISO 31000 programme produces a stable evidence set per cycle: the risk management policy with the leadership signature, the framework documentation covering integration points and the per-component evidence, the scope and context records per assessment, the risk register with per-risk owner, per-risk criteria, per-risk treatment, and per-risk monitoring cadence, the risk treatment plans with per-action owner and milestone, the communication and consultation record, the monitoring and review record per cycle, the framework evaluation record, the continual improvement record, and the per-cycle change log. The same evidence reads cleanly under ISO 27001 clause 6.1, ISO/IEC 27005, NIST SP 800-30, COSO ERM, and regulatory enterprise risk reads (DORA, NIS2, APRA CPS 234, MAS TRM, HKMA C-RAF).

Run a defensible ISO 31000 programme on one operating record

Hold the policy, the framework documentation, the risk register, the treatment plans, the monitoring evidence, and the per-cycle review record on one workspace so the ISO 31000 audit reads the live programme rather than a stack of documents that drifted from the operating reality.