A practical guide to ISO 31000:2018. Important clarification up front: ISO 31000 is guidance, not a certifiable management system standard. Organisations cannot be ISO 31000 certified; individuals can be PECB-certified as Risk Managers and Lead Risk Managers.
ISO 31000:2018 is the international standard providing principles, a framework, and a process for managing risk, published by ISO. The 2018 edition replaced the 2009 version and simplified the framework substantially. It consists of eight principles, a framework, and an operational process for identifying, analysing, evaluating, treating, monitoring, and communicating risk.
Unlike ISO 27001 or ISO 42001, ISO 31000 does NOT have a Stage 1/Stage 2 audit and no certificate is issued to organisations. Any vendor offering "ISO 31000 certification" for your company is selling something that does not formally exist. What does exist: individual practitioner certifications through PECB (Foundation, Risk Manager, Lead Risk Manager) — those credentials apply to a person, not a company.
This guide is aimed at risk and compliance professionals at ASX-listed companies and government departments where PECB Lead Risk Manager is recognised; APRA-regulated entities using ISO 31000 as the methodology underpinning CPS 230 and CPS 234 compliance; ISO 27001 implementers wanting deeper grounding in risk methodology; and internal audit and second-line risk teams.
PECB training through Aegentra Academy: ISO 31000 Foundation $399 AUD, ISO 31000 Risk Manager $849 AUD, ISO 31000 Lead Risk Manager $849 AUD. Every enrolment includes the official PECB exam voucher and a free resit within 12 months.
How ISO 31000 relates to neighbouring frameworks: ISO 31000 is generic and not certifiable. ISO/IEC 27005:2022 covers information security risk management specifically and is audited as part of ISO 27001. COSO ERM is the US-aligned alternative. Most Australian organisations use ISO 31000 as the umbrella framework, ISO/IEC 27005 inside the ISO 27001 ISMS, and reference COSO ERM where US-aligned governance is required.