
ISO 31000 Explained: What Auditors Need to Know in 2026

Priya Nair | 10 min read | 7 February 2026

ISO 31000 is referenced in almost every risk management job description, audit committee charter, and board risk report — yet many practitioners who cite it have never read it cover to cover. This article gives you a clear, auditor-focused explanation of what ISO 31000 actually says and what it means for your daily work.

The standard in one paragraph

ISO 31000:2018 provides principles, a framework, and a process for managing risk in any type of organisation. It is a guidance document, not a certification standard. It does not tell you what your risk appetite should be, which risks to prioritise, or what templates to use — it tells you how to think about and structure risk management so it works effectively within your organisation.

Three layers: principles, framework, process

The 2018 revision organised ISO 31000 into three clearly distinct layers:

Principles (the why)

Eight attributes that describe effective risk management: integrated, structured, customised, inclusive, dynamic, informed, human-factors-aware, and continuously improving. Think of these as the criteria by which you evaluate whether your risk management is actually working.

Framework (the what)

The organisational structure that supports risk management — leadership commitment, integration into processes, design, implementation, evaluation, and improvement. The framework answers: how does risk management sit within our organisation?

Process (the how)

The operational cycle: communication and consultation, establishing scope and context, risk assessment (identification → analysis → evaluation), risk treatment, and monitoring and review. This is what your audit team does in practice.

What changed in 2018?

The 2018 revision was the first update since the original 2009 publication. Key changes relevant to auditors:

  • Leadership elevated. The 2018 version puts much stronger emphasis on leadership and commitment as a prerequisite for effective ERM. Senior leadership must demonstrate commitment, not just delegate it.
  • Integration is central. The 2018 framework component is explicitly iterative — a continuous cycle of design, implementation, evaluation, and improvement rather than a one-off setup.
  • Human factors added. A new principle specifically acknowledging that human behaviour and culture significantly influence all aspects of risk management at every level.
  • Simplified structure. The 2009 version had 11 principles; the 2018 version has 8, with clearer language and less redundancy.

Four things ISO 31000 does NOT tell you

Understanding the limits of the standard is just as important as understanding its content.

1. It does not specify risk scoring scales — your likelihood and impact anchors are yours to define.
2. It does not mandate a specific matrix size — 3×3, 4×4, or 5×5 are all compliant.
3. It does not define risk appetite thresholds — these must be set by your board or senior leadership.
4. It is not auditable — you cannot be ISO 31000 certified. If someone claims to be, they are confusing it with ISO 27001 or a similar certifiable standard.

Practical implications for internal auditors

As an internal auditor, ISO 31000 gives you a defensible framework for designing and evaluating your organisation's risk management function. Concretely:

  • Use the eight principles as an assessment rubric when auditing the ERM function
  • Use the framework component to assess whether risk management is genuinely integrated or just a compliance exercise
  • Use the process component (especially risk identification and evaluation steps) to design your risk-based audit planning methodology
  • Reference ISO 31000 in audit findings and recommendations to add credibility and a recognised benchmark

Use the ISO 31000 template

RiskMatrix Pro's ISO 31000 template pre-configures your matrix with scales and risk categories aligned to the standard.
