What it is
ISO 31000:2018 is the International Organization for Standardization's umbrella standard for risk management. It is principles-based rather than prescriptive: it does not tell organisations exactly what to do, but defines the structure that any sound risk management approach should have. The standard covers eight principles (integrated; structured and comprehensive; customised; inclusive; dynamic; best available information; human and cultural factors; continual improvement), the framework (leadership and commitment at the centre, surrounded by integration, design, implementation, evaluation and improvement), and the process (communication and consultation; scope, context and criteria; risk assessment, which is identification, analysis and evaluation; risk treatment; monitoring and review; recording and reporting).
Why it matters
ISO 31000 is the reference standard for enterprise risk management in regulated industries such as energy, infrastructure, financial services and healthcare. It is recognised in regulatory expectations (for example DORA in financial services and NIS2 in critical infrastructure, both of which expect a documented risk management framework) and forms the baseline for board-level risk reporting. Alignment matters not because the standard is enforced (in most jurisdictions it is not) but because it is the methodology auditors and regulators recognise. Risk frameworks built outside ISO 31000 often have to be re-mapped onto its vocabulary when regulators review them.
How Norrsent handles it
Norrsent's risk methodology, scoring approach, lifecycle, and reporting are designed around ISO 31000:2018 from the first day of deployment, not retrofitted via mappings. Framework alignment documentation comes with onboarding, so the audit firm or regulator can trace any risk record back to the standard's process.
Common questions
- Is ISO 31000 certifiable?
- No. ISO 31000 is a guidelines standard (it contains no auditable 'shall' requirements), not a management-system standard like ISO 27001 or ISO 9001. There is no ISO 31000 certificate. Organisations declare alignment; auditors test how well the methodology fits the standard's principles, framework and process.
- What's the difference between ISO 31000 and IEC 31010?
- ISO 31000 defines the framework. IEC 31010:2019 (Risk assessment techniques) is a companion standard that catalogues specific techniques — bow-tie, FMEA, scenario analysis, Monte Carlo, and others — compatible with ISO 31000. Most enterprise programmes reference both.
- Does ISO 31000 alignment satisfy DORA, NIS2, or Solvency II?
- On its own, no. None of these regulations mandates ISO 31000, and alignment with it does not satisfy any of them by itself. DORA, NIS2 and Solvency II layer specific obligations (operational resilience testing, ICT third-party risk, incident reporting, capital calculations) on top of a sound risk management framework. ISO 31000 alignment is the foundation that makes those obligations easier to evidence; the regulation adds the specifics.