Can ISO 31000:2018 be Internationally Certified?

1. Introduction

ISO 31000:2018 (Risk Management – Guidelines) cannot be internationally certified by a Certification Body (CB). Here’s why:

  • ISO 31000 is a Guideline Standard, Not a Certifiable Standard
    • ISO 31000:2018 provides principles, a framework, and a process for risk management, but it does not contain requirements that can be audited for certification.
    • Unlike ISO standards such as ISO 9001 (Quality Management) or ISO/IEC 27001 (Information Security Management), which contain specific requirements that organizations must fulfil, ISO 31000 only offers guidance on how to implement risk management effectively.
  • Lack of Conformity Requirements
    • Certifiable ISO standards, such as ISO 9001, ISO 14001, and ISO/IEC 27001, contain clear requirements that an organization must meet.
    • These requirements are structured in a way that an independent Certification Body (CB) can audit and verify compliance.
    • However, ISO 31000:2018 is not structured with mandatory clauses but rather provides flexible recommendations on best practices for risk management.
  • Alternative Approach: Conformity Assessment & Integration with Other Standards
    • While organizations cannot be certified to ISO 31000, they can align their risk management processes with its principles and demonstrate compliance through internal or external assessments.
    • Many companies integrate ISO 31000’s principles with certifiable standards like:
      • ISO/IEC 27001 (Information Security Management) – which requires a risk management process that aligns with ISO 31000.
      • ISO 9001 (Quality Management System) – which includes risk-based thinking.
      • ISO 22301 (Business Continuity Management System) – which requires a structured risk management process.
  • ISO 31000 vs. ISO 31010
    • ISO 31000 should not be confused with ISO 31010 (Risk Assessment Techniques), which provides methods for risk assessment.
    • However, ISO 31010 is also not certifiable.

2. Conclusion

ISO 31000:2018 is a guideline standard meant to help organizations establish a risk management framework, but it does not contain specific, auditable requirements, so certification by a Certification Body is not possible.

Organizations can still use ISO 31000 to enhance their risk management practices and demonstrate compliance through other means, such as self-assessments, third-party evaluations, or integration with certifiable standards.