What is the primary objective of ISO 31000?

ISO 31000 provides international guidelines to systematically manage risk as the effect of uncertainty on objectives, enabling organizations to create and protect value. It outlines eight principles, a framework (Clause 5), and a process (Clause 6) for integration into governance, strategy, and operations across any organization size or sector.

Who is legally or professionally required to comply with ISO 31000?

No organization is legally required to comply with ISO 31000, as it offers voluntary guidelines applicable to any entity regardless of size, type, or sector. Professionally, boards, executives, and risk officers in high-exposure areas like finance, healthcare, and manufacturing adopt it to enhance decision-making, resilience, and stakeholder trust through structured risk practices.

Does ISO 31000 require an external audit or third-party certification?

No, ISO 31000 does not require external audit or third-party certification, as it provides guidelines rather than auditable requirements. ISO explicitly states it is "not intended for certification purposes"; alignment is demonstrated via internal governance, records, monitoring, and management reviews.

How often should an assessment for ISO 31000 be performed?

ISO 31000 assessments should be performed iteratively and dynamically, with monitoring and review conducted continually or triggered by changes in context, rather than on a fixed schedule. The dynamic principle and Clause 6.5 mandate ongoing checks via KRIs, periodic reviews (e.g., quarterly), and event-driven reassessments for effectiveness.

What are the consequences of non-compliance with ISO 31000?

ISO 31000 has no direct legal consequences for non-compliance, as it is a non-mandatory guideline standard. Indirect impacts include heightened operational losses, regulatory scrutiny in aligned regimes, reputational damage, and suboptimal decisions from unmanaged uncertainty on objectives.

Can ISO 31000 be mapped to other international frameworks?

Yes, ISO 31000 can be mapped to other international frameworks as its principles, framework, and process provide a foundational architecture for risk management. It aligns conceptually with standards like those for quality or security by offering a universal risk process (Clauses 4-6) adaptable to domain-specific requirements.

What is the first step to begin implementing ISO 31000?

The first step to implement ISO 31000 is to secure leadership commitment and establish the risk management framework per Clause 5. Top management must issue a risk management policy, define context, scope, criteria, roles, and integration into governance before scaling the Clause 6 process.

What is the primary objective of ISO 28000?

ISO 28000:2022 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, integrate leadership commitment, and ensure performance evaluation through audits and management reviews. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and not legally mandatory for any organization. It applies professionally to any entity influencing supply chain security, including logistics providers, manufacturers, retailers, ports, and government agencies of all sizes. Adoption is driven by customer contracts, insurer requirements, trade facilitation programs, or risk reduction needs, with top management accountable for SMS integration into business processes per Clause 5.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally. Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation) and Stage 2 (implementation) audits, plus surveillance. Organizations must conduct internal audits at planned intervals (Clause 9.2) to ensure SMS effectiveness.

How often should an assessment for ISO 28000 be performed?

Risk assessments under ISO 28000 must be maintained continuously, with reviews at planned intervals aligned to changes in context, risks, or performance. Clause 8.3 mandates ongoing risk assessment and treatment processes per ISO 31000 guidance, while Clause 9 requires monitoring, internal audits per a risk-based program, and management reviews at planned intervals to evaluate suitability, adequacy, and effectiveness.

What are the consequences of non-compliance with ISO 28000?

ISO 28000 non-compliance carries no direct legal penalties as it is voluntary, but results in unmanaged security risks, potential operational disruptions, and failure to meet contractual or partner obligations. Consequences include increased incident likelihood (theft, sabotage), loss of market access, higher insurance costs, and reputational damage, with Clause 10 requiring corrective actions for nonconformities to prevent recurrence.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns structurally with ISO management system standards via its PDCA clause structure (Clauses 4–10). It references ISO 31000 for risk processes (Clause 8.3), ISO 22300 vocabulary normatively, and encourages consistency with ISO 22301 for security plans, enabling integrated audits and shared governance like unified risk registers.

What is the first step to begin implementing ISO 28000?

The first step is determining the organization's context, interested parties, and SMS scope per Clause 4. This includes identifying internal/external issues, legal requirements, supply chain boundaries, and controls for externally provided processes, documented as foundational input for leadership policy (Clause 5) and risk planning (Clause 6).

Standards Comparison

ISO 31000 vs ISO 28000

ISO 31000

Voluntary

2018

International guidelines for enterprise risk management

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

ISO 31000 provides voluntary risk management guidelines for all organizations, while ISO 28000 is a certifiable standard for supply chain security. Companies adopt 31000 for enterprise resilience; 28000 for auditable logistics protection and compliance.

Risk Management

ISO 31000

ISO 31000:2018 Risk management — Guidelines

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Non-certifiable guidelines for any organization
Eight principles emphasizing integration and leadership
Framework embedding risk into governance operations
Iterative six-step risk management process
Defines risk as uncertainty effect on objectives

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based PDCA cycle for security management
Supply chain interdependencies and third-party controls
Top management leadership and policy commitment
Operational security plans and incident response
Performance evaluation via audits and reviews

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 31000 Details

What It Is

ISO 31000:2018, Risk management — Guidelines is an international standard providing non-certifiable guidance for systematic risk management. Its primary purpose is to help organizations manage uncertainty affecting objectives, applicable to any size, sector, or type. It uses a principles-based, iterative approach focused on creating and protecting value.

Key Components

Three pillars: Eight principles (e.g., integrated, customized, dynamic), framework (leadership, integration, design, implementation, evaluation, improvement), and process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).
No fixed controls; flexible, PDCA-aligned structure.
Non-certifiable; relies on internal governance and audits.

Why Organizations Use It

Enhances decision-making, resilience, and value creation; supports compliance in regulated sectors; builds stakeholder trust; reduces losses and captures opportunities without mandatory certification burdens.

Implementation Overview

Phased approach: leadership commitment, gap analysis, pilot process, integration, monitoring. Suited for all organizations; involves policy, training, tools like risk registers. No external certification required.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international standard specifying requirements for a security management system (SMS) focused on supply chain security. It provides a risk-based framework using the Plan-Do-Check-Act (PDCA) cycle to manage security risks like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment aligned with ISO 31000, operational controls, and security plans.
Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.
Optional third-party certification via ISO 28003 guidelines.

Why Organizations Use It

Reduces supply chain risks and ensures continuity.
Meets contractual, regulatory, and partner requirements.
Enhances resilience, insurance terms, and market access.
Builds stakeholder trust through auditable governance.

Implementation Overview

Phased approach: gap analysis, risk assessment, controls deployment, training, audits.
Applicable to all sizes/industries; scalable for logistics, manufacturing.
Involves internal audits, management reviews; certification via Stage 1/2 audits.

Key Differences

Aspect	ISO 31000	ISO 28000
Scope	Enterprise-wide risk management guidelines	Supply chain security management system
Industry	All industries, any organization size	Logistics, manufacturing, supply chain sectors
Nature	Non-certifiable guidelines	Certifiable management system standard
Testing	Internal reviews, no formal certification	Internal audits, external certification audits
Penalties	No legal penalties	Loss of certification, no legal penalties

Scope

ISO 31000

Enterprise-wide risk management guidelines

ISO 28000

Supply chain security management system

Industry

ISO 31000

All industries, any organization size

ISO 28000

Logistics, manufacturing, supply chain sectors

Nature

ISO 31000

Non-certifiable guidelines

ISO 28000

Certifiable management system standard

Testing

ISO 31000

Internal reviews, no formal certification

ISO 28000

Internal audits, external certification audits

Penalties

ISO 31000

No legal penalties

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about ISO 31000 and ISO 28000

ISO 31000 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 for Cloud & SaaS: A Practical Safeguard Playbook for AWS/Azure/GCP and Microsoft 365

Turn CIS Controls v8.1 into a cloud-first playbook for AWS, Azure, GCP & Microsoft 365. Get actionable IaaS/PaaS/SaaS safeguards, automation patterns, evidence

Beyond the Checkbox: Why Maturity Assessments are the Secret to Sustainable Compliance

Discover why maturity assessments beat binary compliance checks by uncovering hidden gaps and enabling continuous improvement for sustainable success. Read now!

NIST CSF 2.0 Govern Function Deep Dive: Building Executive Cybersecurity Governance from Scratch

Step-by-step blueprint for NIST CSF 2.0 Govern function: templates, RACI matrices, metrics to elevate cybersecurity governance to boardroom level. Reduce breach

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 31000 and ISO 28000 compare against other standards

Other ISO 31000 Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Three pillars: Eight principles (e.g., integrated, customized, dynamic), framework (leadership, integration, design, implementation, evaluation, improvement), and process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).

No fixed controls; flexible, PDCA-aligned structure.

Non-certifiable; relies on internal governance and audits.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.

Emphasizes risk assessment aligned with ISO 31000, operational controls, and security plans.

Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.

Optional third-party certification via ISO 28003 guidelines.

Aspect

ISO 31000

ISO 28000

Scope

Enterprise-wide risk management guidelines

Supply chain security management system

Industry

All industries, any organization size

Logistics, manufacturing, supply chain sectors

Nature

Non-certifiable guidelines

Certifiable management system standard

Testing

Internal reviews, no formal certification

Internal audits, external certification audits

Penalties

No legal penalties

Loss of certification, no legal penalties