The Cyber Academy take
ISO 31000 is the international guidance standard for risk management, principles, framework, process, applicable to any organisation and any type of risk. It is not certifiable; the PECB pathway is Foundation, Risk Manager, then Lead Risk Manager. There is no ISO 31000 Lead Auditor: ISO 31000 is guidance, not a management-system standard, so there is nothing to audit against.
TL;DR
- 1ISO 31000 is guidance, not a certifiable management system. No Lead Auditor exists.
- 2PECB pathway: Foundation (2 days), Risk Manager (5 days), Lead Risk Manager (5 days). The senior credential is Lead Risk Manager.
- 3Foundation gives the vocabulary, the principles and the process model. Required prerequisite for the senior credentials.
- 4Risk Manager applies ISO 31000 to a specific scope. Lead Risk Manager leads the enterprise risk programme across functions.
- 5Complements ISO 27005 (information-security-specific risk) and EBIOS RM (strategic cyber scenarios), different lenses on the same risk discipline.
How the ISO 31000 pathway actually works in an organisation
ISO 31000 is not something you implement the way you implement a management system. There is no Statement of Applicability, no mandatory clauses to satisfy, no surveillance audit cycle. What you build instead is a risk management framework: a way for risk to be identified, analysed, treated, monitored and reported consistently across the organisation, and a process that people in operational roles actually follow. The standard gives you the principles and the vocabulary; the work is making them real in your governance, your committees and your decision points.
That is why the pathway runs the way it does. Foundation gives you the shared language so that "likelihood", "risk criteria", "risk appetite" and "residual risk" mean the same thing to everyone in the room. Risk Manager teaches you to run the process inside a defined scope: a department, a programme, a product line. Lead Risk Manager teaches you to design and steer the framework itself across functions, which is a governance job as much as a technical one.
The pathway is sequential by design. Foundation is the prerequisite for the senior credentials, so most practitioners start with the ISO 31000 Foundation course before deciding whether they need the Risk Manager or Lead Risk Manager level.
Choosing your level: Risk Manager or Lead Risk Manager
The decision is not about seniority on paper, it is about what you will be accountable for. Risk Manager is for the person who runs the risk process within a scope and owns a risk register: you facilitate workshops, score risks against agreed criteria, propose treatment, and keep the register honest over time. Lead Risk Manager is for the person who has to make the whole thing coherent across the organisation: set the risk criteria and appetite, design the framework, integrate it with strategy and the other assurance functions, and report to the board.
A useful test: if your job is to answer "what are our top risks in this area and what are we doing about them", Risk Manager is the right level. If your job is to answer "is our risk management framework fit for purpose, and can leadership rely on it to make decisions", you need Lead Risk Manager. Many people take Risk Manager first, run a programme for a year or two, then take Lead Risk Manager when they move into an enterprise or CISO-adjacent role.
| Level | Duration | Scope | Who it fits |
|---|---|---|---|
| Foundation | 2 days | Principles, framework and process model; vocabulary only, no implementation responsibility | Anyone who needs the shared language: analysts, project managers, auditors from other domains, newcomers to risk |
| Risk Manager | 5 days | Apply the ISO 31000 process inside a defined scope; own and run a risk register | Practitioners who facilitate assessments and manage risk for a department, programme or product |
| Lead Risk Manager | 5 days | Design and lead the enterprise risk framework; set criteria and appetite; report to leadership | Heads of risk, CISOs and senior GRC roles accountable for the whole programme |
Why there is no ISO 31000 Lead Auditor
This question comes up constantly because most other ISO credentials come in pairs: Lead Implementer and Lead Auditor, mirroring the certifiable standard behind them. ISO 31000 has no Lead Auditor because there is nothing to audit against. An audit checks conformity to requirements, the "shall" statements of a management-system standard such as ISO 27001 or ISO 9001. ISO 31000 contains guidance, the "should" of good practice, not requirements. You cannot certify an organisation to ISO 31000, so you cannot run a certification audit against it, so there is no auditor credential.
That does not mean risk management escapes assurance. It is assessed indirectly. When an ISO 27001 auditor examines your risk assessment and risk treatment process, they are checking conformity to ISO 27001 clauses 6.1 and 8.2/8.3, and ISO 31000 (often via ISO 27005) is the recognised reference for how that process should look. So the Lead Risk Manager builds the framework, and the management-system auditor tests whether the framework is applied where a certifiable standard requires it. They are two different jobs, and conflating them is the most common misunderstanding people bring into the training room.
How ISO 31000 complements ISO 27005 and EBIOS RM
These are not competing standards; they are different lenses on the same discipline, and senior practitioners use them together. ISO 31000 is the generic frame that applies to any risk in any organisation. ISO 27005 narrows that frame to information security risk, with the asset, threat and vulnerability detail that an ISMS needs. EBIOS Risk Manager, the French (ANSSI) method, comes at the problem from strategic attack scenarios and the ecosystem of attackers and stakeholders, which is strong for high-stakes cyber risk and increasingly expected in the EU public and regulated sectors.
The practical pattern is layered: ISO 31000 sets the principles, the framework and the process the whole organisation shares; ISO 27005 Risk Manager gives you the information-security-specific method that plugs into an ISO 27001 ISMS; and EBIOS Risk Manager gives you the scenario-driven, attacker-centric view for the cyber risks that matter most. They do not contradict each other, and the ISO 31000 vocabulary is what lets a team move between them without confusion.
| ISO 31000 | ISO 27005 | EBIOS RM | |
|---|---|---|---|
| Scope | Any risk, any organisation | Information security risk | Strategic cyber risk scenarios |
| Role | Principles, framework, process | IS-specific risk method for an ISMS | Attacker and ecosystem-driven analysis |
| Pairs with | Enterprise governance | ISO 27001 certification | ANSSI / regulated and public sector |
| Approach | Generic and top-down | Asset, threat, vulnerability | Scenario and stakeholder-driven |
Relevance beyond cyber, and the common mistakes
Because ISO 31000 is risk-type agnostic, the same framework covers operational, financial, supply-chain, project, safety, compliance and strategic risk. That is its real value to a CISO who wants a seat at the enterprise table: speaking ISO 31000 means speaking the language the board and the wider risk function already use, not a cyber dialect they have to translate. The credential travels well outside security, which is part of why it sits at the centre of a serious GRC career rather than at its edge.
The mistakes are consistent across organisations. People treat the risk register as a compliance artefact to produce once a year instead of a live decision tool. They define risk criteria that no one agrees with, so scoring becomes theatre. They confuse risk appetite (a leadership decision) with risk tolerance (the operating range), and let neither be set explicitly, which means treatment decisions have no anchor. And they skip Foundation, jumping a whole team into a Risk Manager course where half the room is still arguing about what "likelihood" means.
If you are building a programme rather than just sitting an exam, the order that works is: get the team through ISO 31000 Foundation for shared vocabulary, put your scope owners through ISO 31000 Risk Manager, and have whoever owns the enterprise framework take ISO 31000 Lead Risk Manager. That sequence avoids the most expensive failure mode, which is a framework that only one person understands.
Frequently asked questions
01Why is there no ISO 31000 Lead Auditor?
ISO 31000 is guidance, not a management-system standard. There is no certifiable system to audit against. Some training catalogues advertise ISO 31000 Lead Auditor; the credential does not exist within the PECB programme. People asking for it usually mean ISO 27001 Lead Auditor (which audits the ISMS using ISO 27005 risk methodology) or ISO/IEC 27005 Risk Manager (which applies the methodology to information security).
If your auditor expects an ISO 31000 audit, push back: there is no certifiable conformity criterion. They likely mean a maturity assessment of the risk-management framework, which is a different exercise.
02Risk Manager or Lead Risk Manager, which is right for me?
Risk Manager (5 days) is for practitioners running a defined risk scope: a department, a programme, a subsidiary. The course teaches you to operate ISO 31000 within that scope. Most GRC analysts and risk officers stop here.
Lead Risk Manager (5 days) is for senior practitioners running the enterprise risk programme: setting the risk appetite, designing the framework, integrating risk across business units, reporting to the board. Required when the role title is Head of Risk, Chief Risk Officer, or equivalent.
03How does ISO 31000 sit alongside ISO 27005?
Different scopes. ISO 31000 is the generic risk-management guidance, applies to financial risk, operational risk, strategic risk, compliance risk, information-security risk, anything. ISO 27005 is the application of ISO 31000 principles specifically to information-security risk in an ISO 27001 ISMS context.
A risk practitioner with ISO 31000 credentials operates across the enterprise. An information-security risk specialist with ISO 27005 credentials operates inside the ISMS scope. Senior practitioners often hold both.
04Is ISO 31000 relevant outside cybersecurity?
Yes, very. ISO 31000 is sector-agnostic. It is used in financial risk management (alongside Basel and Solvency frameworks), enterprise risk management (alongside COSO ERM), supply-chain risk, environmental risk, project risk and operational risk. The principles and process model are identical across domains; only the asset and threat categories change.




