ISO 27001 vs ISO 31000: Differences, Starting Points, and How They Work Together

  • What is the difference between ISO 27001 and ISO 31000?
  • Published by: André Hammer on Apr 05, 2024
Group classes

ISO/IEC 27001 and ISO 31000 address related but different governance needs: one focuses on managing information security, while the other guides risk management across an organisation.

ISO/IEC 27001:2022 is a certifiable management system standard for establishing, operating, maintaining and improving an information security management system, usually called an ISMS. ISO 31000:2018 is guidance for risk management at enterprise level; it helps organisations make better decisions under uncertainty, but it is not a certifiable management system standard.

The distinction matters because the two standards are often discussed as alternatives when they are more useful as complements. ISO 27001 gives structure, auditability and evidence requirements for information security. ISO 31000 gives senior leaders a broader language for risk principles, governance, appetite and decision-making across strategic, operational, financial and compliance domains.

ISO 27001 vs ISO 31000 at a glance

The simplest way to separate the standards is to ask what each one is trying to produce. ISO 27001 produces an ISMS that can be independently audited and certified. ISO 31000 produces a risk management approach that can be adopted, adapted and embedded across the organisation, but there is no ISO 31000 certification equivalent to an ISO 27001 certificate.

This does not make one standard more mature than the other. They operate at different levels. ISO 27001 is narrower and more prescriptive because certification requires defined requirements, documented evidence and a repeatable audit trail. ISO 31000 is broader because enterprise risk management needs to work across many kinds of objectives, decision forums and operating models.

AreaISO/IEC 27001:2022ISO 31000:2018
Primary scopeInformation security management through an ISMSRisk management across organisational objectives
CertifiabilityCertifiable through an external ISMS auditGuidance only; not certifiable
Main artefactsISMS scope, risk criteria, risk assessment results, risk treatment plan, Statement of Applicability and evidence of control operationRisk management policy, risk appetite statements, governance model, enterprise risk registers, treatment plans and reporting structures
Typical ownersCISO, information security manager, compliance manager or ISMS ownerBoard, executive leadership, enterprise risk function, risk committees and business owners
Typical outputsAuditable information security risk management and continual improvementConsistent risk-informed decision-making across the organisation

ISO.org identifies ISO/IEC 27001:2022 as the international standard for information security management systems, while ISO 31000:2018 is presented as risk management guidance. That difference should shape expectations from the start: ISO 27001 can result in certification, while ISO 31000 should result in a better risk management framework and stronger governance conversations.

Where ISO 27001 fits

ISO/IEC 27001:2022 is designed for organisations that need a systematic way to protect information. It requires the organisation to define the scope of its ISMS, understand interested parties, assess information security risks, select and justify risk treatments, evaluate performance and continually improve the system.

Its value is especially clear when customers, regulators, procurement teams or business partners expect independent assurance. Certification does not guarantee that incidents will never occur, but it shows that the organisation has implemented a managed system for identifying, treating and reviewing information security risks.

A common mistake is to treat ISO 27001 as if it mandates a single risk assessment method. It does not. Auditors are usually more concerned with whether the organisation has defined risk criteria, applies its method consistently, maintains evidence, records treatment decisions, obtains acceptance where appropriate and reviews changes over time. A simple method applied consistently is often more defensible than a complex matrix that teams do not understand.

Another nuance is Annex A. The controls in Annex A support risk treatment, but they are not a universal checklist that every organisation must implement in full. The organisation must determine which controls are applicable based on its risk assessment and justify inclusions or exclusions in the Statement of Applicability. Readers working through the current edition may find the article on ISO 27001:2022 changes and Annex A mapping useful when aligning older documentation to the 2022 structure.

Where ISO 31000 fits

ISO 31000:2018 is broader than information security. It gives organisations a way to think about risk as part of governance, strategy, planning, operations, reporting and decision-making. Its principles are relevant to cyber risk, but also to supply chain risk, financial risk, safety risk, operational resilience and strategic uncertainty.

The standard is particularly useful when an organisation lacks a shared vocabulary for risk. Without a common framework, security teams may describe risks in technical language, finance may describe them in monetary terms, and executive committees may focus on strategic exposure. ISO 31000 helps create a common structure so these views can be compared and escalated coherently.

Governance terms need careful handling. Risk appetite describes the amount and type of risk an organisation is willing to pursue or retain in pursuit of objectives, while risk tolerance is usually more specific and operational. Confusing the two leads to vague dashboards and inconsistent decisions. A separate explanation of risk appetite vs risk tolerance can help when translating board-level language into measurable criteria for information security risk decisions.

The most important limitation is that ISO 31000 should not be presented as something an organisation can become certified against in the same way as ISO 27001. It can be assessed internally, used by auditors as a reference point, or adopted as a governance model, but treating it as a certifiable destination creates confusion and weakens stakeholder expectations.

How the two standards connect in practice

The strongest connection between the standards is the movement from enterprise risk context to information security execution. ISO 31000 can help define the organisation’s risk principles, appetite, governance model and reporting expectations. ISO 27001 can then translate those expectations into the ISMS scope, information security risk criteria, risk treatment decisions and evidence model.

Clause 4 of ISO/IEC 27001:2022 is an important touchpoint because it requires the organisation to understand its context, interested parties and ISMS scope. ISO 31000 supports this by encouraging risk management to be integrated into organisational governance and aligned with objectives. In practice, that means the ISMS should not be scoped only around technology assets; it should reflect business services, contractual obligations, regulatory exposure and the expectations of stakeholders who rely on the information being protected.

Clause 6.1 of ISO 27001 is another key connection. It deals with actions to address risks and opportunities, including information security risk assessment and treatment. ISO 31000 can inform the principles behind that process, but ISO 27001 still requires the ISMS to produce auditable outputs. The organisation needs defined criteria for accepting risk, a repeatable assessment approach, documented results and evidence that treatment plans are implemented and reviewed.

ISO/IEC 27005 also has a practical role here. ISO 31000 sets broad risk management principles, and ISO 27001 sets ISMS requirements; ISO 27005 helps operationalise information security risk management in a way that can support ISO 27001 while remaining consistent with enterprise risk thinking. It is often useful when teams need more detailed guidance for identifying, analysing, evaluating and treating information security risks without inventing their own method from scratch. A practical ISO 27005 risk assessment guide can help teams turn high-level requirements into repeatable working practices.

Which standard should come first?

The right starting point depends on the pressure the organisation is trying to resolve. If a company needs customer assurance, procurement eligibility, stronger information security governance or a certifiable ISMS, ISO 27001 is usually the more direct starting point. It gives the organisation a defined project boundary, clearer audit evidence and a tangible certification outcome.

An ISMS-first path often suits small and mid-sized organisations because it creates structure around a specific risk domain. The implementation can begin with a scoped business unit, service or set of systems, then mature over time. The main pitfall is building a narrow security programme that does not connect to enterprise risk appetite, which can leave treatment decisions dependent on the security team rather than business ownership.

An enterprise risk management-first path often suits larger organisations with multiple divisions, complex governance structures or inconsistent risk reporting. ISO 31000 can reduce organisational friction by establishing common language, escalation routes and appetite statements before individual risk domains are formalised. The main pitfall is staying too abstract: risk principles and frameworks are useful only when they influence decisions, budgets, ownership and treatment plans.

In many organisations the practical answer is a staged approach. The enterprise risk function defines the overall risk context and appetite, while the security function builds or improves the ISMS using ISO 27001. Over time, information security risks can be reported into enterprise risk governance using consistent categories, ownership expectations and decision thresholds.

Implementation scenarios and common pitfalls

A smaller organisation pursuing ISO 27001 for customer assurance may start with an ISMS scope covering the product, platform or service that customers depend on. Early work typically focuses on defining the scope, identifying information security risks, selecting treatments, documenting the Statement of Applicability and producing evidence that controls operate. The challenge is keeping the system proportionate. Over-engineered risk matrices, excessive documentation and asset-only registers can slow progress without improving decision quality.

By contrast, a large enterprise may begin with ISO 31000 because risk ownership is fragmented across business units. In that scenario, the first priority is often governance: who owns which risks, how appetite is expressed, how risks are escalated and how treatment accountability is tracked. Once that foundation is in place, ISO 27001 can be used to formalise the information security part of the model. The challenge is avoiding a framework that looks coherent on paper but does not change how investment decisions are made.

Several mistakes appear repeatedly in ISO 27001 and ISO 31000 alignment projects. Treating ISO 31000 as certifiable is the most obvious. Another is forcing every information security risk into an asset-only register when business processes, suppliers, legal obligations and service dependencies may be better risk anchors. A third is confusing risk appetite with risk tolerance, which can cause senior leaders to approve broad statements while operational teams lack measurable thresholds for action.

Success should be measured through outcomes rather than document volume. For ISO 27001, useful indicators may include the age of untreated high-priority ISMS risks, time to close agreed treatment actions, percentage of controls with recent evidence and the number of overdue risk acceptances. For ISO 31000, useful indicators may include the percentage of strategic risks with named owners, the number of material risks with active treatment plans, the quality of escalation decisions and the consistency of risk reporting across business units.

Relationship with NIST and other frameworks

Many organisations also use NIST publications, especially in technology and public-sector environments. The NIST Risk Management Framework is not a direct substitute for ISO 27001 or ISO 31000, but it provides a useful comparison point because it also links risk management, system categorisation, control selection, implementation, assessment, authorisation and monitoring.

In practice, organisations do not need to choose a single reference model for every purpose. ISO 31000 can frame enterprise risk governance, ISO 27001 can provide the certifiable ISMS requirements, ISO 27005 can guide information security risk assessment, and the NIST RMF can inform control lifecycle thinking where it is already familiar to stakeholders. The challenge is maintaining traceability so teams understand which framework is being used for governance, which is being used for certification, and which is being used for technical control management.

Building capability without losing governance

Training should not focus only on passing an audit or memorising standard clauses. Security managers, risk owners and internal auditors need to understand how risk context, assessment criteria, treatment choices and acceptance decisions connect. That is where structured learning can help, particularly when an organisation is preparing people to own parts of an ISMS rather than leaving all evidence and interpretation to a small compliance team.

Readynez provides ISO training options through its ISO courses and certifications, which may be relevant for teams building ISO 27001 capability or aligning security work with wider governance expectations. Some organisations also use Unlimited Security Training when several security and governance roles need a shared baseline across related topics.

The learning priority should match the implementation route. An ISMS-first organisation needs people who can define scope, maintain evidence, run risk assessments and prepare for audits. An ERM-first organisation needs people who can connect security risk with enterprise decision-making, ownership and appetite. Both routes require enough practical understanding to avoid turning risk management into a documentation exercise.

FAQ

What is the main difference between ISO 27001 and ISO 31000?

ISO/IEC 27001:2022 is a certifiable standard for information security management systems. ISO 31000:2018 is guidance for risk management across an organisation and is not certifiable in the same way.

Does ISO 27001 require a specific risk assessment method?

No. ISO 27001 requires the organisation to define and apply an information security risk assessment process, but it does not mandate one specific method or matrix. Auditors look for consistency, defined criteria, documented results, treatment decisions and evidence of review.

Can ISO 31000 be certified?

No. ISO 31000 is a guidance standard for risk management. Organisations can use it to improve governance and risk practices, but it is not a certifiable management system standard like ISO 27001.

Where does ISO 27005 fit with ISO 27001 and ISO 31000?

ISO 27005 provides guidance for information security risk management. It can help teams design a risk assessment and treatment process that supports ISO 27001 requirements while remaining consistent with broader ISO 31000 risk management principles.

Should an organisation start with ISO 27001 or ISO 31000?

An organisation that needs a certifiable ISMS or customer assurance will often start with ISO 27001. An organisation with fragmented enterprise risk governance may start with ISO 31000 to establish common language, ownership and appetite before formalising specific domains such as information security.

Making the two standards work together

ISO 27001 and ISO 31000 work best when they are treated as connected layers of governance. ISO 31000 helps define how the organisation thinks about risk, while ISO 27001 turns information security risk management into a structured, auditable system with evidence, ownership and continual improvement.

The most effective next step is to decide which problem needs solving first: external assurance through an ISMS, or broader consistency in enterprise risk management. From there, the organisation can build the missing layer without duplicating registers, confusing certification expectations or separating security risk from business decision-making. If structured guidance would help, Readynez can be contacted through the contact page to discuss ISO learning paths in context.

Related resources

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}