
100+ Free ISO 31000 RM Practice Questions

Pass your PECB Certified ISO 31000 Risk Manager exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: ISO 31000 RM Exam

  • Passing Score: 70% (PECB)
  • Exam Questions: 80 (120-minute exam)
  • Study Time: 40-60 hrs (Recommended)
  • Exam Fee (USD): $800 (PECB)
  • Certification Valid: 3 years (PECB)
  • Current Standard: ISO 31000:2018 (ISO second edition)

ISO 31000 Risk Manager (PECB) is a globally recognized credential covering enterprise risk management aligned with ISO 31000:2018 and IEC 31010:2019. The exam contains 80 multiple-choice questions in 120 minutes and requires 70% to pass. Key topics include the 8 risk management principles, the 6-component framework, the risk management process (scope/context/criteria, assessment, treatment, monitoring), the 7 treatment options (avoid, take/increase, remove source, change likelihood, change consequences, share, retain), and IEC 31010 techniques such as bow-tie, FMEA, HAZOP, and Monte Carlo. Typical exam fee is $800 USD.

Sample ISO 31000 RM Practice Questions

Try these sample questions to test your ISO 31000 RM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. According to ISO 31000:2018, how is risk defined?
A. The probability of a negative event occurring within a defined time horizon
B. The effect of uncertainty on objectives
C. A threat exploiting a vulnerability to cause harm to assets
D. The product of likelihood and consequence of an adverse outcome
Explanation: ISO 31000:2018 defines risk as 'the effect of uncertainty on objectives.' This definition is intentionally broad: the effect can be positive (opportunity) or negative (threat), and the uncertainty is about events, their consequences, or their likelihood. The other options are common informal definitions but are not the standard's wording.

2. How many risk management principles are stated in ISO 31000:2018?
A. 5
B. 8
C. 11
D. 20
Explanation: ISO 31000:2018 defines 8 principles: Integrated; Structured and comprehensive; Customized; Inclusive; Dynamic; Best available information; Human and cultural factors; and Continual improvement. The 2009 version had 11 principles, which were consolidated to 8 in 2018. COSO ERM 2017 has 20 principles, which is a different framework.

3. Which statement about ISO 31000 certification is correct?
A. Organizations can be certified to ISO 31000 by accredited bodies after a stage 1 and stage 2 audit
B. ISO 31000 is a guidance standard; organizations cannot be certified to it, though individuals can earn PECB credentials
C. ISO 31000 certification is mandatory for any organization claiming to be ISO 27001 compliant
D. ISO 31000 is a management system standard equivalent to ISO 9001 for risk management
Explanation: ISO 31000:2018 is explicitly a guidance document, not a management system standard. There is no Annex SL high-level structure and no auditable requirements, so organizations cannot be certified to ISO 31000. Individuals, however, can validate their competency via PECB credentials such as ISO 31000 Foundation, Risk Manager, and Lead Risk Manager.

4. Which of the following is NOT one of the three elements of risk management described in ISO 31000:2018?
A. Principles
B. Framework
C. Process
D. Audit
Explanation: ISO 31000:2018 is built on three interrelated elements: Principles (the why and characteristics of effective risk management), Framework (the how — leadership, integration, design, implementation, evaluation, improvement), and Process (the operational steps from communication through recording). Audit is not part of this three-element model; ISO 31000 is not auditable as a standalone standard.

5. Which ISO 31000:2018 principle emphasizes that risk management should consider the behaviors and perceptions of people at all levels?
A. Integrated
B. Structured and comprehensive
C. Human and cultural factors
D. Best available information
Explanation: The 'Human and cultural factors' principle recognizes that risk management is influenced by — and influences — human behavior and culture at all levels of the organization. ISO 31000:2018 explicitly calls out that capabilities, perceptions, and intentions of people facilitate or hinder the achievement of objectives.

6. How many components are in the ISO 31000:2018 risk management framework?
A. 4
B. 5
C. 6
D. 7
Explanation: The ISO 31000:2018 framework has 6 components: Leadership and commitment (central), Integration, Design, Implementation, Evaluation, and Improvement. The 2009 version used a Plan-Do-Check-Act cycle with 5 elements. The 2018 version places Leadership and commitment at the center to emphasize top management's role.

7. Which framework component is at the center of the ISO 31000:2018 framework diagram?
A. Integration
B. Leadership and commitment
C. Implementation
D. Continual improvement
Explanation: Leadership and commitment is at the center of the 2018 framework. It surrounds the other components (Integration, Design, Implementation, Evaluation, Improvement) because effective risk management requires that top management and oversight bodies ensure the framework is integrated into all organizational activities and demonstrate that commitment through policy, accountability, and resources.

8. Which sequence correctly lists the risk management process steps in ISO 31000:2018?
A. Identify, Analyze, Evaluate, Treat, Monitor, Communicate, Report
B. Communication and consultation; Scope, context, criteria; Risk assessment; Risk treatment; Monitoring and review; Recording and reporting
C. Plan, Do, Check, Act applied to a risk register
D. Establish context; Identify; Estimate; Evaluate; Respond; Audit
Explanation: The ISO 31000:2018 process consists of: (1) Communication and consultation — continuous, throughout; (2) Scope, context and criteria; (3) Risk assessment — Identification, Analysis, Evaluation; (4) Risk treatment; (5) Monitoring and review — ongoing; (6) Recording and reporting. Communication, consultation, monitoring, and review run throughout the process, not just as discrete steps.

9. What are the three steps that make up risk assessment under ISO 31000:2018?
A. Risk identification, risk analysis, risk evaluation
B. Threat modeling, vulnerability analysis, impact assessment
C. Risk scoring, risk ranking, risk acceptance
D. Risk detection, risk classification, risk monitoring
Explanation: Risk assessment in ISO 31000 consists of risk identification (finding, recognizing, describing risks), risk analysis (understanding nature, sources, likelihood, consequences), and risk evaluation (comparing analysis results against criteria to decide whether risk is acceptable or needs treatment).

10. An organization decides to discontinue selling a product line because the regulatory risk has become unacceptable. Which risk treatment option does this represent?
A. Sharing the risk through insurance
B. Avoiding the risk by deciding not to continue the activity
C. Retaining the risk by informed decision
D. Changing the likelihood of the risk
Explanation: Discontinuing the activity that gives rise to the risk is the 'avoidance' option in ISO 31000:2018, described as 'avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.' Sharing would mean insurance/contract, retaining means accepting it, and changing likelihood means reducing the chance of occurrence (e.g., new controls).

About the ISO 31000 RM Exam

The PECB Certified ISO 31000 Risk Manager certification validates your ability to support an organization in establishing and managing a risk management process based on ISO 31000:2018 and IEC 31010:2019. The exam covers the 8 ISO 31000 principles, the 6-component framework (Leadership and commitment, Integration, Design, Implementation, Evaluation, Improvement), and the full risk management process. Because ISO 31000 is guidance and not a management system standard, organizations themselves are not certifiable against it — but individuals can validate their risk management competence through this PECB credential.

  • Questions: 80 scored questions
  • Time Limit: 120 minutes
  • Passing Score: 70%
  • Exam Fee: $800 USD (PECB)

ISO 31000 RM Exam Content Outline

  • Fundamental Principles and Concepts (20%): Risk terminology, the 8 ISO 31000:2018 principles, and ISO 31000 as guidance rather than a certifiable standard
  • Risk Management Framework (25%): Leadership and commitment, Integration, Design, Implementation, Evaluation, Improvement
  • Risk Management Process (ISO 31000) (40%): Communication, scope/context/criteria, assessment, treatment, monitoring, recording and reporting
  • Risk Assessment Techniques (IEC 31010) (15%): Bow-tie, FMEA, HAZOP, Delphi, Monte Carlo, fault and event tree analysis, technique selection

How to Pass the ISO 31000 RM Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 80 questions
  • Time limit: 120 minutes
  • Exam fee: $800 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ISO 31000 RM Study Tips from Top Performers

1. Read ISO 31000:2018 cover-to-cover — it is short (about 16 pages) and the exam tests precise terminology
2. Memorize the 8 ISO 31000:2018 principles in order and contrast them with the 11 principles in the 2009 version
3. Master the 6 framework components (Leadership and commitment, Integration, Design, Implementation, Evaluation, Improvement) and how they differ from the 2009 PDCA framework
4. Know the risk management process steps in order: Communication and consultation, Scope/Context/Criteria, Risk Assessment (Identification, Analysis, Evaluation), Risk Treatment, Monitoring and review, Recording and reporting
5. Study IEC 31010:2019 to recognize techniques like bow-tie (combines fault tree and event tree around a top event), HAZOP, FMEA/FMECA, Delphi, and Monte Carlo simulation
6. Understand the distinction between inherent risk and residual risk, and between risk appetite (amount willing to take) and risk tolerance (acceptable variation)
7. Be ready for scenario questions: given a situation, identify the correct process step, principle, treatment option, or technique

Frequently Asked Questions

What is the ISO 31000 Risk Manager exam format?

The PECB ISO 31000 Risk Manager exam consists of 80 multiple-choice questions delivered over a 120-minute time limit. A 70% score is required to pass. The exam is offered online through the PECB app or at PECB exam centers and covers four competency domains aligned with ISO 31000:2018 and IEC 31010:2019.

Can an organization be certified to ISO 31000?

No. ISO 31000:2018 is a guidance standard, not a management system standard. Organizations cannot obtain ISO 31000 certification themselves. However, individuals can validate their risk management knowledge and skills against ISO 31000 through PECB credentials such as Foundation, Risk Manager, and Lead Risk Manager. ISO 31000 informs other certifiable standards (e.g., ISO 27001, ISO 22301) by providing the underlying risk methodology.

What changed in ISO 31000:2018 vs the 2009 version?

The 2018 second edition reduced the principles from 11 to 8 (Integrated, Structured and comprehensive, Customized, Inclusive, Dynamic, Best available information, Human and cultural factors, Continual improvement) and replaced the PDCA-style framework with a 6-component framework centered on Leadership and commitment (Integration, Design, Implementation, Evaluation, Improvement). The process is simplified and emphasizes value creation, with risk now defined as 'the effect of uncertainty on objectives' (both positive and negative effects).

What are the risk treatment options in ISO 31000?

ISO 31000:2018 lists seven possible treatment options: (1) avoiding the risk by deciding not to start or continue the activity; (2) taking or increasing the risk to pursue an opportunity; (3) removing the risk source; (4) changing the likelihood; (5) changing the consequences; (6) sharing the risk (insurance, contracts, partnerships); and (7) retaining the risk by informed decision. These are often summarized as the five core options of avoid, modify likelihood, modify consequences, share, and retain — plus take/increase to pursue opportunity and remove the source.

How does ISO 31000 differ from COSO ERM 2017?

ISO 31000:2018 is a principles-based, generic guidance standard (about 16 pages) applicable to any organization. COSO ERM 2017 (Enterprise Risk Management — Integrating with Strategy and Performance) is a US-developed framework with 5 components and 20 principles, focused on integrating risk with strategy-setting and performance. ISO 31000 emphasizes integration into all activities; COSO ERM emphasizes alignment with strategy. Many organizations use both — ISO 31000 for risk methodology and COSO for governance reporting.

Is the ISO 31000 Risk Manager certification worth it in 2026?

Yes — with regulators worldwide (EU NIS2, SEC cyber disclosures, climate risk via TCFD/IFRS S2) demanding documented risk programs, ISO 31000 expertise is in growing demand across all sectors. The credential is vendor-neutral, internationally recognized, and applicable to enterprise risk, operational risk, project risk, and compliance risk roles. It pairs well with ISO 27005 (infosec risk), ISO 22301 (business continuity), or COSO ERM training.