Risk management — Principles and guidelines
Publication date: 2009-11-13
ISO 31000:2009 provides principles and generic guidelines on risk management.
ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector.
ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.
It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.
ISO 31000:2009 is not intended for the purpose of certification.