Which standard is responsible for providing guidelines on risk management in organizations?


ISO 31000:2009 is the standard that provides comprehensive guidelines on risk management within organizations. It establishes a framework and a process for risk management that can be tailored to the needs of any organization. ISO 31000 emphasizes the importance of integrating risk management into an organization’s overall governance, strategy, and decision-making processes.

The guidelines it offers cover how to effectively identify, assess, manage, and communicate risks, ensuring that organizations can make informed decisions and achieve their objectives while minimizing potential adverse effects. This makes it a foundational standard for any organization looking to enhance its risk management capabilities and maintain resilience against uncertainty.

In contrast, the other options serve different purposes: ISO 14001 focuses on environmental management systems, NIST SP 800-37 provides a framework specifically for information security risk management, and ISO 27001 sets requirements for information security management systems. While all these standards address aspects of risk, ISO 31000:2009 is the one specifically aimed at broad organizational risk management.
