Risk management is increasingly seen as a means of improving the likelihood of success in complex engineering projects. Yet the presence of a legitimacy gap, driven by the lack of empirical validation of published best practices, might explain low adoption of risk management on projects. We present an empirical investigation and discussion of the eleven principles of the ISO 31000:2009 Risk Management Standard via a large-scale survey of engineering and product development practitioners. Adhering to the risk management principles at a high level was found to be a significant factor in better reaching cost, schedule, technical and customer targets, in addition to achieving a more stable project execution. This finding suggests that, rather than a single rigid standard or an ever-changing set of detailed methods, the ISO principles have potential to be the basis for our shared understanding of best practice, and to catalyze the professionalization of project risk management.