As a CISO, you decide to implement an information security management system (ISMS) and to have it certified as compliant with the ISO 27001 standard, which requires actions to address risks and opportunities. You realize this requirement is about risk management and start evaluating risk management frameworks to meet it. To implement a risk management program, which of the following least meets the requirement?
A. NIST FARM Framework (Frame, Assess, Respond, and Monitor)
B. ISO 27002
C. ISO 27005
D. ISO 31000
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. ISO 27002.
ISO Standards
- ISO 31000:2018 Risk management — Guidelines
- ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management
- ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
Summary
- NIST FARM, ISO 31000, and ISO 27005 all cover the full risk management cycle: context establishment/framing, risk assessment, risk treatment/response, and risk monitoring.
- ISO 27002 covers only implementation guidance for the security controls selected during risk treatment; it is not a risk management framework in itself.