CISSP PRACTICE QUESTIONS – 20210721

Effective CISSP Questions

You are learning about risk management. Which of the following provides the most general concept of risk and applies to the most comprehensive contexts? (Wentz QOTD)
A. NIST Generic Risk Model
B. NIST Risk Management Framework
C. ISO 31000
D. ISO 27005

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. ISO 31000.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial on information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

What is Risk?

ISO 31000 provides generic risk management guidelines that can be applied to various contexts across different sizes of organizations. ISO 27005 aligns with ISO 31000 but focuses on information security risk.

ISO 31000:2018 provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.

ISO 31000:2018 provides a common approach to managing any type of risk and is not industry or sector specific.

ISO 31000:2018 can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.

Source: ISO 31000

NIST Risk Management Framework (RMF)

The NIST Risk Management Framework (RMF) focuses specifically on risk at the information system level. NIST FARM (frame, assess, respond to, and monitor risk) provides risk management approaches that can be applied at different tiers/levels of an organization; however, NIST guidance concentrates mostly on the information systems tier. The NIST generic risk model describes risk from the perspective of a threat, that is, risk as the potential for adverse impact.

NIST RMF – Risk Management Framework (NIST SP 800-12 R1)
RMF Transition

NIST FARM

NIST FARM
NIST FARM-Multi-Tier Architecture (Source: NIST)
NIST FARM-Enterprise Architecture
NIST FARM Assessment Methodology (Image Credit: NIST SP 800-30 R2)
NIST FARM-Assessment Process (Source: NIST SP 800-30 R2)
NIST Generic Risk Model (NIST SP 800-30 R1)

You are learning about risk management. Which of the following provides the most general concept of risk and applies to the most comprehensive contexts? (Wentz QOTD)
A. NIST Generic Risk Model
B. NIST Risk Management Framework
C. ISO 31000
D. ISO 27005
