The requirement is specifically for a framework that explains how to identify, assess, and treat information security risks within the context of an Information Security Management System (ISMS). The ISO/IEC standard dedicated to information security risk management is ISO/IEC 27005. It provides guidance on establishing a risk management process aligned with the ISO/IEC 27000 family and supports the ISMS by describing context establishment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, and ongoing risk communication, monitoring, and review. It is guidance only; organizations are not certified against ISO/IEC 27005.
This focus on the "how" of risk management is what distinguishes ISO/IEC 27005 from the other options. ISO/IEC 27001:2022 is the standard that specifies the requirements to establish, implement, maintain, and continually improve an ISMS. It requires that a risk assessment process be defined and performed and that a risk treatment plan be produced (clauses 6.1.2 and 6.1.3), but it does not prescribe a detailed methodology for carrying out those activities. ISO/IEC 27002:2022 is a reference catalog of information security controls with implementation guidance (the "what" controls you can select to treat risk), rather than a risk assessment and treatment methodology; the term "code of practice" belonged to the 2013 edition's title. ISO/IEC 27701:2019 extends ISO/IEC 27001 and ISO/IEC 27002 to privacy information management (PIMS) and focuses on privacy-specific requirements and controls, not the general information security risk management lifecycle.
Because the question asks for a standard that addresses the identification, assessment, and treatment of information security risks as part of an ISMS, ISO/IEC 27005 is the best match. It complements ISO/IEC 27001 by giving organizations practical guidance for building and running the risk management process that ISO/IEC 27001 requires, so that risk decisions are systematic, repeatable, documented, and suitable for governance review and continual improvement.