Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which ISO standard focuses specifically on risk management guidance?

  1. ISO/IEC 31000

  2. ISO/IEC 27005

  3. ISO/IEC 27017

  4. ISO/IEC 20000

The correct answer is: ISO/IEC 31000 (option 1; note that this standard is actually published by ISO alone as ISO 31000, not as a joint ISO/IEC standard)

The ISO standard that focuses specifically on risk management guidance is ISO/IEC 31000, published as ISO 31000 and titled "Risk management - Guidelines". It provides principles, a framework and a process for managing risk that can be applied by any organization, regardless of its type, size or sector. It stresses integrating risk management into governance and strategic planning so that risks are treated in a structured and consistent manner, and it sets out a systematic process for identifying, analysing, evaluating and treating risks, so that an organization recognizes potential problems early and puts proportionate measures in place to mitigate them. The other options address related topics but do not center on general risk management guidance. ISO/IEC 27005 provides guidance on managing information security risk in particular; it supports an ISO/IEC 27001 information security management system and is aligned with the ISO 31000 process, but it is scoped to information security rather than to a broader risk management framework. ISO/IEC 27017 is a code of practice for information security controls for cloud services (an extension of ISO/IEC 27002), and ISO/IEC 20000 is the IT service management standard. Thus, while these may involve elements of risk management, they are not primarily centered on it as ISO