Which standard provides a model for information security risk management?

The correct choice is ISO/IEC 27005, which specifically focuses on information security risk management. This standard is part of the ISO/IEC 27000 family of standards, which guide organizations in implementing and managing an adequate information security management system (ISMS).

ISO/IEC 27005 provides guidelines for the risk management process, outlining how to manage and assess the risks associated with information security threats. It emphasizes identifying risks, analyzing them, assessing their impact, and determining risk treatment options. By providing a structured approach to understanding and mitigating risks, this standard helps organizations to prioritize their security efforts and resources effectively.

In contrast, other options serve different purposes within the broader context of information security. ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS, while ISO/IEC 27002 offers best practice recommendations for implementing information security controls. ISO/IEC 27018 focuses on the protection of personal data in the cloud. While all these standards contribute to a comprehensive information security framework, it is ISO/IEC 27005 that is specifically dedicated to the aspect of risk management.