To provide guidelines for implementing ISO/IEC 27001 controls

To offer guidance on managing information security risks

To define cybersecurity incident response procedures

To standardize encryption algorithms

ISO/IEC 27001 (ISMS requirements)

ISO/IEC 27002 (Security controls)

ISO/IEC 27017 (Cloud security)

ISO/IEC 27031 (ICT disaster recovery)

Risk identification

Risk assessment

Risk transfer (insurance)

Risk treatment

Inherent risk is before controls, residual risk is after controls

Inherent risk is financial, residual risk is operational

Inherent risk is external, residual risk is internal

They are the same

Only quantitative methods

Only qualitative methods

A combination of qualitative and quantitative methods

No specific method is prescribed

To define the maximum budget for cybersecurity

To set the level of risk an organization is willing to accept

To measure employee awareness of risks

To determine insurance premiums

Risk avoidance (discontinuing the activity)

Risk sharing (outsourcing)

Risk acceptance (tolerating the risk)

All of the above