International Standardisation: ISO 31000 versus ISO 27005
Advanced Risk Management

0.0 Shifting from technical execution to strategic risk management.
1. Introduction to ISO/IEC 27005 and information security risk management
2. Information Security Risk Identification, Assessment, and Treatment (ISO/IEC 27005)
3 - Risk Acceptance, Communication, Monitoring and Review
4 - Risk Assessment Methodologies
05 - ISO 27005 Risk Assessment Using FMEA
At the macro-organisational level, the architecture of risk management is governed by established international standards, with ISO 31000 and ISO 27005 being preeminent in the corporate sphere.
ISO 31000 offers a universal and highly flexible risk management framework suitable for any risk an organisation faces, such as financial, strategic, operational, compliance, and reputational risks. Its strength is versatility and adaptability, allowing organisations to tailor the framework to their needs and integrate different risk types into a single corporate approach.
Conversely, ISO 27005 is a standard dedicated specifically to Information Security Risk Management (ISRM). It focuses on protecting the confidentiality, integrity, and availability of information assets, belongs to the ISO 27000 series, and is designed to operate alongside the ISO 27001 Information Security Management Systems (ISMS) standard.
The distinction lies in their taxonomy and philosophical focus: ISO 31000 views risk broadly through the lens of overarching organisational objectives, whereas ISO 27005 views risk narrowly, through the interplay of threat actors, asset vulnerabilities, and the technical controls required to mitigate them.
Modern quantitative cyber risk methods, such as those relying on Monte Carlo simulations or the FAIR framework, must map their outputs onto the compliance requirements of these ISO frameworks so that the results support corporate governance and remain auditable.
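To make the mapping concrete, the following added example (not course material and not taken from any ISO document) runs a FAIR-style Monte Carlo simulation of annual loss and turns its outputs into fields of an ISO 27005-style risk register entry. The triangular distributions, the sample scenario figures, the register field names, and the decision rule (retain the risk when the 95th-percentile annual loss is within appetite, otherwise flag it for modification) are all assumptions made for the example; only the treatment vocabulary (modify, retain, avoid, share) follows ISO 27005.

```python
"""FAIR-style Monte Carlo loss simulation mapped onto ISO 27005-style
risk register fields. Added example: the distributions, scenario numbers,
field names and treatment rule are assumptions, not content of either standard.
"""
import random


def draw(rng, low, mode, high):
    """Draw from a triangular distribution; a degenerate range returns `low`."""
    if high == low:
        return float(low)
    return rng.triangular(low, high, mode)


def simulate_annual_losses(rng, lef, lm, years=10000):
    """Simulate `years` of annual loss. lef and lm are (min, mode, max) tuples.

    FAIR-style: annual loss = sum of loss magnitudes over that year's loss
    events. Rounding the loss event frequency (LEF) draw to an event count is
    a simplification; a Poisson draw with the LEF as its rate is more faithful.
    """
    lef_min, lef_mode, lef_max = lef
    lm_min, lm_mode, lm_max = lm
    losses = []
    for _ in range(years):
        events = int(round(draw(rng, lef_min, lef_mode, lef_max)))
        annual = 0.0
        for _ in range(events):
            annual += draw(rng, lm_min, lm_mode, lm_max)
        losses.append(annual)
    return losses


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list of numbers."""
    ordered = sorted(values)
    index = int(round(p / 100 * (len(ordered) - 1)))
    return ordered[index]


def to_risk_register_entry(risk_id, owner, losses, risk_appetite):
    """Map simulation output onto ISO 27005-style register fields.

    Treatment options use ISO 27005's vocabulary (modify, retain, avoid,
    share). The decision rule is an assumed organisational policy: retain the
    risk when the 95th-percentile annual loss is within appetite, otherwise
    mark it for modification (apply controls) and re-assessment.
    """
    expected = sum(losses) / len(losses)
    p95 = percentile(losses, 95)
    treatment = "retain" if p95 <= risk_appetite else "modify"
    return {
        "risk_id": risk_id,
        "risk_owner": owner,
        "annualised_loss_expectancy": round(expected, 2),
        "annual_loss_p95": round(p95, 2),
        "risk_appetite": risk_appetite,
        "treatment_option": treatment,
        "within_appetite": treatment == "retain",
    }


def run_example(seed=42):
    """Constructed scenario: a credential-compromise risk with made-up figures."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    losses = simulate_annual_losses(
        rng,
        lef=(0.5, 2, 6),                # loss events per year (min, mode, max)
        lm=(10_000, 50_000, 200_000),   # loss per event in currency units
        years=10_000,
    )
    return to_risk_register_entry(
        "R-ISRM-001", "Head of Information Security", losses, risk_appetite=250_000
    )


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The register entry keeps the quantitative result (annualised loss expectancy and the 95th-percentile annual loss) next to the governance decision it drives, which is what an auditor reviewing an ISO 27001 ISMS needs to see: the figures, the appetite they were compared against, the owner, and the treatment option chosen.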
Comparative Analysis: ISO 31000 vs ISO 27005
Scope and Focus: ISO 31000 addresses generic risk management, applicable across financial, operational, and strategic risks. ISO 27005 is confined to Information Security Risk Management, centred on the confidentiality, integrity, and availability of data.
Primary Characteristics: ISO 31000 is versatile and adaptable to virtually any organisational structure or risk appetite. ISO 27005 provides specific, targeted requirements expressed in information security terminology.
System Integration: ISO 31000 functions well as a standalone, overarching corporate framework. ISO 27005 integrates directly with the ISO 27001 Information Security Management System (ISMS) and is a key operational component of ISO 27001 certification.