Which concept is emphasized in ISO/IEC 27005?

ISO/IEC 27005 specifically addresses the management of information security risks within an organization. This standard provides guidelines for implementing a systematic approach to identify, assess, and treat information security risks, ensuring that an organization can effectively protect its information assets.

The emphasis on information security risk management within ISO/IEC 27005 is critical because it helps organizations understand the potential threats to their data and systems and implement measures to mitigate those risks. This proactive approach not only enhances the security posture but also ensures compliance with relevant legal and regulatory requirements, fostering a culture of continual improvement in managing security risks.

In contrast, the other options focus on different areas of organizational operations. Organizational governance relates to overall management structures and decision-making processes, while quality improvement processes pertain to achieving better outcomes in delivering products or services. Employee performance metrics involve evaluating an individual’s contributions to the organization, which, while important, do not directly tie into risk management in the context of information security. Thus, the selection of information security risks management accurately reflects the core concept highlighted by ISO/IEC 27005.