Which ISO standard relates to defining risk management activities?

Prepare for the DSST Cybersecurity Fundamentals Exam. Study with thorough preparatory material, multiple choice questions, and detailed explanations to ace your exam effortlessly!

The correct selection relates to ISO/IEC Guide 73:2002, which specifically provides guidelines for the terminology and concepts of risk management. This guide aims to support organizations in implementing a systematic approach to risk management, outlining essential principles and definitions that can help frame risk management processes. By offering a foundational understanding of risk and how to manage it, ISO/IEC Guide 73:2002 is instrumental in facilitating coherent risk management practices across various sectors.

ISO/IEC 27001 primarily focuses on establishing, implementing, maintaining, and continually improving an information security management system (ISMS), emphasizing a comprehensive framework for managing sensitive information, but it does not specifically define risk management activities.

ISO/IEC 27002 provides a code of practice for information security controls based on ISO/IEC 27001, detailing best practices and recommendations for selecting and implementing controls, rather than specifically addressing risk management processes.

ISO/IEC 9001 is centered around quality management systems and does not specifically deal with risk management, although it incorporates a risk-based thinking approach within the context of ensuring quality in processes and outcomes.

Understanding the distinction between these standards helps clarify why ISO/IEC Guide 73:2002 is the most appropriate choice for defining risk management activities.
