Which document focuses on principles and processes for managing information security risks?

The selection of ISO/IEC 27005 as the correct answer is based on its specific focus on managing information security risks. This standard provides guidelines for establishing a framework for information security risk management and outlines the principles and processes necessary to identify, assess, and manage those risks effectively.

ISO/IEC 27005 is aligned with the broader information security management system established by ISO/IEC 27001, which centers on implementing an ISMS. However, 27005 dedicates itself explicitly to the risk management aspect, making it essential for organizations seeking to understand and mitigate their information security risks comprehensively.

In contrast, ISO/IEC 29100 deals with privacy framework and principles, focusing primarily on privacy considerations rather than the general management of information security risks. ISO/IEC 27001:2013 establishes the requirements for an overall information security management system but does not delve deeply into risk management processes like 27005 does. On the other hand, ISO 9001 provides guidelines for quality management systems, which while important for organizational processes, does not specifically address information security risks. Therefore, ISO/IEC 27005 stands out as the document that centers on the principles and processes for managing information security risks effectively.