This paper presents a standard-oriented architecture for automating information security risk management (ISRM) using artificial intelligence. The study first evaluates eight international frameworks (including COBIT 2019, NIST SP 800-53, and ISO 31000) for automation suitability, identifying ISO/IEC 27005 as the optimal structural foundation. Based on these findings, an architecture integrating Natural Language Processing and machine learning to automate risk identification, assessment, and treatment is proposed. A core component is a decision-making module that combines expert reasoning with a Multi-LLM consensus mechanism to ensure reliability. To provide exploratory support for the proposed architecture, a comparative study using five state-of-the-art Large Language Models (ChatGPT, Gemini Advanced, Grok, Microsoft Copilot, and DeepSeek Chat) was conducted on a standardized risk identification task. The results highlight strong cross-model consensus patterns, providing exploratory evidence that LLMs may support expert-informed risk identification and reasoning tasks while acknowledging the current limitations in complex reasoning. This approach proposes a transparent architectural foundation for AI-driven ISRM whose scalability must be established through future prototype-based evaluation, thereby bridging the gap between rigid compliance standards and generative AI capabilities.
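The abstract describes a decision-making module that relies on a Multi-LLM consensus mechanism and reports cross-model consensus patterns on a risk identification task, but does not show how such consensus is computed. The following is an added example, written for this page and not code from the paper or its authors, of the aggregation step such a module needs: it normalises each model's free-text risk labels, keeps risks that a configurable fraction of models agree on, routes the rest to expert review, and measures cross-model agreement with pairwise Jaccard similarity. The five model outputs, the synonym table, the asset and the 0.6 agreement threshold are all constructed assumptions, not results from the study.

```python
"""Added example (not from the paper): a minimal Multi-LLM consensus step for
risk identification.  All model outputs below are constructed sample data,
not the study's results; model names, labels and thresholds are assumptions."""
from collections import Counter
from itertools import combinations
import re

# Constructed sample outputs: each "model" names risks for one asset
# (assumed: a customer database). Spelling and punctuation deliberately vary
# so that the normalisation step matters.
MODEL_OUTPUTS = {
    "model_a": ["Unauthorised access", "SQL injection", "Ransomware", "Insider misuse"],
    "model_b": ["unauthorized access", "sql-injection", "ransomware", "backup failure"],
    "model_c": ["Unauthorized Access", "Ransomware", "Phishing"],
    "model_d": ["SQL Injection", "Ransomware", "Insider misuse", "Backup failure"],
    "model_e": ["Ransomware", "unauthorised access", "Phishing"],
}

# Assumed synonym table; consensus over free text is only meaningful once
# equivalent labels are mapped to one canonical form.
SYNONYMS = {
    "unauthorised access": "unauthorized access",
}


def normalize(label: str) -> str:
    """Lower-case, collapse punctuation and whitespace, then apply synonyms."""
    key = re.sub(r"[^a-z0-9]+", " ", label.lower()).strip()
    return SYNONYMS.get(key, key)


def risk_sets(outputs: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each model to the set of canonical risk labels it produced."""
    return {m: {normalize(r) for r in risks} for m, risks in outputs.items()}


def consensus(outputs: dict[str, list[str]], min_agreement: float = 0.6):
    """Split risks into (accepted, contested).

    A risk is accepted when at least `min_agreement` of the models named it;
    everything else is contested and goes to the expert-reasoning side of the
    decision module.  Entries are (risk, fraction_of_models) tuples, ordered
    by support and then alphabetically.
    """
    sets = risk_sets(outputs)
    n = len(sets)
    votes = Counter(r for s in sets.values() for r in s)
    scored = sorted(((r, c / n) for r, c in votes.items()),
                    key=lambda x: (-x[1], x[0]))
    accepted = [(r, f) for r, f in scored if f >= min_agreement]
    contested = [(r, f) for r, f in scored if f < min_agreement]
    return accepted, contested


def pairwise_jaccard(outputs: dict[str, list[str]]) -> dict[tuple[str, str], float]:
    """Cross-model agreement: Jaccard similarity of every pair of models' risk sets."""
    sets = risk_sets(outputs)
    result = {}
    for a, b in combinations(sorted(sets), 2):
        union = sets[a] | sets[b]
        result[(a, b)] = len(sets[a] & sets[b]) / len(union) if union else 1.0
    return result


def mean_agreement(outputs: dict[str, list[str]]) -> float:
    """Average pairwise Jaccard over all model pairs (1.0 = full consensus)."""
    scores = pairwise_jaccard(outputs)
    return sum(scores.values()) / len(scores)


if __name__ == "__main__":
    accepted, contested = consensus(MODEL_OUTPUTS)
    print("accepted:", accepted)
    print("contested (expert review):", contested)
    print("mean pairwise Jaccard:", round(mean_agreement(MODEL_OUTPUTS), 3))
```

With the constructed data, ransomware, unauthorized access and SQL injection clear the 0.6 threshold while insider misuse, backup failure and phishing are each named by only two of five models and are handed to expert review; the mean pairwise Jaccard of about 0.47 is the kind of cross-model agreement figure a prototype evaluation would track. The threshold is the main design choice: a higher value reduces false positives from a single hallucinating model but pushes more rare, legitimate risks onto the expert queue.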
Authors: Oleksii Chalyi (Kaunas University of Technology), Kęstutis Driaunys, Šarūnas Grigaliūnas (Kaunas University of Technology)
Journal: Electronics
synapsesocial.com/papers/69be38da6e48c4981c6798e5 — DOI: https://doi.org/10.3390/electronics15061282