Which option describes the ISO/IEC 27000 family as it relates to information security management systems?

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

Which option describes the ISO/IEC 27000 family as it relates to information security management systems?

Explanation:
The ISO/IEC 27000 family provides the framework for building an information security management system (ISMS) and the path to third-party certification. It includes the standards that define what an ISMS must do and how it can be audited and certified. The option stating that it specifies how to certify an ISMS captures that pathway: ISO/IEC 27001 sets the requirements for an ISMS that can be certified, and ISO/IEC 27006 outlines the requirements for certification bodies to assess conformity to 27001. The other options miss the broader role: internal audit procedures are part of ISMS practice, but not the overarching framework; PCI compliance is a separate standard for payment card data; and focusing only on risk management is too narrow a view of what the 27000 family encompasses.
