Can I use the CIS RAM as my Risk Assessment Method for implementing the ISO 27001:2013? I feel very comfortable using that method but need to know if it is appropriate to use it with the ISO 27001. Or the best scenario is to use the ISO 27005:2018?
Generally speaking, a risk assessment methodology compliant with ISO 27001 has these 5 elements:
Provided CIS RAM can fulfill these requirements, it can be used in an ISO 27001 context.
We are not experts in CIS RAM, but based on the material provided by the Center for Internet Security (https://www.cisecurity.org/white-papers/cis-ram-risk-assessment-method/), this methodology seems too complex for beginners (please note that risk assessment is more useful when everyone in an organization can use it by themselves in a quick way, not depending upon a few persons).