Expert Advice Community


Risk management for cloud computing

Guest user. Created: Jun 20, 2016. Last commented: Jun 20, 2016.

If I want to do risk management for a cloud computing environment, must I use ISO 31000 or ISO 27005 or ISO 91000?
Antonio Jose Segovia Jun 20, 2016

Answer:
From my point of view, in a cloud computing environment ISO 27005 is better, because it was developed for information security risks, although you can also use ISO 31000, because this standard has the same structure as ISO 27005 but was developed for any type of risk (information security, financial, environmental, etc.).

Regarding ISO 91000, I suppose that you mean ISO 9001, because ISO 91000 does not exist. ISO 9001 is not specifically developed to manage risks; it is developed to establish the requirements for a quality management system, although in the current version of the standard (ISO 9001:2015) there is a new requirement related to risk analysis (risk treatment is not mandatory), so it is not useful to use this standard for risk management.

Remember that if you want to write your own methodology for risk management, this article may be interesting for you: “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

This article may also be interesting for you: "ISO 27001 vs. ISO 27017 - Information security controls for cloud services": https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

And also this one: "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud": https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

Our online course may also be interesting for you, because in it we give more information about risk management: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
