Risk assessment
1. Would you please guide me on how to start doing risk management (from Risk Identified -- Risk Treatment Plan)?
Answer: Since your answer is not clear about which material from our knowledge base you've read, I suggest these materials for you to understand the risk management process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/es/webinar/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-free-webinar-on-demand/
2. I would appreciate it if you could help with details and sample data, starting from the first step of getting risks identified.
Answer: For free sample data I suggest these materials:
- Diagram of 6 steps in ISO 27001 risk management https://info.advisera.com/27001academy/free-download/diagram-of-6-steps-in-iso-27001-risk-management
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
For more detailed information, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
This toolkit enables you to implement information security and business continuity risk management compliant with ISO 27001 and ISO 22301, and provides access to video tutorials to help fill in the documents with real data examples.
3. Is it possible to treat or prevent risks to achieve zero risk appetite?
Answer: It is not possible to treat risks to achieve zero risk appetite, because the cost to treat all possible risks an organization is exposed to would be prohibitive.
4. If I follow the COBIT 5 standard for risk management, I don’t need to do the SOA, right?
Answer: Your understanding is correct. The Statement of Applicability is not a requirement for COBIT 5, so you do not need to develop such a document if you follow the COBIT 5 risk management approach.
Dec 18, 2018