1 - I was assigned to do a review on a company's (financial institution) IT and IS Risk Assessment. However, I am confused about the difference between both assessments.
I'm assuming that by ISRA you mean "Information security risk assessment", and that by ITRA you mean "Information Technology risk assessment".
Considering that, although they have an overlap, IT risk assessment and IS risk assessment focus on different things. IS risk assessment focuses on impacts related to the loss of confidentiality, integrity, and/or availability of information, while IT risk assessment focuses on impacts that affect information technology assets and/or provided information technology services.
The overlap is that part of IS risk assessment covers information and communication technologies, and part of IT risk assessment covers information related to provided information technology services.
2 - how will I start?
Although these are independent assessments, since information in many situations relies on information technology assets, starting with the IS risk assessment review may provide you with a better understanding when performing the IT risk assessment review, because as part of the IS risk assessment you need to list all information-related assets, and for the IT assets among them you will perform the IT risk assessment.
3 - And what about the IT Risk Policy Manual and IT Risk Management Framework: are they the same? How are they related to both ISRA and ITRA?
The IT Risk Policy Manual and IT Risk Management Framework are not the same.
An IT Risk Management Framework provides the general elements of a risk management process (e.g., risk assessment, risk treatment, etc.), while an IT Risk Policy Manual defines the specific rules established by the organization to be applied to the risk management process.
The risk management framework and risk policy should be developed for information security, and potentially include a further explanation for IT.
This article will provide you with a further explanation of ISO 27001 information risk assessment: