1 - If my company is required to follow both standards, ISO and COBIT, what will the effect be on the IT Risk Management Process? Which standard should I follow to implement IT Risk Management?
Answer: ISO and COBIT requirements for risk management are very similar (identify, analyse, evaluate and treat the risks), the difference being that for ISO 27001 you have to consider the effects of risks on information (in terms of confidentiality, integrity, and availability), while for COBIT you have to consider risks to IT assets (e.g., hardware and software) not related only to information (e.g., risks related to operational performance or cost efficiency). Considering that, if you follow both standards, your IT Risk Management Process will have to include evaluation criteria related to information security, and assess and treat risks also considering how the affected IT assets will impact information.
Regarding implementation, ISO 27001 only requires the definition of a methodology, while COBIT also provides details about risk management, so you can use the COBIT approach.
2 - I have many assets and applications in my company. I want to do IT risk management on some assets and applications by following ISO 27001:2013, and for the remaining assets and applications I will do the IT risk management later. I wonder whether, if I do it like this, the SoA will remain the same or be different?
Answer: The SoA covers the controls applicable to treat risks related to information security, so if the IT risk assessment you perform later does not identify additional risks (please review the previous answer) that can affect information, then the SoA will not change. On the other hand, if a risk affecting an IT asset will also impact information, and this one is considered unacceptable and you have to implement a new control, listed or not in ISO 27001 Annex A (e.g., a control required by COBIT), then this situation will require you to change your SoA (you can include in the SoA controls not listed in ISO 27001 Annex A if these controls will treat information security related risks).
3 - Could you please explain and give an example related to the terms quantitative and qualitative risk assessment?
Answer: In qualitative risk assessment, the focus is on interested parties’ perceptions about the probability of a risk occurring and its impact on relevant organizational aspects (e.g., financial, reputational, etc.). This perception is represented in scales such as “low – medium – high” or “1 – 2 – 3,” which are used to define the risk’s final value.
In quantitative risk assessment, the focus is on factual and measurable data, with highly mathematical and computational bases, to calculate probability and impact values, normally expressing risk values in monetary terms.
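As an added example (not from this Q&A, nor from ISO 27001 or COBIT), the same two-entry risk register assessed both ways in Python: qualitatively with a 1–3 likelihood/impact matrix, and quantitatively in monetary terms using annualized loss expectancy (ALE = SLE × ARO, an assumed common formula rather than one the answer above names). The register figures, the 3×3 matrix and the acceptance thresholds are constructed, and the run shows that the two methods can disagree on whether a risk is acceptable.

```python
# Qualitative scale for likelihood and impact: 1 = low, 2 = medium, 3 = high.
SCALE = {1: "low", 2: "medium", 3: "high"}

def qualitative_risk(likelihood: int, impact: int) -> str:
    """Combine two ordinal ratings into a risk level via a constructed 3x3 matrix."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be rated 1, 2 or 3")
    score = likelihood * impact  # 1..9; an ordering of perceptions, not a measurement
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"

def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate: float) -> float:
    """ALE = SLE x ARO, the usual monetary formula (assumed here, not from the Q&A).
    exposure_factor is the fraction of asset value lost per occurrence (0..1);
    annual_rate is the expected number of occurrences per year (may be below 1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0 or annual_rate < 0:
        raise ValueError("asset value and annual rate cannot be negative")
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * annual_rate

def assess(register: list, acceptable_ale: float) -> dict:
    """Run both assessments over the same register and report each criterion.
    Acceptance criteria (constructed): a qualitative level of 'high' is unacceptable;
    an ALE above acceptable_ale is unacceptable. Either one should trigger treatment."""
    result = {}
    for r in register:
        level = qualitative_risk(r["likelihood"], r["impact"])
        ale = annualized_loss_expectancy(r["asset_value"], r["exposure_factor"],
                                         r["annual_rate"])
        result[r["name"]] = {"qualitative": level, "ale": round(ale, 2),
                             "qual_unacceptable": level == "high",
                             "quant_unacceptable": ale > acceptable_ale}
    return result

# Constructed register. Laptop theft is only "medium" by perception, but its ALE
# (50,000 x 0.8 x 0.5 = 20,000) exceeds the threshold; the outage is "high" by
# perception yet costs only 3,000 a year. Each method flags a different risk.
REGISTER = [
    {"name": "laptop theft exposing customer data", "likelihood": 2, "impact": 2,
     "asset_value": 50_000.0, "exposure_factor": 0.8, "annual_rate": 0.5},
    {"name": "web server outage", "likelihood": 3, "impact": 2,
     "asset_value": 120_000.0, "exposure_factor": 0.25, "annual_rate": 0.1},
]
ACCEPTABLE_ALE = 15_000.0  # constructed acceptance threshold, in the same currency

if __name__ == "__main__":
    print(assess(REGISTER, ACCEPTABLE_ALE))
```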