Risk assessment frameworks
Answer: Since your scope is IT, I'd suggest you implement COBIT, since this framework was designed with IT in mind. ISO 27001 can help with specifics about information security in IT, but this ISO standard is focused on information protection, and it is not as detailed on IT controls as COBIT.
Unfortunately, COBIT is not in our expertise (we work with ISO standards), but you can find some useful information here: https://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx
Some materials are free to access and others are free but require registration.
For an overview of risk assessment on ISO 27001, I suggest these articles:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
These materials will also help you regarding ISO 27001 Risk Assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
If you would like to try Risk assessment for ISO 27001, you can take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
This toolkit contains the following documents: (1) Risk Assessment and Risk Treatment Methodology, (2) Risk Assessment Table, (3) Risk Treatment Table, (4) Risk Assessment and Treatment Report, (5) Statement of Applicability, and (6) Risk Treatment Plan. You just have to scroll down the screen a little to access the free demo tab.
The material is editable and you can make adjustments to fulfil your needs.
Jun 10, 2017