Your book is very useful to me, as it could guide me on how to start doing risk management. But I wonder, is it OK if I write a new risk framework and methodology to implement in my company by combining both ISO and COBIT 5? Or can I use only one of the two?
Requirements for risk management in ISO 27001 do not prescribe which approach to use, only that a process must be defined, so you can use requirements from both ISO 27001 and COBIT 5 to perform risk management without a problem.