Expert Advice Community

Risk management frameworks

Guest user   Created: Jan 09, 2019   Last commented: Jan 10, 2019

1. Suppose that I have an IT Risk Framework that follows COBIT requirements, but my company wants to get ISO 27001:2013 certified. Do I need to write another IT risk framework following ISO requirements to get certified?

Expert
Rhand Leal Jan 09, 2019

Answer: For certification purposes, ISO 27001 requires only that a risk management methodology be defined, so there is no need to write another IT risk framework only to be compliant with ISO 27001.

2. If not, as in question 1 above, can I combine those requirements and merge them into only one?

Answer: Your understanding is correct. For compliance with ISO 27001 you can use a single document combining the requirements of both COBIT and ISO 27001, just making adjustments to your current framework if you identify that not all requirements of the standard are fulfilled.

These articles will provide you further explanation about integrating COBIT and ISO 27001:
- How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

Guest
dalin-kry Jan 10, 2019

Dear Sir,
Many thanks for your kind response and support.
Please let me clarify: if I currently have an IT Risk Framework which already follows the requirements of COBIT, and then my company requires ISO 27001:2013 certification, do I need to do a Statement of Applicability or not, given that the IT Risk Management Framework does not mention this?
Best Regards,
Dalin

Expert
Dejan Kosutic Jan 14, 2019

Statement of Applicability is a mandatory document for ISO 27001 certification, so you need to have it if you want to get certified.

Guest
dalin-kry Jan 14, 2019

Thank you, sir.

Guest
dalin-kry Jan 16, 2019

Dear Sir,
When we do a risk assessment we have Threat and Vulnerability, so what about Residual Risk? Is it the same as Threat and Vulnerability?
Many thanks for your kind response and support.
Regards,

Expert
Dejan Kosutic Jan 16, 2019

You need to measure residual risk based on impact and likelihood, taking into account the same threats and vulnerabilities - in most cases either impact or likelihood will be lower because of the applied controls.

Guest
dalin-kry Jan 17, 2019

Yes, sir. Does that mean that if both the impact and likelihood of those threats and vulnerabilities become low, there will be no Residual Risk? Or will there still be residual risk from threats and/or vulnerabilities?
Regards

Expert
Dejan Kosutic Jan 18, 2019

If both impact and likelihood are brought down to minimum, then the residual risk is zero.

Guest
dalin-kry Jan 18, 2019

Thank you, sir. Have a nice day :-)

Guest
dalin-kry Jan 31, 2019

Dear Sir,
Please let me ask for your support on Risk Appetite.
As a best practice, can we link Risk Appetite to a KPI?
1. If we can, how do we do it? Please kindly guide with an example.
2. If we cannot, how can we implement Risk Appetite effectively?
Many thanks for your time and kind response.
Best Regards,
Dalin

Expert
Rhand Leal Feb 01, 2019

Answer: Risk appetite is used to define acceptance criteria for your risk assessment and treatment process (the higher the risk appetite, the more permissive the risk criteria will be and the higher the risks you will accept, and vice versa), so ways to verify how risk appetite is affecting your results are by establishing a KPI related to the number of incidents and by evaluating the results of the KPIs of your business processes. A high number of incidents, or process KPIs not achieving the expected results, may mean that risk appetite is too high and some currently accepted risks must be treated.

This article will provide you further explanation about risk appetite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

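The following is an added illustration, not code from this thread, from Advisera, or from any of its participants. It puts the two expert answers above into a small risk register: risk is scored as impact x likelihood, residual risk is recomputed for the same threat and vulnerability pair after controls lower impact and/or likelihood, the acceptance threshold is derived from a stated risk appetite, and an incident-count KPI is checked against that appetite. The 1..5 scale, the appetite-to-threshold mapping, the assets, threats, controls and scores are all assumed values constructed for the example.

```python
# Added example, not code from the Advisera thread or its participants.
# Scales, risks, controls and thresholds are constructed (assumed) values.
from dataclasses import dataclass, field

LOWEST, HIGHEST = 1, 5  # assumed 1..5 scale for both impact and likelihood


@dataclass
class Control:
    """A treatment that lowers likelihood and/or impact by a number of scale steps."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int       # inherent impact, before controls
    likelihood: int   # inherent likelihood, before controls
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.impact, self.likelihood):
            if not LOWEST <= value <= HIGHEST:
                raise ValueError(f"{value} is outside the {LOWEST}..{HIGHEST} scale")

    def inherent(self) -> int:
        """Risk level with no controls applied."""
        return self.impact * self.likelihood

    def residual_factors(self) -> tuple:
        """Impact and likelihood after controls; neither drops below the scale floor."""
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(LOWEST, impact), max(LOWEST, likelihood)

    def residual(self) -> int:
        """Same threat and vulnerability, re-scored with the controlled factors."""
        impact, likelihood = self.residual_factors()
        return impact * likelihood


# Risk appetite expressed as the highest residual score the organisation
# accepts without further treatment (assumed mapping).
ACCEPTANCE_THRESHOLD = {"low": 4, "medium": 9, "high": 15}


def needs_treatment(risk: Risk, appetite: str) -> bool:
    return risk.residual() > ACCEPTANCE_THRESHOLD[appetite]


def treatment_plan(register: list, appetite: str) -> list:
    """Assets whose residual risk exceeds what the stated appetite accepts."""
    return [r.asset for r in register if needs_treatment(r, appetite)]


def incident_kpi_breached(incidents_this_period: int, target: int) -> bool:
    """More incidents than the KPI target suggests the accepted risk level is too permissive."""
    return incidents_this_period > target


# Constructed sample register (hypothetical assets, threats and scores).
SAMPLE_REGISTER = [
    Risk("Customer database", "Unauthorised access", "Password-only logins", 5, 4,
         [Control("Multi-factor authentication", likelihood_reduction=2)]),
    Risk("Staff laptops", "Theft", "Unencrypted disks", 4, 3,
         [Control("Full-disk encryption", impact_reduction=3)]),
    Risk("Backup tapes", "Loss in transit", "No off-site custody procedure", 3, 2),
]


if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(f"{risk.asset}: inherent {risk.inherent()}, residual {risk.residual()}")
    for appetite in ACCEPTANCE_THRESHOLD:
        print(f"appetite={appetite}: treat {treatment_plan(SAMPLE_REGISTER, appetite)}")
    print("incident KPI breached:", incident_kpi_breached(7, 5))
```

With the sample values, the customer database drops from an inherent 20 to a residual 10 because MFA lowers only the likelihood, while the laptops drop from 12 to 3 because encryption lowers the impact of a theft; a "low" appetite (threshold 4) still demands treatment of the database and the untreated backup tapes, a "medium" appetite only of the database. On this assumed 1..5 scale the floor is 1, so "brought down to minimum" yields a score of 1 x 1 rather than a literal zero; if your methodology's scale starts at zero, change LOWEST accordingly.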
Guest
dalin-kry Feb 21, 2019

Dear Sir,
Many thanks for your response and explanation.
Regards,
