Quantity of risks

Good day Dejan, I hope things are going well in your part of the world? We at *** are slowly working on our ISO27001 accreditation and would appreciate some guidance from you please. How does the attached Risk Table look for a small IT services company with ~15x people? When we spoke last, you suggested that we do the certification for our whole business as opposed to just our SOC portion, so I’ve considered elements from our offices, hosted customer environment and our new SOC. I’ve used ~50x of your standard assets, combined with your standard Threats and Vulnerabilities, and have come up with ~200x Risks. ~15% of these will need further attention later in the process based on their risk score. Are these risks and numbers appropriate, or do we need more / less / different? I don’t want to get too far ahead if this stage still needs more work. We still need to share it with our technical people who could very well raise some additional assets and associated threats, vulnerabilities and risks. I also don’t want to add too many risks if they are effectively trivial, but also want to demonstrate to an auditor later that we have applied our mind to the task. Would you be available for some feedback by email and/or online meeting in the next 2-3x weeks? 7x hours time difference to Perth so probably 9am your end / 4pm our end will work. Look forward to hearing from you.