Do you have any recommendations for creating a concrete cybersecurity risk assessment for SMBs?

Hi community :)

Do you have any recommendations for creating a concrete cybersecurity risk assessment for SMBs?

The ISO 27001 regulation is maybe too much for SMBs and the NIST cybersecurity framework gives a very good baseline but what would be your answer if you have to create a concrete cybersecurity risk assessment for SMBs? What would be part of it?

assessment community cybersecurity cybersecurity risk cybersecurity risk assessment framework iso iso 27001 nist nist cybersecurity framework recommendations regulation risk risk assessment smbs