With the context, you are able to derive your scope. The risk assessment you will perform will be for the assets within the identified scope.
More often than not, you will have risks that will not satisfy your risk acceptance criteria. You then have to perform risk treatment. Somewhere within your risk treatment process you will select controls such as conduct user awareness training courses or establish a CCTV system. Objectives can then be established to these controls.
Examples:
% attendance to ISMS courses vs total manpower of the company
Completion of the CCTV installation. On time? Within budget?
Do you want a sample of a risk treatment plan with objectives?
Richard