Which of the following statements about risk assessment in ISO/IEC 27001 is correct?


The statement that risk assessment must consider legal and regulatory requirements is correct. ISO/IEC 27001 requires the organization to understand its context (clause 4.1) and the requirements of interested parties (clause 4.2), and the standard notes that those requirements can include legal and regulatory requirements and contractual obligations. The information security risk assessment (clause 6.1.2) is carried out against that context, so applicable legal, regulatory and contractual obligations are inputs to it. Failure to meet such an obligation is itself an information security risk, one that can expose the organization to fines, liability or loss of a licence to operate, and it has to be identified and treated like any other risk to the confidentiality, integrity and availability of information.

Bringing legal and regulatory requirements into the risk assessment lets the organization find compliance gaps before a regulator or customer does, reduce liability, and document why particular controls (for example those under Annex A control 5.31, legal, statutory, regulatory and contractual requirements) were selected. An ISMS built this way addresses security and compliance risk in one process rather than in two disconnected ones.

The other statements do not match what the standard requires. Risk assessment is not optional: clause 6.1.2 requires a defined and documented risk assessment process, and clause 8.2 requires the organization to actually perform it and retain documented information on the results. Risk assessment is not limited to technical risks: it must cover every risk to the confidentiality, integrity and availability of information within the ISMS scope, which includes operational, physical, people-related and legal risks, not only those arising from IT systems. Finally, the standard does not fix an annual interval; it requires assessments at planned intervals chosen by the organization, and it should additionally be conducted whenever there are significant changes in
