How often should information security policies and risk assessments be completed?


The correct response emphasizes the importance of maintaining up-to-date information security policies and conducting risk assessments regularly. Annual reviews ensure that the organization adheres to current compliance requirements and reflects changes in the threat landscape, regulatory environment, and business operations.

Additionally, conducting these assessments whenever there are significant changes to the business—such as new technologies, processes, or data handling practices—ensures that the security measures in place remain effective and relevant. This dynamic approach allows organizations to proactively identify and address potential security risks and reinforces a culture of continuous improvement in their security posture.

The other options, such as biannual or every three years, may not provide sufficient frequency to adapt to evolving threats. Monthly assessments may be excessive for most organizations, potentially leading to resource strain without delivering proportional benefits. Thus, the requirement for annual reviews, coupled with adjustments for any changes, strikes a balanced approach for maintaining robust information security protocols.
