Which of the following is a best practice concerning information security risk assessment?

A.
Information security risk assessments should be carried out by an external auditor to maintain objectivity.

B.
Information security risk assessments should be performed as a result of the review of every incident.

C.
Information security risk assessments should be performed at agreed intervals and be maintained during changes.

D.
Information security risk assessments should be performed once a year.