Which of the following describes the required frequency for an annual risk assessment?

Multiple Choice

Explanation:
Risk assessments in PCI DSS are performed on an annual basis and updated whenever significant changes occur in the cardholder data environment. The formal risk assessment helps identify threats and vulnerabilities, assess overall risk, and prioritize controls to reduce that risk. Performing it at least once a year keeps the assessment current with evolving threats and with changes in your environment, such as adding new systems, modifying network topology, or adopting new payment applications. The formal risk assessment is not a routine monthly or quarterly activity, although ongoing monitoring and vulnerability scanning complement it. It also isn’t tied to a single project, since the assessment covers the entire cardholder data environment. Therefore, the required frequency described is annually.