Which statement regarding residual risk is correct?
A. It can consist of unidentified risk.
B. It consists of only retained risk.
C. It excludes any risk that has been transferred through contracts or insurance.
The Answer Is: A
Explanation:
Residual risk is defined in ISO/IEC 27000:2018 as the risk remaining after risk treatment. According to ISO/IEC 27005:2022, residual risk can include risks that were not identified during the risk assessment process — meaning unidentified risks form part of the residual risk. This is because no risk assessment is exhaustive; unknown or emerging threats may exist outside the assessed scope. Option B is incorrect because residual risk is not limited to retained risk alone; it includes any risk remaining after all treatment options, including modification, sharing, and avoidance. Option C is incorrect because transferred risks (via insurance or contracts) still contribute to residual risk, as the transfer may be partial or incomplete. Therefore, the only fully correct statement is that residual risk can consist of unidentified risk, consistent with ISO/IEC 27005:2022 risk management guidance.