I agree with bcompliance that there isn't a citation for this, but there definitely is a trend where examiners want to see a segregation of info security and IT. At least they do when it comes to the IS officer and the IT officer, so I can see why this desired segregation would trickle down to the risk assessment(s).
That said, there isn't a citation for this so it really is more of a recommendation or (dare I say) best practice.
_________________________
Adam Witmer, CRCM
All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com