Quick Risk assessment

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

I have a document with many questions to check against my software, based on the controls of ISO. For example: "The system shall have a logoff button." So, am I compliant or not? If I am not compliant, do I then need to do the risk for this item, using the matrix to calculate? After doing that for all items, have I done the risk assessment? Is this the correct way to do the risk assessment?

AntonioS Jan 12, 2016

No, it is not correct, and "The system shall have a logoff button" is not a control in the ISO. One way to perform the risk assessment (although you can develop your own methodology):
a.- Identify assets (software can be a type of asset, and an app can be an asset),
b.- Identify threats related to the assets (you can do it with a catalogue),
c.- Calculate risks (based on impact and likelihood).
If the risk is below a level defined by the organization, it is acceptable, and there is no problem (current controls for the asset are sufficient). If the risk is above, then the organization must apply controls to reduce it to an acceptable level. What controls? The ones defined in Annex A of ISO 27001.
I recommend that you read these articles:
"How to write ISO 27001 risk assessment methodology": https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
"ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Finally, here is a free webinar that I think can be very interesting for you, "The basics of risk assessment and treatment according to ISO 27001": https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

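The three steps in the answer above (assets, threats from a catalogue, risk = impact x likelihood against an organisation-defined acceptance level) as a small risk register, added here as an illustration and not code from the post or from Advisera. The threat catalogue, scores and acceptance level are constructed sample values; a control such as the logoff button from the question only enters the picture as a treatment for a risk that scores above the acceptance level.

```python
from dataclasses import dataclass

# Organisation-defined acceptance level (assumed value for this example): a risk
# scored at or below it is acceptable; anything above must be reduced with controls.
ACCEPTABLE_LEVEL = 6

# Constructed threat catalogue: asset type -> threats that apply to that type.
THREAT_CATALOGUE = {
    "application": ["unattended logged-in session", "SQL injection"],
    "server": ["hardware failure", "unpatched OS"],
}


@dataclass
class Asset:
    name: str
    asset_type: str


@dataclass
class RiskEntry:
    asset: str
    threat: str
    impact: int      # 1 (negligible) .. 5 (catastrophic)
    likelihood: int  # 1 (rare) .. 5 (almost certain)

    @property
    def level(self) -> int:
        # Step c: the matrix the question refers to, risk = impact x likelihood
        return self.impact * self.likelihood

    def acceptable(self, threshold: int = ACCEPTABLE_LEVEL) -> bool:
        return self.level <= threshold


def build_register(assets, scores, catalogue=THREAT_CATALOGUE):
    """Steps a + b: pair every asset with the catalogue threats for its type.
    `scores` maps (asset name, threat) -> (impact, likelihood) as assessed by the owner."""
    register = []
    for asset in assets:
        for threat in catalogue.get(asset.asset_type, []):
            if (asset.name, threat) not in scores:
                raise ValueError(f"no impact/likelihood assessed for {asset.name!r} / {threat!r}")
            impact, likelihood = scores[(asset.name, threat)]
            register.append(RiskEntry(asset.name, threat, impact, likelihood))
    return register


def needs_treatment(register, threshold=ACCEPTABLE_LEVEL):
    """Only risks above the acceptance level drive the selection of Annex A controls."""
    return [r for r in register if not r.acceptable(threshold)]
```

Items returned by `needs_treatment` are the ones for which a control (for instance a session timeout or logoff function) has to be chosen and recorded in the treatment plan; the rest are documented as accepted.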
