Continuously Update and Evaluate your Risk Register
Your Security Risks are constantly evolving: new vulnerabilities and threats are constantly being discovered, and existing vulnerabilities are being mitigated by updating your server.
To maintain a relevant view of the effectiveness of your Security Program, your Risk Register must be updated continuously. Input for updating can come from vulnerability assessments, penetration tests, internal or external audits, and so on.
Your Risk Register should not be limited to IT Risks only; Security Risks can also be affected by changes in the business.
If your organisation has started a webshop, expanded business into new regions, or made similar changes, these can also imply new risks to be evaluated.
Your Risk Register is the heart and soul of your Security Program! Keep it rigorously up to date!