Continuously evaluate your risk register
Your security risks are constantly evolving. New vulnerabilities and threats are continuously being discovered, and existing vulnerabilities are being mitigated by updating your servers/applications.
To maintain a relevant view of the effectiveness of your security program, your risk register must be updated continuously. Input for these updates can come from vulnerability assessments, penetration tests, internal or external audits, and similar sources.
Your risk register should not be limited to IT risks. Changes in the business can also change your security risks.
If your organization has started a web shop or expanded into new regions, for example, these changes can introduce new risks that need to be evaluated.
Your risk register is the heart and soul of your security program! Keep it rigorously up to date!