For Security rule requirements may very with respect to time. Like rule implemented once need to be modified or changed or must be reviewed piriodically.
If any new recuirements come to the picture it must be reviwed. I have SSIM in my organisation implemented before few years rules was as it is. Now security purpose and engineering approch needed to update it. so accordingly older rules must be updated, and if necessary it must be added new once for provideing better services.