Information systems are exposed to constantly changing environments which require constant updating. Software "ages" not by wearing out, but by failing to keep up-to-date with its environment. Security is an increasingly important quality aspect in modern information systems. At the same time, it is particularly affected by the above-mentioned risk of "software ageing". When an information system 1 handles assets of a company or an organization, any security loophole can be exploited by attackers. Advances in knowledge and technology of attackers are part of the above-mentioned environment of a security-relevant information system. Outdated security precautions can, therefore, permit sudden and substantial losses. Security in long-living information systems, thus, requires an on-going and systematic evolution of knowledge and software for its protection. Our objective is to develop techniques, tools, and processes that support security requirements and design analysis techniques for evolving information systems in order to ensure "lifelong" compliance to security requirements. We will build on the security requirements & design approach SecReq developed in previous joint work. As a core feature, this approach supports reusing security engineering experience gained during the development of security-critical software and feeding it back into the development process. We will develop heuristic tools and techniques that support elicitation of relevant changes in the environment. Findings will be formalized for semi-automatic security updates. During the evolution of a long-living information system, changes in the environment will be monitored and translated to adaptations that preserve or restore its security level.