Penetration testing simulates real-world attacks to ensure vulnerabilities have been addressed and no residual weaknesses remain.
"Penetration testing provides assurance that implemented controls effectively mitigate identified vulnerabilities and that no new exposures have been introduced."
- CISM Review Manual 15th Edition, Chapter 3: Information Security Program Development and Management, Section: Testing and Evaluation* The ISACA practice database consistently recommends penetration testing for validating that vulnerabilities are closed.

Before implementing any changes to the security incident response plan, the information security manager should first conduct a gap analysis to identify the current state of the plan and compare it with the new requirements. A gap analysis is a systematic process of evaluating the differences between the current and desired state of a system, process, or program. A gap analysis can help to identify the strengths and weaknesses of the existing plan, the gaps that need to be addressed, the priorities and dependencies of the actions, and the resources and costs involved. A gap analysis can also help to create a business case for the changes and justify the investment. A gap analysis can be conducted using various methods and tools, such as frameworks, standards, benchmarks, questionnaires, interviews, audits, or tests1234.
References =
* CISM Review Manual 15th Edition, page 1631
* CISM certified information security manager study guide, page 452
* How To Conduct An Information Security Gap Analysis3
* PROACTIVE DETECTION - GOOD PRACTICES GAP ANALYSIS RECOMMENDATIONS4

The most important information to present to senior management when reporting on the performance of the initiative to mitigate risk associated with ransomware is the cost and associated risk reduction, which means showing the value and effectiveness of the technical and administrative controls in terms of reducing the likelihood and impact of ransomware incidents and data extortion, and comparing them with the investment and resources required to implement and maintain them. The cost and associated risk reduction can help senior management to evaluate the return on investment (ROI) and the alignment with the business objectives and risk appetite of the initiative.
References = Ransomware Risk Management - NIST, #StopRansomware Guide | CISA