SOA controls are implemented due to various reasons like Best Practices, Legal, Contractual, or out of risk assessments.
Answer: You should review your current risk assessment at least once a year, or if any bigger change happens - e.g. change of technology, change of location, change in your products or services, change in legislation, etc.
Is it good to categorize the controls implementation like this and do assess all controls every quarter or only during any technology or regulatory changes?
Answer: I didn't see in practice this kind of categorization, and it seems to me it won't be useful - as mentioned above, the review needs to be triggered by any significant changes.