I am currently reading over the Supplier Security Policy and wanted to check something. Under the "Monitoring and review" section, it mentions auditing the supplier or auditor once a year. What exactly is meant by this? And is it required?
I’m assuming you are referring to the text “, as well as audit the supplier or partner at least once a year.” in section 3.5 of the Supplier Security Policy.
This text means that, just as you need to audit your own processes, you also need to audit suppliers and partners to ensure they have implemented the security controls you agreed with them, and that those controls are performing properly.
Please note that such audits are required only if control A.15.2.1 - Monitoring and review of supplier services is stated as applicable in the Statement of Applicability.
Additionally, there are different types of audits, some more thorough (e.g., a comprehensive on-site audit), others simpler (e.g., verification of applied security clauses), and you should consider criteria such as the criticality of the supplier, the results of previous audits, and incident history to decide which audit approach to apply.