In relation to the Supplier security policy,
1) Is it necessary to perform an audit of cloud-based providers (e.g. Egnyte (files), Xero (finance data), Confluence (knowledge base)) that are already in compliance/certified with many industry regulatory standards? They are high-risk because of the type of information we're keeping in them, but again, these are already big established companies.
2) The same question as number 1, but for service providers (power, internet, telecommunications).
3) The same question as number 1, but for professional outsourcing services such as legal, accounting, etc.