This should be standard practice for Due Diligence with your third parties. If they are a supplier, then you are probably giving them some data or they are giving you some service that could impact the security of your information systems. Companies typically do recurring reviews in this instance (usually every year) to ensure that the security posture has not changed, there were no major system upgrades or changes with the vendor, etc. We are consistently asked by our clients if we do recurring reviews on our vendors. Having a review data (with the associated email reminder using Cron) would be very helpful.