Richard has hit the nail on the head. A policy document on third-party security should set out the requirements and expectations on the third party: the data they use, their method of communications, their own responsibilities to protect data, retaining ISO 27001 certification, etc.
That is only half of the story. How have your existing risk assessments been completed with regards to:
- transmission of data to/from third parties
- third party confidentiality clauses that protect you as the customer
- the integrity of their services - what if they suffer a hack or data breach
- what happens when third party personnel leave?
- any assets (data or tangible) supplied to the third party
- their own business/service continuity arrangements
- etc. etc. etc.
Policy sets directions. Risk assessment demonstrates whether or not security activities and controls are effective. You need a combination of both.