Answer:
There is no specific requirement to annually approve the policy. There is a requirement for the Security Officer to conduct a security assessment and provide a report on the status of the security program at least annually. As part of that review, I would think a review of the Security Policy would be appropriate.