As is reflected in many current third-party provider security assurance programs,
the client and the CSP need to agree in advance that
the client has accessibility to the CSP to audit and verify the existence and
effectiveness of security controls specified in the SLA.
The pre-engagement security controls audit then becomes the benchmark for ongoing audits once the
cloud contract is in place.
For CSPs with very high volumes (hundreds) of cloud clients,
this could become troublesome.
That is why a broadly agreed industry standard,
best-practice security certification will be a readily embraced tool,
once available.