Right to audit—As is reflected in many current third-party provider security
assurance programs, the client and the CSP need to agree in advance that
the client has access to the CSP to audit and verify the existence and
effectiveness of security controls specified in the SLA. The pre-engagement
security controls audit then becomes the benchmark for ongoing audits once the
cloud contract is in place. For CSPs with very large numbers (hundreds) of cloud
clients, accommodating individual client audits could become troublesome. That is
why a broadly agreed, industry-standard, best-practice security certification will
be a readily embraced tool once available.