If you think like an auditor, criticality will override the low-risk rating. Since the internet is a critical service for your organization, you should be doing more exhaustive diligence. But due diligence for internet providers can be a tricky business. Typically, providers will not participate in your due diligence efforts. And most of these services are purchased via their standard agreement, leaving your organization no room to make demands or negotiate. Still, your organization bears the responsibility of conducting due diligence.
The question is how to get the information you need to evidence that you took reasonable care.
Over the years, I have learned several research techniques that can assist you when no information is available directly from the vendor.
While you may not be able to meet your standard due diligence evidence requirements, you can still demonstrate your efforts, which is always better than nothing.
Hopefully, this information was helpful, but I would love to hear from other members.