We have a vendor that would be providing our IT team with support. They would:
*have access to services that support our use of Microsoft's Cloud products and if they need to check and ensure things are working, any activity is recorded.
* train our employees and comply with our information security policies and report any exposures or incidents
What, if anything beyond the "basic" due diligence (COI, W9, business license, financials), would you request from them?