An industry-accepted way to document what security controls exist in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software as-a-service (SaaS) environments and is available through the Cloud Security Alliance (CSA). If your vendor has a CAIQ completed, you should have it assessed to ensure their posture aligns with your expectations, the cloud control matrix, and industry best practices.