Look Beyond Security Certifications
Security certifications should certainly be on your checklist, but the truth is that the conditions required to achieve certifications are necessary, but not sufficient to ensure security. While certifications are a quick way to see if a provider has met certain industry standards, a secure environment relies on a continuous monitoring, remediation and improvement process.
Certifications are effectively point-in-time snapshots of a cloud platform and supporting processes. In the time that it takes for a certification to be achieved, audited by a third party and certified, it is entirely possible for results to be outdated before the ink is dry on the certificate. Ask your prospective provider(s) how they ensure continuous compliance, and what their policies are vis-à-vis notifications of any lapses. Favor those with the greatest transparency.