We believe that in our case we do not need to have these controls in place. We are using our IMSM to confirm adherence to HIPAA and GDPR compliance. In the SoA we are going to state:
Our current suppliers are all well-established, best-in-class solutions that have already proven to be suitable for our requirements and were chosen with security of data in mind. All our classified software suppliers are ISO 27001:2013 certified, HIPAA compliant and GDPR compliant. We have standard agreements that take into account the Confidentiality, Integrity and Availability of the data.
Does this seem like a reasonable rationale? We use large providers like AWS, so we can't expect that they would sign agreements with us.