Expert Advice Community

Controls for a cloud provider

Guest user Created:   Mar 09, 2016 Last commented:   Mar 09, 2016

Does ISO 27001 certification require control maturity for systems that are new to a deliverable model? For example, if a business unit were to deploy a company-standard SQL image into a cloud provider's infrastructure, would the cloud provider have to have control maturity, or are the current controls in place for on-premise data centers sufficient?

Antonio Jose Segovia Mar 09, 2016

Answer:
I am sorry, but I am not sure if I have understood your question. Maturity is not a requirement of ISO 27001; the basic logic is to perform the risk assessment and apply the appropriate controls.

Anyway, if you have a standard SQL image in a cloud provider's infrastructure, and you can manage, for example, the information and the software, these assets need to be included in your risk assessment, and the security controls involved need to be implemented by your organization.

For other assets that you cannot manage (for example, the IT infrastructure of the cloud provider), if there are risks related to them, you can perform a treatment by establishing during the risk assessment that you transfer the risks related to these assets to the external company, which means that in this case the external company is responsible for the implementation of the security controls, although you can review whether these controls are implemented.

Anyway, keep in mind that ISO 27001 was not specifically developed for the cloud; for this you can use ISO 27017, so this article may be interesting for you: “ISO 27001 vs. ISO 27017 – Information security controls for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

This article related to the basic logic of ISO 27001 may also be interesting for you: "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

And also this article about handling supplier security: "6-step process for handling supplier security according to ISO 27001": https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
