I work a lot with startups who are too young and too small to have even thought about ISO27001 accreditation and complex security controls. In the absence of a recognised accreditation (which doesn't necessarily prove that your data is secure and private), a sensible approach is to ask your suppliers for their Technical and Operational Measures (TOM), which they should be able to give you under NDA. At the simplest level this can be a two-page document. My preference is to use an extract from the DPIA (assuming there is a Data Privacy Impact Assessment in place), as it's a good starting point for proving that your supplier processes data in line with GDPR principles…:
[…] There are many reasons why processors may refuse to accept specific security measures imposed by controllers. This is often a matter of economies of scale, where suppliers have designed their services to meet particular requirements and may not be in a position to implement bespoke security measures for every customer. Likewise, bargaining power often comes into play.
In those situations, the processor should be able to provide details of the technical and organisational measures it has in place as part of its own information security programme, as part of the diligence process to satisfy the controller that it can give appropriate guarantees of its security requirements.
And if the appropriate documentation exists, then clearly this can be set out in the contract, even if the supplier may require the ability to update it as part of the continuous development of services. It still pays to have a detailed set of information security measures set out in the contract.