Monday, October 5, 2009

Criteria for evaluating a cloud services provider

I was having some ideas about how cloud services providers could turn their investment in security into a competitive advantage. For this to be accomplished, there needs to be an established frame of reference.

So here are a few criteria for the evaluation of SaaS vendors, as a series of questions:
* have security requirements from legislation (e.g. the Privacy Act), regulation (e.g. PCI-DSS) and relevant best practice (e.g. ISO 27002) been recorded?
* has a security architecture been developed that considers both the application and the hosting infrastructure?
* does the application security architecture leverage the security functionality available in the application development framework?
* have security controls been tested functionally?
* has static code analysis for common security vulnerabilities been performed?
* has the security functionality in the framework been implemented?
* have security controls been tested for vulnerabilities by a qualified 3rd party?
* are release, change and configuration management processes in place?

1 comment:

Jarrod said...

Watch this space:
http://www.darkreading.com/securityservices/security/government/showArticle.jhtml?articleID=221600333

- J.
