During the certification audit, the auditor might look for the following evidence regarding control A.5.23 Information security for use of cloud services: if security requirements for cloud services are defined, and if the cloud is managed accordingly.

Examples:
A company has defined in its Supplier Security Policy how security requirements for cloud services are defined and managed — the auditor might ask to see several contracts signed with cloud providers to see if security clauses were included, and if cloud services are monitored accordingly.