A financial organization is evaluating a cloud provider to host its critical data and services. They need to ensure the provider complies with ISO/IEC 27017 for cloud-specific security, offers data encryption, and supports robust identity management. What should the organization prioritize FIRST in the evaluation process?