What's the scenario? It'd be best to consult with a lawyer, but you're going to want to look at hiring processes, internal audit (i.e., how frequently permissions are reviewed), access controls, controls over data stored and in transit, physical security, SDLC, policies, security assessments, etc.
I'd be surprised if they let you do vulnerability assessments or penetration tests. I don't let any of our customers do that with our applications (high-level summary results are provided). However, I do allow them to conduct on-site audits and provide anything they ask for, within reason. You may want to see if you can perform an annual visit as well.
The day you stop learning is the day you start becoming obsolete.