CAIQ stands for Consensus Assessments Initiative Questionnaire, a standardized set of yes-or-no security questions designed for cloud service providers. Created by the Cloud Security Alliance (CSA), the CAIQ gives cloud vendors a structured way to document what security controls they have in place, and gives their customers a clear way to evaluate whether those controls are strong enough. If you’re researching cloud vendor security or preparing your own company for a security assessment, here’s how the CAIQ works and where it fits.
How the CAIQ Works
The CAIQ is a downloadable spreadsheet containing 261 questions. Each question maps directly to a specific control in CSA’s Cloud Controls Matrix (CCM), a control framework built specifically for cloud computing. CCM v4 contains 197 control objectives spread across 17 security domains covering areas like data protection, encryption and key management, identity and access management, logging and monitoring, and incident response.
The questions break each CCM control into concrete, checkable statements. A cloud service provider, whether it offers infrastructure (IaaS), platform (PaaS), or software (SaaS), answers Yes, No, or Not Applicable to each one and can add a short description of how the control is implemented. The result is a detailed snapshot of the provider’s security posture that potential customers can review before signing a contract.
For example, instead of a vague claim like “we take security seriously,” a provider’s completed CAIQ shows, control by control, whether it encrypts customer data, how it restricts and reviews access, and whether it has documented incident response procedures. This specificity is the core value of the questionnaire: a reviewer can see exactly which controls a provider claims and which it does not, and can ask follow-up questions about the gaps.
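As an added example (not part of the original article and not CSA tooling), here is a small Python triage script a customer-side reviewer could run over a completed CAIQ exported to CSV. It assumes a column layout with "Question ID", "CCM Control ID", "CSP CAIQ Answer" and "CSP Implementation Description", and that question IDs have the form DOMAIN-NN.M (for example CEK-03.2 as the second question under control CEK-03); check both assumptions against the copy of the spreadsheet you actually downloaded. The sample rows are constructed for the example, not real CAIQ questions. The script derives each question's parent control, validates the domain prefix against the 17 CCM v4 domains, tallies answers per domain, and flags the rows a reviewer should read first: No answers, Yes or NA answers with no explanation, and rows whose control column disagrees with their ID.

```python
import csv
import io
import re
from collections import defaultdict

# The 17 control domains of CCM v4, keyed by the abbreviation used in control IDs.
CCM_V4_DOMAINS = {
    "A&A": "Audit & Assurance",
    "AIS": "Application & Interface Security",
    "BCR": "Business Continuity Management & Operational Resilience",
    "CCC": "Change Control & Configuration Management",
    "CEK": "Cryptography, Encryption & Key Management",
    "DCS": "Datacenter Security",
    "DSP": "Data Security & Privacy Lifecycle Management",
    "GRC": "Governance, Risk & Compliance",
    "HRS": "Human Resources",
    "IAM": "Identity & Access Management",
    "IPY": "Interoperability & Portability",
    "IVS": "Infrastructure & Virtualization Security",
    "LOG": "Logging & Monitoring",
    "SEF": "Security Incident Management, E-Discovery & Cloud Forensics",
    "STA": "Supply Chain Management, Transparency & Accountability",
    "TVM": "Threat & Vulnerability Management",
    "UEM": "Universal Endpoint Management",
}

# Assumed ID layout: "<DOMAIN>-<control number>.<question number>", e.g. "CEK-03.2".
QUESTION_ID_RE = re.compile(r"^(?P<domain>[A-Z&]{3})-(?P<control>\d{2})\.(?P<q>\d+)$")
VALID_ANSWERS = {"Yes", "No", "NA"}

# Constructed sample rows (not real CAIQ questions); column names are an assumption.
SAMPLE_CAIQ = """\
Question ID,CCM Control ID,Question,CSP CAIQ Answer,CSP Implementation Description
A&A-01.1,A&A-01,Is an audit and assurance policy established and reviewed annually?,Yes,Policy reviewed each January by Internal Audit.
CEK-03.1,CEK-03,Is customer data encrypted at rest?,Yes,AES-256 via the cloud KMS on all volumes.
CEK-03.2,CEK-03,Are customer-managed keys supported?,No,Roadmap item for next year.
IAM-05.1,IAM-05,Is least privilege enforced for privileged access?,Yes,
SEF-02.1,SEF-02,Is there a documented incident response plan?,NA,
LOG-01.1,LOG-02,Is a logging and monitoring policy established?,Yes,SIEM-backed; policy LOG-POL-1.
XYZ-01.1,XYZ-01,Made-up domain to show validation,Yes,
"""


def control_id(question_id: str) -> str:
    """Map a CAIQ question ID to the CCM control it expands; reject unknown domains."""
    m = QUESTION_ID_RE.match(question_id.strip())
    if not m:
        raise ValueError(f"malformed question ID: {question_id!r}")
    domain = m.group("domain")
    if domain not in CCM_V4_DOMAINS:
        raise ValueError(f"unknown CCM domain {domain!r} in {question_id!r}")
    return f"{domain}-{m.group('control')}"


def triage(csv_text: str) -> dict:
    """Tally answers per domain and collect the rows a reviewer should read first.

    Returns {"by_domain": {domain: {"Yes": n, "No": n, "NA": n}},
             "findings": [(question_id, kind, detail), ...]} in sheet order.
    """
    by_domain = defaultdict(lambda: {"Yes": 0, "No": 0, "NA": 0})
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        qid = row["Question ID"].strip()
        try:
            ctrl = control_id(qid)
        except ValueError as exc:
            findings.append((qid, "malformed", str(exc)))
            continue
        # The sheet's own control column must agree with the control implied by the ID.
        if row["CCM Control ID"].strip() != ctrl:
            findings.append((qid, "control-mismatch",
                             f"row says {row['CCM Control ID'].strip()!r}, ID implies {ctrl!r}"))
        answer = row["CSP CAIQ Answer"].strip()
        note = row["CSP Implementation Description"].strip()
        if answer not in VALID_ANSWERS:
            findings.append((qid, "invalid-answer", answer))
            continue
        by_domain[ctrl.split("-")[0]][answer] += 1
        if answer == "No":
            findings.append((qid, "gap", note or "(no explanation given)"))
        elif answer == "NA" and not note:
            findings.append((qid, "unjustified-na", "NA without explanation"))
        elif answer == "Yes" and not note:
            findings.append((qid, "unsupported-yes", "Yes with no implementation description"))
    return {"by_domain": dict(by_domain), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_CAIQ)
    for domain, counts in sorted(result["by_domain"].items()):
        print(f"{domain:4} {CCM_V4_DOMAINS[domain]:<60} {counts}")
    for qid, kind, detail in result["findings"]:
        print(f"{kind:17} {qid:10} {detail}")
```

The findings list, not the Yes count, is what drives the follow-up conversation with the vendor: a gap is a control the provider admits it lacks, while an unsupported Yes or an unjustified NA is a claim you cannot evaluate from the questionnaire alone.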
Who Uses It and Why
Two groups benefit from the CAIQ. Cloud service providers use it to document and demonstrate their security practices. Customers evaluating those providers use completed CAIQs to compare vendors and make informed purchasing decisions during the vendor risk assessment process.
For providers, filling out the CAIQ serves double duty. It forces an internal review of security practices against an industry-recognized control set, and it produces a document that can be shared with prospective customers or submitted to a public registry. For customers, receiving a completed CAIQ eliminates the need to design a custom security questionnaire from scratch, saving weeks of back-and-forth during procurement.
The CSA STAR Registry
Providers that complete the CAIQ can submit it to CSA’s STAR (Security, Trust, Assurance and Risk) Registry for a STAR Level 1 listing. Level 1 is a self-assessment, not a certification: the provider fills out the questionnaire on its own rather than undergoing a third-party audit (third-party certification and attestation come at STAR Level 2). Submissions need to be updated annually to stay current.
Once listed on the STAR Registry, a provider’s completed CAIQ becomes publicly accessible. Customers can search the registry to find and compare providers without needing to request the information directly. This public visibility gives providers an incentive to be thorough and honest, since anyone can review their answers. It does not, however, verify those answers; a self-assessed “Yes” is still a claim, and customers should check the ones that matter to them against evidence such as an audit report or a follow-up question.
CSA also offers an optional enhancement called Valid-AI-ted, which uses AI to automatically score a CAIQ submission against the CCM. This costs $595, though CSA corporate members can use it at no cost. Providers that pass receive a STAR Level 1 Valid-AI-ted badge on the registry, along with detailed feedback on their answers.
CAIQ Lite for Smaller Companies
The full 261-question CAIQ can be a heavy lift for startups and small to mid-sized companies with limited security staff. CSA offers a streamlined version called CAIQ Lite, which condenses the questionnaire to 71 questions while still covering all the CCM control domains. It’s designed as a practical starting point for companies working toward a full Level 1 self-assessment, and it works well for faster engagements between cloud customers and providers when a deep-dive assessment isn’t necessary.
Current Version
The latest release is CAIQ v4.1, which aligns with CCM v4.1. This version includes updated mappings to other industry standards and revised auditing guidelines. CSA publishes a change analysis document that details which questions shifted between versions, so providers upgrading from a prior submission can see exactly what needs updating rather than starting from scratch.
When downloading the CAIQ, note that CSA offers two versions of the spreadsheet. One bundles the CAIQ with the full CCM and is intended as a reference only. The separate standalone CAIQ v4 spreadsheet is the one you need to fill out and submit to the STAR registry.
How CAIQ Compares to Other Questionnaires
The CAIQ is purpose-built for cloud providers, which makes it the right tool when you’re specifically evaluating IaaS, PaaS, or SaaS vendors. But it’s not the only security questionnaire in use.
The Standardized Information Gathering (SIG) Questionnaire covers a broader scope. SIG Core contains more than 1,200 questions and assesses cybersecurity, IT, privacy, and operational risk across all types of third-party vendors, not just cloud providers. Its lighter version, SIG Lite, trims that down to under 200 questions for vendors with lower inherent risk or during early-stage onboarding.
Many organizations use a tiered approach: CAIQ or CAIQ Lite when evaluating cloud service providers specifically, and SIG Core or SIG Lite for non-cloud third parties. A SOC 2 report, by contrast, is not a questionnaire at all but rather an independent audit conducted by a CPA firm. It covers similar territory but provides third-party verification rather than self-reported answers. Providers often maintain both a completed CAIQ and a SOC 2 report, since customers may request either one depending on their own compliance requirements.
Getting Started With the CAIQ
The CAIQ spreadsheet is free to download from CSA’s website. If you’re a cloud provider, download the standalone CAIQ v4 submission version, work through the questions with your security and operations teams, and decide whether to submit to the STAR registry. If you’re a customer evaluating providers, check the STAR registry first to see if your vendor has already submitted one. If not, you can send them the blank CAIQ and ask them to complete it as part of your procurement process.
Because the questions are structured as Yes/No/NA with space for additional explanation, the format is straightforward to work through even without deep compliance expertise. The CCM documentation provides context for each control domain, which helps if a question’s intent isn’t immediately clear. When reviewing a completed CAIQ, read the explanation column as closely as the answer column: a “Yes” with no implementation description, or an “NA” with no justification, is a claim you cannot evaluate and belongs on your follow-up list.

