The CAIQ questionnaire, short for Consensus Assessments Initiative Questionnaire, is a standardized security assessment from the Cloud Security Alliance. It documents a cloud provider's security controls in a yes or no format mapped to the Cloud Controls Matrix, so buyers can evaluate vendor risk consistently and vendors can answer one questionnaire instead of hundreds of custom ones.
If you sell cloud software to enterprises, the CAIQ shows up early in procurement and security review. This guide covers what the CAIQ questionnaire asks, how version 4 maps to the Cloud Controls Matrix, how it compares to the SIG, and how response teams answer it faster without sacrificing accuracy.

What is the CAIQ questionnaire?
The CAIQ questionnaire is published by the Cloud Security Alliance, the nonprofit that defines best practices for cloud security. Version 4 folds the CAIQ directly into the Cloud Controls Matrix, so each of its 261 yes or no questions maps to a specific control specification across 17 security domains, from identity and access management to incident response and supply chain management.
Two things make the CAIQ different from most security questionnaires. First, it is fully standardized: every buyer sees the same questions, so an answer you approve once stays valid everywhere. Second, it is publishable. Vendors can submit a completed CAIQ to the CSA STAR Registry as a Level 1 self-assessment, giving prospects a public record of your security posture before they ever send a questionnaire of their own.
CAIQ vs SIG vs custom security questionnaires
Most response teams juggle all three formats in the same quarter. The table below shows where the CAIQ fits.
| DIMENSION | CAIQ | SIG | CUSTOM QUESTIONNAIRES |
|---|---|---|---|
| Maintained by | Cloud Security Alliance | Shared Assessments | Individual buyers |
| Focus | Cloud service security controls | Broad third-party risk | Whatever the buyer decides |
| Format | Yes or no answers mapped to the Cloud Controls Matrix | Multi-tab Excel across risk domains | Varies by buyer, often Excel or a portal |
| Question volume | 261 questions in version 4 | Hundreds in SIG Core, fewer in SIG Lite | Anywhere from 20 to 1,000 plus |
| Public sharing | Can be published to the CSA STAR Registry | Shared privately per request | Shared privately per request |
| Best for | Cloud providers proving security once | Enterprise vendor risk programs | Buyer-specific requirements |
The overlap matters more than the differences. All three formats ask about the same underlying controls: encryption, access management, business continuity, incident response. Teams that maintain one governed answer library reuse the same approved content across the CAIQ, the SIG, and every custom variant. For a closer look at the SIG side, see our SIG questionnaire guide.
How the CAIQ questionnaire is structured
The 17 domains of the Cloud Controls Matrix organize the questionnaire, covering areas such as audit and assurance, application and interface security, cryptography and key management, data security and privacy lifecycle management, identity and access management, infrastructure and virtualization, and threat and vulnerability management. Each question expects a yes, no, or not applicable answer, plus a note on whether the control is owned by the provider, the customer, or shared. That shared security responsibility column is a point of emphasis in version 4, and it is where careless answers create audit trouble later.
CAIQ-Lite
CAIQ-Lite is a condensed subset built for lower-risk vendor assessments and faster procurement cycles. Buyers use it as a first-pass screen, much the way they use SIG Lite. If you maintain current answers for the full CAIQ, the Lite version is already covered.
How to respond to a CAIQ questionnaire
A CAIQ response is a coordination problem more than a writing problem. The questions are stable and public; the work is getting accurate, current answers from the right owners quickly. Four habits separate fast teams from slow ones.

Answer from an approved library
Store every approved CAIQ answer in a governed content library with a named owner and a review date on each entry. Because CAIQ questions are standardized, exact-match autofill can populate the bulk of a new request instantly, and your team reviews instead of rewrites.
Keep the yes or no honest
Buyer security teams and auditors read a CAIQ as a set of claims. Answering yes to a control you only partially operate is worse than a documented no with a remediation date. Track caveats in the notes column and keep them consistent across every copy you send out, because inconsistent answers across prospects are exactly what a due diligence reviewer is trained to catch.
Route new questions to SMEs with deadlines
When a buyer stacks custom questions on top of the CAIQ, route each one to the subject matter expert who owns that domain, with a due date and an approval gate. Security signs off on the final document instead of scrambling at the deadline, and the new answers flow back into the library for next time.
Publish to STAR to cut questionnaire volume
A STAR Level 1 listing answers many prospects before they ask. It does not eliminate questionnaires, but it shortens them, and it signals a mature security program to buyers comparing vendors side by side.
Automate CAIQ responses without losing accuracy

Because the CAIQ is standardized and recurring, it is one of the easiest questionnaires to automate well. Purpose-built security questionnaire software parses the workbook, autofills approved answers, flags anything AI-drafted for human review, and keeps a full audit trail of who approved what and when. Teams in regulated industries add one more requirement: the AI drafting those answers should never send security content to a public model. That is the architecture behind RocketDocs' private AI, which drafts from your approved knowledge base inside a controlled environment.
If your team still rebuilds the CAIQ from scratch for every deal, RocketDocs can turn it into a repeatable, audit-ready workflow. Book a demo built around your real questionnaires and see how much of the next CAIQ you never have to write again.
Looking for the platform behind this? See the RocketDocs platform or book a demo.