Skip to main content

Glossary

CAIQ (Consensus Assessments Initiative Questionnaire)

The Consensus Assessments Initiative Questionnaire (CAIQ) is a standardized security questionnaire published by the Cloud Security Alliance (CSA). It gives cloud customers a consistent set of yes or no questions for evaluating a cloud provider's security controls, with each question mapped to the CSA Cloud Controls Matrix.

In practice

Cloud service providers complete the CAIQ to document how their controls address areas such as data security, identity and access management, encryption, and incident response. Because the format is standardized and widely recognized, a completed CAIQ often serves as a provider's default answer to routine cloud security due diligence, reducing the number of custom questionnaires it must field.

Buyers use the CAIQ in the opposite direction. A security or procurement team evaluating a SaaS product can request the vendor's completed CAIQ, or check whether one is already published, before deciding whether a deeper assessment is needed.

Many providers publish their completed CAIQ through the CSA's STAR registry, a public directory of cloud provider security assessments. For example, a SaaS company might publish its CAIQ to STAR so prospects can review its answers before, or instead of, sending their own questionnaire.

Keep reading

Related terms

For how cloud vendors manage the CAIQ alongside custom assessments, see the RocketDocs security questionnaire solution.

FAQ

Frequently asked questions

What does CAIQ stand for?

CAIQ stands for Consensus Assessments Initiative Questionnaire. It was created by the Cloud Security Alliance through an industry consensus process, which is where the name comes from, and it is commonly pronounced "cake."

How is the CAIQ different from the SIG?

The CAIQ is cloud-specific and maintained by the Cloud Security Alliance, with questions mapped to its Cloud Controls Matrix. The SIG, from Shared Assessments, covers third-party risk more broadly across outsourcing relationships, not just cloud services. Many vendors end up completing both.

Where is the CAIQ published?

The questionnaire itself is available from the Cloud Security Alliance. Completed CAIQs are often published in the CSA STAR registry, where providers submit self-assessments so customers can review security answers without requesting them directly.

From definition to response

See how RocketDocs turns these concepts into a working response process: approved content, private AI drafting, and audit trails your compliance team can trust.