What is the CAIQ? A Complete Guide for SaaS Companies

Learn what the Consensus Assessments Initiative Questionnaire (CAIQ) is, why SaaS companies receive it from prospects, and how SOC 2 and ISO 27001 certifications make completing it faster.


Key Takeaways

  • CAIQ (Consensus Assessments Initiative Questionnaire) is a standardized security questionnaire from the Cloud Security Alliance containing 261 yes/no questions across 17 control domains.
  • Enterprise prospects use CAIQ to evaluate cloud provider security before signing contracts, making it a common request for SaaS companies selling to larger organizations.
  • CAIQ maps directly to the CCM (Cloud Controls Matrix), the de facto security framework for cloud services. Completing it demonstrates alignment with industry-standard controls.
  • SOC 2 and ISO 27001 certifications cover most CAIQ questions, allowing certified companies to complete the questionnaire in hours rather than days.
  • Publishing a completed CAIQ on the CSA STAR Registry provides public evidence of your security posture and reduces repetitive questionnaire requests.

If you're a SaaS company selling to enterprise customers, you've likely received a spreadsheet titled "CAIQ" during the procurement process. Your prospect's security team wants you to fill out 261 questions about your security controls before they'll approve the purchase. This guide explains what the CAIQ is, why it exists, and how to complete it efficiently.

What is the CAIQ?

The Consensus Assessments Initiative Questionnaire (CAIQ) is a standardized security questionnaire developed by the Cloud Security Alliance (CSA). It's designed to help organizations evaluate the security posture of cloud service providers through a consistent set of questions.

The current version, CAIQ v4, contains 261 questions organized across 17 security control domains. Each is answered Yes, No, or Not Applicable, and each maps directly to a control in the CSA's Cloud Controls Matrix (CCM), the underlying security framework. CAIQ v4 also carries Shared Security Responsibility Model (SSRM) columns that record who owns each control: you, your customer, or an upstream provider such as your IaaS platform.

Here's what makes CAIQ different from the dozens of other security questionnaires you might receive:

Standardization. Unlike custom security questionnaires that vary between organizations, CAIQ uses a fixed set of questions based on established cloud security controls. This means the same answers can be reused across multiple prospects who request it.

Industry consensus. The CSA developed CAIQ through collaboration between security professionals, cloud providers, and enterprise buyers. The questions represent agreed-upon security expectations for cloud services.

Framework alignment. CAIQ questions map to the Cloud Controls Matrix, which itself aligns with other frameworks like SOC 2, ISO 27001, NIST CSF, and PCI DSS. If you're already compliant with these frameworks, you've implemented most of what CAIQ asks about.

Who Created the CAIQ and Why?

The Cloud Security Alliance (CSA) created the CAIQ in the early 2010s as part of their broader effort to improve cloud security standards. The CSA is a nonprofit organization focused on defining and promoting best practices for secure cloud computing.

The motivation behind CAIQ was practical: enterprise organizations evaluating cloud providers needed a consistent way to assess security across different vendors. Before CAIQ existed, every company created their own security questionnaire, leading to:

  • Inconsistent questions that didn't cover critical areas
  • Duplicated effort for cloud providers answering similar questions repeatedly
  • Difficulty comparing security postures between vendors
  • No industry-wide agreement on what "good" cloud security meant

CAIQ solved these problems by creating a standardized questionnaire that both buyers and providers could rely on. When a prospect sends you a CAIQ, they're essentially asking: "Do you implement the security controls that the industry has agreed cloud providers should have?"

How CAIQ Relates to the Cloud Controls Matrix (CCM)

The CAIQ is the questionnaire version of the Cloud Controls Matrix (CCM). Think of CCM as the framework that defines what security controls should exist in cloud environments, and CAIQ as the tool that asks whether you've implemented those controls.

The CCM v4 framework includes 197 control specifications across 17 domains. CAIQ breaks each control into one or more yes/no questions that probe implementation. For example, the CEK domain's control on encryption of data at rest is covered by several questions: whether data at rest is encrypted, whether the algorithms and key lengths follow an approved standard, and whether key generation, storage, and rotation are managed under a defined process.

The 17 CCM Control Domains

The CAIQ questions are organized into these 17 domains:

  • Audit & Assurance (A&A): audit planning, independent assessments, compliance
  • Application & Interface Security (AIS): application security, API security, secure development
  • Business Continuity Management and Operational Resilience (BCR): disaster recovery, operational resilience, backup
  • Change Control & Configuration Management (CCC): change management, baseline configurations
  • Cryptography, Encryption & Key Management (CEK): encryption standards, key lifecycle management
  • Datacenter Security (DCS): physical security, environmental controls
  • Data Security & Privacy Lifecycle Management (DSP): data classification, retention, privacy controls
  • Governance, Risk and Compliance (GRC): policies, risk management, regulatory compliance
  • Human Resources (HRS): background checks, security training, termination
  • Identity & Access Management (IAM): authentication, authorization, access reviews
  • Interoperability & Portability (IPY): data portability, vendor lock-in mitigation
  • Infrastructure & Virtualization Security (IVS): network security, hypervisor security, segmentation
  • Logging and Monitoring (LOG): log management, security monitoring, alerting
  • Security Incident Management, E-Discovery, & Cloud Forensics (SEF): incident response, forensics, breach notification
  • Supply Chain Management, Transparency, and Accountability (STA): third-party risk, vendor assessment
  • Threat & Vulnerability Management (TVM): vulnerability scanning, penetration testing, patching
  • Universal Endpoint Management (UEM): endpoint security, mobile device management

When you complete a CAIQ, you're documenting your security controls across each of these domains.

Why SaaS Companies Receive CAIQ Requests

If you sell B2B SaaS, especially to enterprises, you'll receive CAIQ requests as part of the vendor security review process. Here's why this happens:

Enterprise Procurement Requirements

Large organizations have formal vendor risk management programs. Before approving a new software purchase, the security team evaluates whether the vendor meets their security standards. The CAIQ provides a structured way to conduct this evaluation.

From the buyer's perspective, the CAIQ answers critical questions:

  • Does this vendor implement reasonable security controls?
  • How does this vendor's security compare to alternatives we're evaluating?
  • Will using this vendor introduce unacceptable risk to our organization?

Regulatory and Compliance Pressures

Many enterprises face regulatory requirements that mandate third-party risk assessment. Financial institutions subject to GLBA and SOX, healthcare organizations under HIPAA, and companies subject to GDPR all need to demonstrate they've evaluated vendor security. The CAIQ provides documentation that satisfies auditors.

Standardization Across Vendors

Security teams evaluating multiple vendors prefer using a standardized questionnaire. If they receive completed CAIQs from all vendors being considered, they can directly compare security capabilities. This is easier than trying to normalize responses from ten different custom questionnaires.

The CAIQ as a Sales Blocker

Here's the reality: if a prospect's security team requires CAIQ completion and you don't provide it (or provide an incomplete response), the deal stalls. Security sign-off is typically a prerequisite for contract approval at enterprise organizations. The CAIQ isn't optional if your buyer requires it.

What the CAIQ Covers: A Closer Look at Key Domains

While all 17 domains matter, certain areas receive particular scrutiny from enterprise security teams evaluating SaaS vendors.

Identity & Access Management (IAM)

Questions in this domain probe how you control access to your systems and customer data. Expect questions about:

  • Multi-factor authentication for administrative access
  • Role-based access control implementation
  • Access review and recertification processes
  • Password policies and credential management
  • Privileged access management

For SaaS companies, IAM is typically the highest-scrutiny area because access control directly determines who can reach customer data.

Data Security & Privacy (DSP)

These questions focus on how you protect customer data throughout its lifecycle:

  • Data classification schemes
  • Encryption at rest and in transit
  • Data retention and deletion procedures
  • Privacy impact assessments
  • Cross-border data transfer controls

Prospects want assurance that their data is protected and handled according to privacy requirements.

Cryptography, Encryption & Key Management (CEK)

Encryption implementation details matter to security teams:

  • Encryption algorithms and key lengths
  • Key generation, storage, and rotation procedures
  • Certificate management
  • Cryptographic controls for data protection

Security Incident Management (SEF)

How you detect, respond to, and communicate about security incidents:

  • Incident response procedures
  • Breach notification timelines
  • Forensic investigation capabilities
  • Incident documentation and lessons learned

Supply Chain Management (STA)

Your security is only as strong as your weakest vendor. Expect questions about:

  • Third-party risk assessment procedures
  • Vendor security reviews
  • Subprocessor management
  • Supply chain transparency

For a detailed breakdown of which vendors belong in your security program, see our guide on vendor management for SOC 2 and ISO 27001.

CAIQ vs. Security Questionnaires: Similarities and Differences

The CAIQ is one type of security questionnaire, but it's not the only one you'll encounter. Understanding how it compares to other formats helps you manage the overall questionnaire burden.

Standardized vs. Custom Questionnaires

CAIQ is standardized. The 261 questions are fixed, meaning every organization that uses CAIQ sends you the same form. This has major advantages: you can prepare answers once and reuse them, and you know exactly what to expect.

Custom questionnaires vary by organization. Some companies create their own security questionnaires with anywhere from 50 to 500+ questions. These may overlap with CAIQ but include organization-specific concerns. You'll need to answer each custom questionnaire individually.

Common Standardized Questionnaires

Besides CAIQ, you may encounter:

SIG (Standardized Information Gathering): Maintained by Shared Assessments, SIG is another widely used standardized questionnaire. It comes in two versions: SIG Lite (a shorter set for lower-risk vendors) and SIG Core (the comprehensive assessment).

VSA Questionnaire (Vendor Security Alliance): Published by the Vendor Security Alliance, a group of technology companies, it focuses specifically on software vendor security with a more targeted question set. Don't confuse it with Google's open-source VSAQ (Vendor Security Assessment Questionnaire), which is a framework for building interactive questionnaires rather than a fixed set of questions.

SOC 2 Report: While not a questionnaire, your SOC 2 Type 2 report often satisfies security review requirements. Many enterprises accept a SOC 2 report in lieu of a completed questionnaire.

The Questionnaire Problem for SaaS Companies

Here's the challenge: even with standardized questionnaires like CAIQ, SaaS companies often spend 5-20 hours per week responding to security questionnaires from prospects. As you close more enterprise deals, this burden scales.

The strategic response is to:

  1. Complete the CAIQ proactively and publish it (more on this below)
  2. Achieve SOC 2 and ISO 27001 certifications to address most questions
  3. Build a library of standard responses for common questions
  4. Consider security questionnaire automation tools for high volume

The STAR Registry: Publishing Your CAIQ

The CSA STAR (Security, Trust, Assurance, and Risk) Registry is a public database where cloud providers can publish their completed CAIQ. This creates visibility into your security posture and reduces repetitive questionnaire requests.

STAR Registry Levels

The STAR program has multiple levels:

Level 1: Self-Assessment
Submit your completed CAIQ (or CCM self-assessment) to appear in the registry. No third-party validation required. This is the entry point for most organizations.

Level 2: Third-Party Certification
Requires an independent audit that incorporates CCM requirements. There are two pathways: STAR Attestation (a SOC 2 engagement with CCM criteria added) or STAR Certification (an ISO 27001 certification with CCM controls integrated). Both provide verified assurance rather than self-reported answers. Note that Level 2 involves third-party audit costs.

Level 3: Continuous Monitoring
The most rigorous level, requiring ongoing monitoring and real-time security reporting. Few organizations pursue Level 3.

Benefits of STAR Registration

Reduced questionnaire volume. When prospects can view your CAIQ answers in the public registry, some skip sending you a questionnaire entirely.

Sales enablement. Include your STAR Registry link in security documentation, sales materials, and RFP responses. It demonstrates proactive security transparency.

Industry credibility. Appearing in the STAR Registry alongside major cloud providers signals that you take cloud security seriously.

SEO and discovery. Prospects researching cloud security may find your STAR listing during due diligence.

Important Clarification: CAIQ Is Not a Certification

A common misconception: completing and publishing a CAIQ does not make you "CAIQ certified." There's no such thing as CAIQ certification. The CAIQ is a self-assessment tool. STAR Level 1 registration acknowledges your self-reported security controls but doesn't independently verify them.

For verified assurance, you need STAR Level 2, which requires a third-party audit (SOC 2 or ISO 27001 with CCM alignment).

How SOC 2 and ISO 27001 Help Answer CAIQ Questions Faster

If you already have SOC 2 or ISO 27001 certification, you've implemented most of the controls CAIQ asks about. This dramatically reduces the effort required to complete the questionnaire.

Control Mapping Between Frameworks

The frameworks overlap significantly:

  • Identity & Access Management (IAM): SOC 2 CC6.1-CC6.3 (logical access controls); ISO 27001 A.5.15-5.18, A.8.2-8.5
  • Data Security & Privacy (DSP): SOC 2 CC6.1 and CC6.7 (protection and transmission of data), plus C1.1-C1.2 if the confidentiality criteria are in scope; ISO 27001 A.5.12-5.14, A.5.34, A.8.10-8.12
  • Cryptography, Encryption & Key Management (CEK): SOC 2 CC6.1, CC6.7; ISO 27001 A.8.24
  • Logging and Monitoring (LOG): SOC 2 CC7.2 (monitoring for anomalies); ISO 27001 A.8.15-8.16
  • Security Incident Management (SEF): SOC 2 CC7.3-CC7.5 (response and recovery); ISO 27001 A.5.24-5.28
  • Business Continuity (BCR): SOC 2 A1.1-A1.3 (availability criteria); ISO 27001 A.5.29-5.30
  • Change Control (CCC): SOC 2 CC8.1 (change management); ISO 27001 A.8.32

The ISO references use the Annex A numbering of the 2022 edition; if your certificate is against ISO 27001:2013, map through the transition table in the standard. Treat this mapping as a shortcut, not a substitute: the CSA publishes its own CCM-to-framework mappings, and some CAIQ questions, such as those in the Interoperability & Portability (IPY) domain and the SSRM ownership columns, have no direct SOC 2 or ISO 27001 counterpart and must be answered from scratch.

Practical Benefits for CAIQ Completion

Evidence exists. For most CAIQ questions, you can point to existing policies, procedures, and audit evidence from your SOC 2 or ISO 27001 program.

Answers are already documented. Your SOC 2 system description and ISO 27001 Statement of Applicability contain detailed descriptions of your controls.

Confidence in "Yes" answers. When your controls have been audited by a third party, you can confidently answer "Yes" to CAIQ questions about those controls.

Faster completion. Companies with SOC 2 and ISO 27001 typically complete CAIQ in 2-4 hours. Without certifications, the same questionnaire might take 2-3 days.

Practical Tips for SaaS Companies Facing Their First CAIQ

If you've just received your first CAIQ request, here's how to approach it systematically.

Before You Start

Read the instructions. CAIQ includes guidance on how to interpret and answer questions. Some questions may not apply to your service model.

Identify your service model. CAIQ questions assume an IaaS, PaaS, or SaaS delivery model, and some apply only to certain models. Reserve "Not Applicable" for controls that genuinely have no counterpart in your service. Controls you inherit from AWS, Azure, or GCP, such as physical security in the Datacenter Security (DCS) domain, are not "Not Applicable": the control exists, you just don't operate it. CAIQ v4 has Shared Security Responsibility Model (SSRM) columns for exactly this case. Mark the control as provider-owned (3rd-party outsourced, or shared where you configure part of it) and say in the notes which provider handles it.

Leverage your cloud provider's CAIQ. If you're built on a major cloud platform, many infrastructure-level CAIQ questions can reference your provider's published CAIQ response. AWS, Azure, and GCP all publish their completed CAIQs on the STAR Registry. For shared responsibility questions, explain which controls your provider handles and which you manage.

Gather your documentation. Collect your security policies, procedures, and technical documentation before starting. You'll reference these throughout.

Answering Questions Effectively

Yes means implemented. Only answer "Yes" if you have the control fully implemented and can provide evidence. Don't answer "Yes" to controls you plan to implement.

Use the notes field. CAIQ includes space for additional context. Use it to explain your implementation, reference documentation, or clarify scope.

Be consistent. If multiple questions address related controls, ensure your answers align. Inconsistent responses raise red flags.

Document exceptions. If you answer "No" or "Not Applicable," explain why. A clear rationale is better than an unexplained negative response.
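As an added example (not CSA tooling and not code from the original article), the following Python linter applies the answering rules above to a CAIQ answer sheet exported to CSV. It flags No or Not Applicable answers with no rationale, duplicate rows that disagree with each other, invalid answer or ownership values, and controls marked as inherited from a provider (the shared-responsibility case from the "Leverage your cloud provider's CAIQ" tip) whose notes don't say which provider. The column names, the SSRM ownership vocabulary, and the sample rows are assumptions constructed for this example; the real CAIQ v4 workbook has more columns, so adjust the header names to match your export.

```python
"""CAIQ answer-sheet linter (added example; not CSA tooling or the article's code).

Assumes a CAIQ v4 response exported to CSV with the columns
question_id, answer, ssrm_ownership, notes. Those column names, the
ownership vocabulary and the sample rows below are assumptions for this
example; adjust them to match your own export.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# The 17 CCM v4 domain abbreviations; used to reject malformed question IDs.
DOMAINS = {"A&A", "AIS", "BCR", "CCC", "CEK", "DCS", "DSP", "GRC", "HRS",
           "IAM", "IPY", "IVS", "LOG", "SEF", "STA", "TVM", "UEM"}
# CAIQ v4 IDs look like IAM-01.1: domain, control number, question number.
QUESTION_ID = re.compile(r"^(?P<domain>[A-Z&]{2,4})-\d{2}\.\d+$")

VALID_ANSWERS = {"Yes", "No", "NA"}
# SSRM ownership values (assumed to match the CAIQ v4 column). From a SaaS
# provider's seat, CSP = you, CSC = your customer, 3rd party = e.g. AWS.
INHERITED = {"3rd-party outsourced", "Shared CSP and 3rd party"}
VALID_OWNERSHIP = INHERITED | {"CSP-owned", "CSC-owned", "Shared CSP and CSC"}

# Constructed sample sheet, deliberately seeded with the mistakes to catch.
SAMPLE_CSV = """\
question_id,answer,ssrm_ownership,notes
IAM-01.1,Yes,CSP-owned,MFA enforced on all admin consoles; see policy ADM-01
IAM-05.1,Yes,CSP-owned,
IAM-08.1,No,CSP-owned,
DCS-01.1,Yes,3rd-party outsourced,Physical security inherited from AWS; see AWS entry in CSA STAR Registry
DCS-02.1,NA,3rd-party outsourced,
CEK-03.1,Yes,CSP-owned,AES-256 at rest via cloud KMS; annual key rotation
CEK-03.1,No,CSP-owned,Stale row copied from last year's sheet
SEF-03.1,Maybe,CSP-owned,
XYZ-01.1,Yes,CSP-owned,
"""


def lint_caiq(csv_text):
    """Check one CAIQ answer sheet.

    Returns (findings, per_domain): findings is a list of
    (question_id, code, message) tuples; per_domain maps each domain
    abbreviation to a Counter of Yes/No/NA answers.
    """
    findings = []
    per_domain = defaultdict(Counter)
    first_answer = {}  # question_id -> answer seen first, for duplicate rows

    for row in csv.DictReader(io.StringIO(csv_text)):
        qid = row["question_id"].strip()
        answer = row["answer"].strip()
        owner = row["ssrm_ownership"].strip()
        notes = row["notes"].strip()

        match = QUESTION_ID.match(qid)
        if not match or match.group("domain") not in DOMAINS:
            findings.append((qid, "bad-id", "not a CAIQ v4 question ID"))
            continue
        if answer not in VALID_ANSWERS:
            findings.append((qid, "bad-answer",
                             f"answer must be Yes, No or NA, got {answer!r}"))
            continue
        per_domain[match.group("domain")][answer] += 1

        if owner not in VALID_OWNERSHIP:
            findings.append((qid, "bad-ownership",
                             f"unknown SSRM ownership value {owner!r}"))

        # Be consistent: the same question must not carry two answers.
        if qid in first_answer and first_answer[qid] != answer:
            findings.append((qid, "inconsistent",
                             f"duplicate rows answer {first_answer[qid]} and {answer}"))
        first_answer.setdefault(qid, answer)

        # Document exceptions: a bare No or NA reads as an unexplained gap.
        if answer in ("No", "NA") and not notes:
            findings.append((qid, "unexplained",
                             f"{answer} with no rationale in notes"))

        # Shared responsibility: inherited controls must name the provider
        # so the reviewer can check its published CAIQ.
        if owner in INHERITED and not notes:
            findings.append((qid, "inherited-unreferenced",
                             "control is inherited but notes do not say "
                             "from which provider"))

    return findings, dict(per_domain)


if __name__ == "__main__":
    found, counts = lint_caiq(SAMPLE_CSV)
    for qid, code, message in found:
        print(f"{qid:<10} {code:<22} {message}")
    for domain, counter in sorted(counts.items()):
        print(f"{domain}: {dict(counter)}")
```

Run it as a script to see the six findings the constructed sample is seeded with, plus the Yes/No/NA tally per domain; pass the text of your own CSV export to lint_caiq() to check a real sheet before it goes to a prospect. The per-domain tally is worth a glance on its own: a domain answered mostly No or NA is where a reviewer will dig first.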

Common Pitfalls to Avoid

Over-claiming. Don't answer "Yes" to controls you haven't implemented. Prospects may validate your answers during deeper due diligence.

Under-claiming. Don't answer "No" to controls you've implemented but can't immediately document. Take time to verify before defaulting to negative responses.

Rushing. A hastily completed CAIQ with inconsistent or incomplete answers creates a worse impression than a delayed but thorough response.

After Completion

Archive your answers. Save your completed CAIQ for reuse. The next prospect who requests it will get faster turnaround.

Consider STAR registration. Publishing to the STAR Registry can reduce future questionnaire requests.

Update annually. Your security controls evolve. Review and update your CAIQ answers at least annually.

CAIQ-Lite: The Condensed Alternative

The CSA also offers CAIQ-Lite, a shorter version containing 124 questions (compared to 261 in the full CAIQ). It covers all 17 control domains but with fewer questions per domain.

CAIQ-Lite is designed for scenarios where the full questionnaire is excessive:

  • Lower-risk vendor assessments
  • Initial screening before deeper due diligence
  • Situations where the prospect needs a quick security overview

If a prospect offers the choice between CAIQ and CAIQ-Lite, and you don't have a completed full CAIQ ready, CAIQ-Lite can be a faster option that still demonstrates security maturity.

How Bastion Helps with CAIQ and Security Questionnaires

Completing security questionnaires efficiently requires two things: having the right controls in place and being able to document them clearly. This is where compliance certification pays dividends.

Bastion helps SaaS companies achieve SOC 2 and ISO 27001 certifications through managed compliance services. Once certified, you'll have:

  • Documented policies and procedures that map directly to CAIQ questions
  • Audit-tested controls that give you confidence in your "Yes" answers
  • Evidence repositories that support detailed questionnaire responses
  • Certification reports that many prospects accept in lieu of detailed questionnaires

The investment in compliance certification reduces your long-term questionnaire burden while strengthening your actual security posture.


Frequently Asked Questions

What does CAIQ stand for?
CAIQ stands for Consensus Assessments Initiative Questionnaire. It's a standardized security questionnaire developed by the Cloud Security Alliance (CSA) to help organizations evaluate cloud service provider security.

How many questions does the CAIQ contain?
The full CAIQ v4 contains 261 questions. CAIQ-Lite, a condensed version, contains 124 questions covering the same 17 control domains.

Is the CAIQ a certification?
No. CAIQ is a self-assessment questionnaire, not a certification. Completing the CAIQ does not result in certification. However, you can publish your completed CAIQ to the CSA STAR Registry (Level 1) or pursue STAR Level 2 certification through a third-party audit.

How long does it take to complete the CAIQ?
For companies with SOC 2 or ISO 27001 certification, completing CAIQ typically takes 2-4 hours. Without existing compliance certifications, expect 2-3 days of effort.

Is the CAIQ part of SOC 2 or ISO 27001?
No. CAIQ is separate from SOC 2 and ISO 27001. However, these certifications cover most of the controls CAIQ asks about, making CAIQ completion much faster for certified companies.

What is the difference between the CAIQ and the CCM?
The Cloud Controls Matrix (CCM) is the security controls framework that defines what controls should exist. CAIQ is the questionnaire that asks whether you've implemented those controls. Think of CCM as the "what" and CAIQ as the "have you done it."

Should I publish my CAIQ to the STAR Registry?
Yes, for most SaaS companies selling to enterprises. Publishing to the STAR Registry demonstrates security transparency, can reduce incoming questionnaire volume, and provides a competitive differentiator. There's no cost to register at Level 1.

How often should I update my CAIQ?
Review and update your CAIQ at least annually, or whenever you make significant changes to your security controls. Outdated answers can create compliance and sales risks.


Bastion helps SaaS companies achieve SOC 2 and ISO 27001 certifications, making security questionnaires like the CAIQ significantly easier to complete. If you're spending too much time on security questionnaires or preparing for enterprise sales, let's talk.
