
CAIQ Questionnaire Explained: What It Covers, What It Misses, and How Vendor Teams Use It
Best Practices | May 5, 2026

The CAIQ tells you whether a cloud vendor's security controls are configured correctly. It does not tell you whether that vendor will still exist in 18 months. Here is how the questionnaire works, what the 17 control domains actually cover, and where vendor risk programs go wrong when they treat it as a complete due diligence process.

The CAIQ is a self-assessment questionnaire produced by the Cloud Security Alliance. Procurement and vendor risk teams send it to cloud vendors to evaluate security controls. The vendor fills it out. You review the responses and decide whether the vendor passes your security assessment. The workflow is standard enough that most enterprise cloud vendors have a CAIQ response ready to share.

It is a useful tool within a specific scope. That scope is narrower than most vendor risk programs assume when they treat a completed CAIQ as a finished assessment.

What CAIQ Stands For

CAIQ stands for Consensus Assessments Initiative Questionnaire. The Cloud Security Alliance (CSA), a nonprofit that sets standards for cloud security, created it to give organizations a standardized way to evaluate cloud service providers against the Cloud Controls Matrix (CCM). The CCM maps cloud security controls to major compliance frameworks including ISO 27001, NIST 800-53, SOC 2, and GDPR.

The current version, CAIQ v4, aligns with CCM v4 and covers 17 control domains. For each domain, the questionnaire asks the vendor whether specific controls are in place and how they are implemented. Vendors self-certify their responses. No independent auditor verifies the answers unless the vendor separately holds a third-party certification like SOC 2 Type II or ISO 27001.

Where CAIQ Responses Live

The CSA maintains the STAR (Security, Trust, Assurance, and Risk) registry, a public database of vendor CAIQ submissions. Before sending a CAIQ to a vendor, check the registry first. Major cloud vendors including AWS, Google Cloud, Microsoft Azure, Salesforce, and many SaaS providers have published responses there. If your vendor's submission is current and publicly posted, you skip the collection process entirely.

STAR has two submission levels. Level 1 is a self-assessment: the vendor submits their CAIQ responses and they are publicly listed. Level 2 requires independent attestation aligned to SOC 2 Type II or ISO 27001 certifications. For high-criticality cloud vendors, Level 2 submissions are worth requiring. Someone outside the vendor has reviewed the claims.

CAIQ vs. SIG: When to Use Which

The SIG (Standardized Information Gathering questionnaire, from Shared Assessments) is broader. It covers IT operations, business continuity, privacy, physical security, and compliance in addition to cyber controls. The CAIQ focuses specifically on cloud security against the CCM framework.

The choice comes down to vendor type:

  • Use the SIG questionnaire for broad operational risk assessment across vendor categories, or where privacy, business continuity, and physical security matter alongside cyber
  • Use the CAIQ for cloud service providers where you want a cloud-specific security controls evaluation
  • Use both for SaaS vendors with significant data exposure and complex cloud architecture

Neither questionnaire was built to assess vendor financial health. That is a gap both instruments share, and it is the gap that causes the most preventable supply chain disruptions.

What the CAIQ Covers: The 17 Control Domains

CAIQ v4 maps to 17 CCM v4 control domains. The full list:

  • Application and Interface Security
  • Audit Assurance and Compliance
  • Business Continuity Management and Operational Resilience
  • Change Control and Configuration Management
  • Cryptography, Encryption and Key Management
  • Data Center Security
  • Data Security and Privacy Lifecycle Management
  • Governance, Risk and Compliance
  • Human Resources
  • Identity and Access Management
  • Infrastructure and Virtualization Security
  • Interoperability and Portability
  • Logging and Monitoring
  • Security Incident Management, E-Discovery and Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management
  • Universal Endpoint Management

Within each domain, the vendor responds yes or no to specific controls and can add implementation notes. A thoughtful CAIQ response includes references to relevant certifications or audit reports. A fast CAIQ response is a column of yes answers with no supporting evidence, which tells you much less than it appears to.
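One way to triage a response before a full read-through, as an added example that is not part of the original article or any CSA tooling: it parses a constructed CSV in the rough shape of a CAIQ export (question ids prefixed with the CCM domain acronym, a Yes/No/NA answer, an implementation note), counts answers per domain, and flags domains whose Yes answers carry no notes and cite no audit evidence. The column names and the evidence keywords are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a CAIQ v4 export: domain acronym prefix on the
# question id, a Yes/No/NA answer, and a free-text implementation note. Not real vendor data.
SAMPLE_CAIQ_CSV = """question_id,answer,implementation_note
IAM-01.1,Yes,MFA enforced for all console access; see SOC 2 Type II report section CC6.1
IAM-02.1,Yes,
IAM-03.1,No,Quarterly access reviews planned for Q3
LOG-01.1,Yes,
LOG-02.1,Yes,
CEK-01.1,Yes,Keys held in HSM-backed KMS; ISO 27001 certificate appendix A.10
BCR-01.1,NA,
"""

# Assumed keywords that indicate the note points at independently verifiable evidence.
EVIDENCE_HINTS = ("soc 2", "iso 27001", "report", "certificate", "audit")


def triage_caiq(csv_text):
    """Summarise a CAIQ response per domain and flag unsupported 'Yes' answers.

    Returns a dict keyed by domain acronym with answer counts, the question ids
    answered Yes with no implementation note, and an 'unsupported' flag that is
    set when every Yes in the domain lacks a note and nothing cites evidence.
    """
    domains = defaultdict(lambda: {"yes": 0, "no": 0, "na": 0,
                                   "yes_without_note": [], "cites_evidence": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = row["question_id"].split("-")[0]
        answer = row["answer"].strip().lower()
        note = row["implementation_note"].strip()
        d = domains[domain]
        if answer == "yes":
            d["yes"] += 1
            if not note:
                d["yes_without_note"].append(row["question_id"])
        elif answer == "no":
            d["no"] += 1
        else:
            d["na"] += 1
        if any(hint in note.lower() for hint in EVIDENCE_HINTS):
            d["cites_evidence"] = True
    for d in domains.values():
        all_yes_bare = d["yes"] > 0 and len(d["yes_without_note"]) == d["yes"]
        d["unsupported"] = all_yes_bare and not d["cites_evidence"]
    return dict(domains)


def unsupported_domains(csv_text):
    """Domain acronyms that need follow-up questions or audit evidence before acceptance."""
    return sorted(k for k, v in triage_caiq(csv_text).items() if v["unsupported"])
```

Domains the function flags are the ones to push back on for a SOC 2 report section or other evidence; an unflagged domain still needs a human read, since a note can exist without being meaningful.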

How to Fill Out a CAIQ Response (For Vendors)

If you are on the vendor side, filling out a CAIQ typically involves:

  1. Downloading the CAIQ spreadsheet from the CSA website or the STAR registry
  2. Working through each control with your security team to confirm whether the control is implemented
  3. Documenting implementation details for controls where additional context helps the assessor
  4. Optionally publishing the completed CAIQ to the STAR registry for future reference

A Level 1 STAR submission (self-assessment) is free to publish. A Level 2 requires third-party attestation, typically aligned with a SOC 2 Type II or ISO 27001 certification. Level 2 submissions carry more weight with enterprise procurement teams because an independent party has verified the responses.

The Limitation Most Vendor Teams Miss

A vendor can complete a perfect CAIQ and file Chapter 11 four weeks later. These two facts are unrelated. Financial health is not a cloud security control domain, and the CAIQ was never designed to surface it.

This matters because vendor risk programs that rely primarily on questionnaire compliance give procurement and finance teams false confidence. You know the vendor's access management policies are documented. You do not know whether the vendor can make payroll next quarter.

Venminder collects and reviews questionnaire responses as a managed service. OneTrust handles privacy and compliance workflows. UpGuard, SecurityScorecard, and BitSight score cyber risk posture. None of these platforms were built to monitor vendor financial trajectories. For companies with material supply chain exposure, the questionnaire layer needs to be paired with financial signal monitoring that questionnaires cannot provide.

Pairing CAIQ with Financial Due Diligence

A complete vendor risk assessment for a critical supplier combines security controls verification with ongoing financial health monitoring:

  • CAIQ or SIG: Confirms that security controls are documented and in place
  • SOC 2 Type II or ISO 27001: Provides independent verification for high-criticality vendors
  • Financial due diligence: Reviews credit data, payment history, public filings, and financial statements for signs of distress
  • Continuous monitoring: Tracks changes in financial signals between annual reviews

The annual questionnaire cycle is where most vendor risk programs stop. A vendor that was financially stable when it completed your CAIQ may look materially different 11 months later. The questionnaire captures a point in time. It does not capture a trajectory.

The vendor financial risk layer closes the gap. For any vendor where operational continuity is material, continuous vendor monitoring on financial signals is what keeps a passed questionnaire from becoming the last thing you checked before a disruption.

See the vendor financial due diligence checklist for the specific data points to gather alongside your CAIQ review. And if you are building out a broader vendor risk program, the vendor risk management overview covers how the pieces fit together.

Jordan Esbin, Founder & CEO