Key Takeaways
- CAIQ is a standardised security questionnaire created by the Cloud Security Alliance (CSA) that cloud service providers complete to document their security posture across 17 control domains.
- The current version (CAIQ v4) contains 261 questions mapped directly to the Cloud Controls Matrix (CCM) v4, covering everything from encryption and identity management to supply chain and interoperability.
- Thousands of organisations have published CAIQ self-assessments on the CSA STAR Registry, making it one of the most widely adopted cloud security frameworks globally.
- Completing a CAIQ proactively can replace dozens of bespoke security questionnaires from prospects, saving days per deal cycle.
- CAIQ is free to complete and publish, and it serves as Level 1 (self-assessment) of the three-tier CSA STAR certification programme.
Another prospect, another spreadsheet, another week of your CTO’s time disappearing into a security review. Sound familiar? If you have been through a few B2B SaaS sales cycles, you already know the drill: a deal is moving, momentum is building, and then procurement drops a 200-question spreadsheet on you like a cold bucket of water.
The Consensus Assessments Initiative Questionnaire (CAIQ) exists to break that cycle. It is a standardised set of 261 yes-or-no security questions, published by the Cloud Security Alliance (CSA), that cloud service providers use to document how they meet specific security controls. If your SaaS company sells to enterprises or mid-market buyers who care about cloud security, you will encounter the CAIQ either as a direct request from a prospect or as the foundation for their own vendor risk assessment.
Here is the thing that makes the CAIQ different from the usual spreadsheet hell: you complete it once, publish it on the CSA STAR Registry, and suddenly your buyers can find your answers before they even ask for them. No more scrambling. No more “can you get this back to us by Friday?” emails at 4pm on a Wednesday.
The commercial stakes are real. Security reviews are already one of the biggest bottlenecks in B2B SaaS sales. According to Vanta’s 2024 State of Trust Report, up to 67% of companies report that security reviews slow down their sales cycles. A published CAIQ self-assessment gives your buyers something they already recognise and trust - and it can shave days off your deal timeline.
When I was co-founder and CTO at Progression, answering bespoke security questionnaires was one of my biggest time sinks. The thing nobody told me was that half the questions I was answering manually were already covered by standardised frameworks like the CAIQ. I just did not know where to start. This guide is the one I wish I had back then.
How CAIQ Fits Into the CSA STAR Programme
The CAIQ does not exist in isolation. It is one component of the CSA’s Security, Trust, Assurance, and Risk (STAR) programme, which provides a tiered approach to cloud security assurance.
The Three Levels of CSA STAR
| Level | Type | What It Involves | Cost |
|---|---|---|---|
| Level 1 | Self-Assessment | Complete the CAIQ and publish it on the STAR Registry | Free |
| Level 2 | Third-Party Audit | Independent audit against CCM controls (can be combined with SOC 2 or ISO 27001) | Paid (auditor fees) |
| Level 3 | Continuous Monitoring | Ongoing automated assessment of cloud security controls | Paid (tool and auditor fees) |
For most early-to-growth-stage SaaS companies, Level 1 is the sweet spot. It is free, self-serve, and immediately publishable. You complete the CAIQ spreadsheet, submit it to CSA, and your answers appear on the publicly searchable STAR Registry. Your prospects can look you up before they even send their own questionnaire.
Level 2 becomes relevant when enterprise buyers require third-party validation. The CSA STAR Certification (Level 2) can be bundled with a SOC 2 Type II or ISO 27001 audit, which means your auditor assesses CCM controls alongside the standard audit scope. If you are already pursuing SOC 2 or ISO 27001, adding the STAR certification is incremental rather than a separate workstream.
What the CAIQ Actually Covers: The 17 CCM Domains
The CAIQ is structured around the Cloud Controls Matrix (CCM) v4.0, the CSA’s control framework for cloud computing. Each question in the CAIQ maps directly to a specific CCM control, which means completing the CAIQ simultaneously documents your alignment with the CCM.
The 17 control domains are:
- Audit & Assurance (A&A) - Internal and external audit processes
- Application & Interface Security (AIS) - Secure software development and API security
- Business Continuity Management & Operational Resilience (BCR) - Disaster recovery, backup, and resilience planning
- Change Control & Configuration Management (CCC) - Change management processes
- Cryptography, Encryption & Key Management (CEK) - Encryption standards and key lifecycle
- Datacenter Security (DCS) - Physical security controls
- Data Security & Privacy Lifecycle Management (DSP) - Data classification, retention, and privacy
- Governance, Risk & Compliance (GRC) - Policy management and risk frameworks
- Human Resources (HRS) - Background checks, training, and termination procedures
- Identity & Access Management (IAM) - Authentication, authorisation, and access controls
- Interoperability & Portability (IPY) - Data portability and vendor lock-in prevention
- Infrastructure & Virtualisation Security (IVS) - Network and virtualisation controls
- Logging & Monitoring (LOG) - Audit logging and monitoring capabilities
- Security Incident Management (SEF) - Incident response procedures
- Supply Chain Management, Transparency & Accountability (STA) - Third-party risk management
- Threat & Vulnerability Management (TVM) - Vulnerability scanning and patching
- Universal Endpoint Management (UEM) - Device management and endpoint security
Each domain contains between 5 and 30 questions. The format is straightforward: a yes/no answer followed by a free-text field where you describe how you meet the control. The free-text field is where the real work happens. A bare “yes” without context is technically valid but commercially useless. Buyers want to see specifics: which tools you use, what policies govern the control, and how you verify compliance.
The CAIQ Completion Framework: A 5-Step Process
Completing 261 questions sounds daunting. In practice, most SaaS companies can get through a CAIQ in one to two focused days if they approach it systematically. Here is a repeatable process.
Step 1: Download the Current Template
Grab the CAIQ v4.0 spreadsheet from the CSA’s official downloads page. It comes as an Excel file with each domain on a separate tab. Do not use an outdated version - the jump from v3.1 to v4 restructured the entire questionnaire.
Step 2: Map Your Existing Policies
Before answering a single question, inventory what you already have. If you have completed SOC 2 or ISO 27001, most of the evidence already exists. Map your existing policies, procedures, and audit artefacts to the 17 CCM domains. You will typically find that 60-70% of the questions are already addressed by documentation you have on hand.
Step 3: Draft Answers With Citations
For each question, provide a yes/no answer and a concise explanation that references the specific policy or control. For example, under CEK (Cryptography), instead of writing “Yes, we encrypt data at rest,” write “Yes. All data at rest is encrypted using AES-256. Key management is handled via AWS KMS with automatic annual rotation. See our Encryption Policy, Section 3.2.”
This level of specificity is what separates a CAIQ that accelerates deals from one that generates follow-up questions.
Step 4: Internal Review
Have your engineering lead or security-aware team member review the completed CAIQ for accuracy. The biggest risk is not getting a question wrong - it is overstating a control that does not actually exist in practice. If a buyer later discovers a discrepancy, trust evaporates.
Step 5: Publish to the STAR Registry
Submit your completed CAIQ to the CSA for publication. The process is straightforward: create a CSA account, upload your completed spreadsheet, and submit. Once approved, your self-assessment is publicly visible and searchable. This means your next prospect might find your answers before they even ask for them.
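The five steps above lend themselves to a small pre-review check. The script below is an added example, not CSA or ResponseHub tooling, and it assumes you have exported the completed spreadsheet to CSV with `question_id`, `answer` and `explanation` columns. The question IDs, answer text and policy inventory are constructed samples using the 17 CCM domain acronyms listed earlier; the citation pattern and the 40-character threshold for a "bare yes" are assumptions you would tune to your own policy naming. It covers Step 2 (which domains have no policy mapped to them yet), Step 3 (does every "Yes" cite a policy and section) and the Step 4 review lens (does any answer leak an IP address or internal hostname that has no place in a public self-assessment).

```python
"""Lint a completed CAIQ export before internal review and STAR publication.

Added example, not CSA tooling. Assumes a CSV export with the columns
question_id, answer, explanation. All sample data below is constructed.
"""
import csv
import io
import re
from collections import defaultdict

# The 17 CCM v4 domain acronyms, used as question-ID prefixes (e.g. "CEK-03.1").
CCM_DOMAINS = {
    "A&A", "AIS", "BCR", "CCC", "CEK", "DCS", "DSP", "GRC", "HRS",
    "IAM", "IPY", "IVS", "LOG", "SEF", "STA", "TVM", "UEM",
}
VALID_ANSWERS = {"yes", "no", "na"}
MIN_EXPLANATION_CHARS = 40  # assumed threshold: shorter "Yes" answers are treated as bare

# Assumed citation shape: a named policy/procedure followed by a section reference.
CITATION_RE = re.compile(
    r"\b(?:policy|procedure|standard|runbook)\b.*?(?:\bsection\b|\b\d+\.\d+)", re.I)
# Implementation specifics that should not appear in a public answer.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+\.(?:internal|local|corp)\b", re.I)

# Constructed sample export (header on the first line so csv.DictReader reads it).
SAMPLE_CSV = """question_id,answer,explanation
CEK-03.1,Yes,"All data at rest is encrypted using AES-256. Keys are managed in AWS KMS with automatic annual rotation. See Encryption Policy, Section 3.2."
IAM-04.1,Yes,"Yes."
LOG-05.1,Yes,"Logs are shipped from 10.20.30.40 to the SIEM for retention. See Logging Standard, Section 2."
IPY-01.1,No,""
HRS-02.1,Maybe,"Background checks are run by a vendor."
XYZ-01.1,Yes,"Vulnerability scans run weekly against all hosts and findings are triaged by severity. See Patching Policy, Section 4."
"""

# Constructed Step 2 inventory: existing policy -> CCM domains it evidences.
SAMPLE_INVENTORY = {
    "Encryption Policy": ["CEK"],
    "Access Control Policy": ["IAM", "UEM"],
    "Incident Response Plan": ["SEF", "LOG"],
    "Vendor Management Policy": ["STA"],
}


def parse_caiq_csv(text):
    """Parse an exported CAIQ sheet into (question_id, answer, explanation) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["question_id"].strip(), r["answer"].strip(), r["explanation"].strip())
            for r in reader]


def domain_of(question_id):
    """'CEK-03.1' -> 'CEK'; 'A&A-01.1' -> 'A&A'."""
    return question_id.rsplit("-", 1)[0]


def evidence_gaps(policy_inventory):
    """Step 2: CCM domains that no existing policy is mapped to yet."""
    covered = set()
    for domains in policy_inventory.values():
        covered.update(domains)
    return sorted(CCM_DOMAINS - covered)


def lint_answers(rows):
    """Steps 3 and 4: return (question_id, code, message) findings for weak answers."""
    findings = []
    for qid, answer, explanation in rows:
        if domain_of(qid) not in CCM_DOMAINS:
            findings.append((qid, "unknown-domain",
                             f"{domain_of(qid)} is not a CCM v4 domain prefix"))
        norm = answer.lower()
        if norm not in VALID_ANSWERS:
            findings.append((qid, "invalid-answer",
                             f"answer must be Yes/No/NA, got {answer!r}"))
            continue
        if norm == "yes" and (len(explanation) < MIN_EXPLANATION_CHARS
                              or not CITATION_RE.search(explanation)):
            findings.append((qid, "missing-citation",
                             "a 'Yes' needs specifics and a policy/section citation"))
        elif norm == "no" and not explanation:
            findings.append((qid, "no-without-rationale",
                             "a 'No' should say why and name any compensating control"))
        if IPV4_RE.search(explanation) or INTERNAL_HOST_RE.search(explanation):
            findings.append((qid, "implementation-detail",
                             "contains an IP address or internal hostname; keep the answer at policy level"))
    return findings


def coverage_by_domain(rows):
    """Per-domain count of valid answers and of 'Yes' answers."""
    cov = defaultdict(lambda: {"answered": 0, "yes": 0})
    for qid, answer, _ in rows:
        norm = answer.lower()
        if norm not in VALID_ANSWERS:
            continue
        cov[domain_of(qid)]["answered"] += 1
        if norm == "yes":
            cov[domain_of(qid)]["yes"] += 1
    return dict(cov)


if __name__ == "__main__":
    rows = parse_caiq_csv(SAMPLE_CSV)
    print("Domains with no mapped policy:", ", ".join(evidence_gaps(SAMPLE_INVENTORY)))
    for qid, code, msg in lint_answers(rows):
        print(f"{qid:10} {code:22} {msg}")
    for domain, counts in sorted(coverage_by_domain(rows).items()):
        print(f"{domain}: {counts['yes']}/{counts['answered']} answered Yes")
```

Run it against the real export after Step 3 and treat every `missing-citation` finding as a question that will generate a follow-up from a buyer; the `implementation-detail` findings are the ones to resolve before the sheet leaves your organisation.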
CAIQ vs. Other Common Security Questionnaires
The CAIQ is not the only standardised questionnaire your team will encounter. Here is how it compares to the other frameworks that show up regularly in B2B SaaS sales cycles.
| Framework | Creator | Question Count | Focus | Cost | Public Registry |
|---|---|---|---|---|---|
| CAIQ v4 | Cloud Security Alliance | 261 | Cloud-specific security controls | Free | Yes (STAR Registry) |
| SIG (Lite/Core) | Shared Assessments | 170 (Lite) / 850+ (Core) | Broad third-party risk | Membership required | No |
| VSAQ | Google | ~100 | Web application security | Free | No |
| Custom questionnaires | Individual buyers | 50-500+ | Varies wildly | N/A | No |
The CAIQ’s biggest advantage is standardisation combined with public visibility. When you publish on the STAR Registry, you create a reusable asset that satisfies multiple buyers simultaneously. A SIG assessment stays locked in a single vendor relationship. A custom questionnaire helps exactly one deal.
That said, completing a CAIQ does not eliminate custom questionnaires entirely. Many enterprise buyers have their own templates with organisation-specific questions. But a published CAIQ gives your sales team a strong starting position: “Here’s our CAIQ on the STAR Registry. Happy to address any additional questions your template covers beyond the CCM scope.”
Why Enterprise Buyers Trust the CAIQ
The CAIQ carries weight with procurement and security teams for a few specific reasons that are worth understanding if you are deciding whether to invest the time.
It is backed by an independent standards body. The Cloud Security Alliance is a major industry consortium with significant membership from enterprises and cloud providers (AWS, Azure, Google Cloud are all corporate members). When a buyer sees a CAIQ, they know the questions were designed by an industry body, not by the vendor trying to look good.
It maps to frameworks they already care about. The CCM v4 includes mapping to ISO 27001, NIST SP 800-53, AICPA TSC (the basis for SOC 2), and GDPR requirements. This means your CAIQ answers indirectly address controls from multiple frameworks simultaneously. The CSA publishes detailed mapping documentation showing alignment with dozens of other standards and regulations.
It is publicly verifiable. Unlike a SOC 2 report that sits behind an NDA, or a custom questionnaire response that lives in someone’s email, the STAR Registry is open. Anyone can verify your self-assessment exists without requesting anything from you. This transparency signals confidence.
It enables apples-to-apples comparison. When a procurement team evaluates three cloud vendors and all three have published CAIQs, the comparison is structured and standardised. That consistency reduces evaluation time for the buyer, which means faster decisions for you.
Where CAIQ Fits in Your Security Maturity Journey
Think of the CAIQ as a force multiplier for wherever you already are in your compliance journey.
Pre-SOC 2 / Pre-ISO 27001: The CAIQ gives you a structured framework to document what you are already doing, even before you pursue a formal audit. It is a credible, recognised artefact you can hand to buyers who are asking “what do you have?” when the answer is not yet a SOC 2 report.
Post-SOC 2 / Post-ISO 27001: If you already have a SOC 2 Type II or ISO 27001 certification, completing the CAIQ is significantly faster because most controls are already documented. Publishing it on the STAR Registry adds another layer of visibility and reduces the volume of inbound custom questionnaires.
Scaling beyond 20 security reviews per quarter: This is where automation becomes critical. Answering 261 CAIQ questions once is manageable. Answering those same questions plus 15 custom questionnaires per month is not - especially if you are a small team. Tools like ResponseHub let you build a knowledge base from your existing policies and past CAIQ responses, then auto-complete new questionnaires using AI that cites the exact policy, section, and sentence behind each answer. The first CAIQ you complete manually becomes the foundation for every future questionnaire.
The Compounding Advantage
Here is the thing about the CAIQ that most teams miss: the real value is not in the questionnaire itself. It is in what the questionnaire forces you to build.
Completing a CAIQ properly means you now have a documented, structured, referenceable knowledge base of how your organisation handles 261 distinct security controls. That knowledge base does not just serve the STAR Registry. It serves every subsequent security review, every custom questionnaire, every due diligence call, and every SOC 2 audit prep session.
I learned this the hard way. At Progression, we treated each security questionnaire as a standalone fire drill. Every new one meant starting from scratch, digging through Notion, Slack threads, and half-remembered conversations. If we had built the knowledge base first - which is exactly what the CAIQ framework pushes you to do - every subsequent response would have taken a fraction of the time.
The teams that treat the CAIQ as a one-time compliance exercise get one-time value. The teams that treat it as the foundation of a living security knowledge base get compounding returns on every hour they invest.
The gap between those two approaches widens with every new deal, every new prospect, and every new questionnaire that lands in your inbox. Start with the CAIQ, build the knowledge base, and let each response make the next one faster.
Frequently Asked Questions
Is the CAIQ mandatory for selling to enterprise customers?
No, the CAIQ is voluntary. No regulation or standard requires you to complete it. However, many enterprise procurement teams specifically ask for a CAIQ or check the CSA STAR Registry as part of their vendor evaluation process. Having one published proactively removes a friction point from the sales cycle and signals security maturity to buyers who recognise the framework.
How long does it take to complete a CAIQ from scratch?
For a typical SaaS company with existing security policies in place, expect one to two focused days of work for the initial completion. If you already have a SOC 2 report or ISO 27001 certification, much of the evidence and language can be reused, which can cut the time significantly. The ongoing maintenance effort is minimal - update your answers when policies change or at least annually.
What is the difference between CAIQ and CCM?
The Cloud Controls Matrix (CCM) is the control framework - it defines what security controls should exist. The CAIQ is the questionnaire - it asks whether and how you have implemented those controls. Think of CCM as the specification and CAIQ as the compliance checklist. Every CAIQ question maps to a specific CCM control ID.
Can I use my CAIQ responses to answer other security questionnaires?
Absolutely, and this is one of the biggest practical benefits. Because the CCM maps to ISO 27001, SOC 2 (AICPA TSC), NIST, and GDPR, your CAIQ answers provide reusable language for a large percentage of questions in other frameworks. Tools like ResponseHub can ingest your completed CAIQ and use it as source material to auto-complete future questionnaires from different frameworks - citing the exact policy and section behind each answer.
Does publishing on the STAR Registry expose sensitive information?
You control what you disclose. The CAIQ asks how you implement controls, not for specific technical configurations, IP addresses, or proprietary architecture details. Your answers should describe your approach at the policy level - “We use AES-256 encryption for data at rest” - not expose implementation specifics that would create security risk. Review your completed CAIQ with this lens before publishing.
How often should I update my CAIQ?
The CSA recommends updating your STAR Registry submission at least annually. In practice, you should also update whenever you make significant changes to your security controls, policies, or infrastructure. An outdated CAIQ can be worse than no CAIQ at all if a buyer discovers discrepancies between your published answers and your actual practices.
Stop Answering the Same Questions Twice
Your CAIQ should not live and die in a single spreadsheet. Once you have done the hard work of documenting 261 security controls, that knowledge base should work for you on every future questionnaire - CAIQ, SIG, custom, whatever lands in your inbox next. ResponseHub turns your policies and past responses into AI-powered answers that cite the exact source, so your team can blast through security reviews in hours instead of days. Get started in under 5 minutes, no sales call needed.