A prospective enterprise customer asks for evidence of your cloud security controls. You could spend days filling out a bespoke security questionnaire, or you could point them to a completed Consensus Assessments Initiative Questionnaire (CAIQ) on the CSA STAR Registry. The CAIQ is a standardised security questionnaire developed by the Cloud Security Alliance (CSA) that maps directly to the Cloud Controls Matrix (CCM). It provides a structured, publicly verifiable way for cloud service providers to document their security posture. This guide explains what the CAIQ is, how it relates to CSA STAR, and how to complete it efficiently.
What Is the CAIQ?
The CAIQ is a downloadable spreadsheet of yes-or-no questions that correspond to the controls in the CSA Cloud Controls Matrix (CCM). Each question probes a specific aspect of a cloud service provider’s security implementation. The current version, CAIQ v4, contains 261 questions organised across the 17 security control domains defined in the CCM.
The questionnaire serves two audiences. For cloud service providers (CSPs), it provides a structured format for documenting which security controls are in place and how they are implemented. For cloud service customers, it provides a standardised way to evaluate and compare the security posture of different providers using the same criteria.
When a CSP completes the CAIQ and submits it to the CSA, the completed questionnaire is published on the STAR Registry. This achieves CSA STAR Level 1 status, the entry-level tier of the CSA STAR assurance programme. The listing is public and freely accessible, meaning any prospective customer can review the provider’s CAIQ without requesting it directly.
How the CAIQ Relates to CSA STAR and the CCM
The CAIQ does not exist in isolation. It is one component of a broader ecosystem that the Cloud Security Alliance has built around cloud security assurance.
The Cloud Controls Matrix (CCM) is the controls framework. It defines 197 control objectives across 17 security domains. The CCM specifies what controls should be in place and assigns applicability to different cloud service models (IaaS, PaaS, SaaS) and responsibility to the provider, the customer, or both.
The CAIQ translates those CCM controls into specific, answerable questions. Where the CCM says “The organisation shall implement encryption for data at rest,” the CAIQ asks “Do you encrypt data at rest? What encryption algorithms do you use? How do you manage encryption keys?” The CAIQ takes the abstract control objective and converts it into concrete yes-or-no verification points.
The CSA STAR programme is the assurance framework that uses both the CCM and the CAIQ. Completing and publishing the CAIQ on the STAR Registry achieves Level 1 (self-assessment). Level 2 involves a third-party audit against the CCM criteria. Organisations pursuing a broader cloud security certification programme should understand how the full CSA STAR programme works across all three levels.
The 17 Control Domains
The CAIQ v4 questions are organised across the same 17 domains as the CCM. Understanding these domains helps when scoping the effort required to complete the questionnaire.
- Audit and Assurance (A&A) — independent audit processes, audit planning, and compliance monitoring
- Application and Interface Security (AIS) — application security, secure development lifecycle, and API protection
- Business Continuity Management and Operational Resilience (BCR) — continuity planning, disaster recovery, and operational resilience testing
- Change Control and Configuration Management (CCC) — change management processes, configuration baselines, and unauthorised change detection
- Cryptography, Encryption, and Key Management (CEK) — encryption standards, key lifecycle management, and cryptographic controls
- Datacenter Security (DCS) — physical security of data centre facilities, environmental controls, and equipment protection
- Data Security and Privacy Lifecycle Management (DSP) — data classification, data retention, privacy controls, and data disposal
- Governance, Risk, and Compliance (GRC) — governance structures, risk management frameworks, and regulatory compliance processes
- Human Resources Security (HRS) — screening, training, security awareness, and termination procedures
- Identity and Access Management (IAM) — authentication, authorisation, privileged access management, and identity lifecycle
- Interoperability and Portability (IPY) — data portability, API interoperability, and vendor lock-in prevention
- Infrastructure and Virtualisation Security (IVS) — network security, virtualisation hardening, and segmentation controls
- Logging and Monitoring (LOG) — event logging, security monitoring, and log management
- Security Incident Management, E-Discovery, and Cloud Forensics (SEF) — incident response, evidence preservation, and forensic investigation
- Supply Chain Management, Transparency, and Accountability (STA) — third-party risk management, supply chain security, and transparency reporting
- Threat and Vulnerability Management (TVM) — vulnerability scanning, penetration testing, and threat intelligence
- Universal Endpoint Management (UEM) — endpoint security, mobile device management, and endpoint detection
Not every domain will be equally relevant to every organisation. A SaaS provider, for example, will have extensive answers in the Application and Interface Security and Identity and Access Management domains but may have lighter coverage in Datacenter Security if the underlying infrastructure is managed by a hyperscale cloud provider.
How to Complete the CAIQ
Completing the CAIQ is a documentation exercise, not a technical implementation project. The questionnaire asks whether controls exist and how they are implemented. It does not require the organisation to build new controls specifically for the CAIQ.
Step 1: Download the Questionnaire
The CAIQ v4 is available as a free download from the CSA website. The download includes both the CCM (for reference) and the CAIQ spreadsheet. Use the version designated for STAR Level 1 submission if the goal is to publish on the Registry.
Step 2: Assign Ownership
The 261 questions span security, operations, legal, HR, and infrastructure. No single person has the knowledge to answer all of them accurately. Assign domain owners based on the 17 control domains. Typical ownership mapping includes: IT security for most technical domains, legal and compliance for governance and privacy, HR for human resources security, and facilities or the cloud provider for data centre security.
Step 3: Answer Each Question
Each question expects a yes-or-no answer with an optional explanation field. Best practice is to provide a brief explanation for every “yes” answer describing how the control is implemented, and for every “no” answer explaining why it is not applicable or what compensating controls exist. Bare yes-or-no responses without context reduce the value of the completed CAIQ for the customers who will read it.
Step 4: Review and Validate
Before submission, have the completed CAIQ reviewed by someone who was not involved in answering the questions. This catches inconsistencies, gaps, and answers that do not accurately reflect current practice. Organisations that already hold ISO 27001 certification or a SOC 2 report can cross-reference existing audit evidence to validate their CAIQ responses.
Step 5: Submit to the STAR Registry
Submit the completed CAIQ to the CSA through the STAR Registry submission process. Once accepted, the questionnaire is published publicly. The listing must be updated annually to remain current.
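As an added example that is not part of this guide or of CSA's own tooling, the lint pass below runs over a CAIQ export and mechanises two of the checks above: the Step 3 practice of an explanation behind every yes and every no, and the Step 4 hunt for gaps (unanswered questions, answers that are neither yes nor no, and domains with nothing answered at all). The column names, question ids and rows are constructed assumptions; the real CAIQ workbook is a spreadsheet whose columns you would map to this shape first.

```python
import csv
import io

# The 17 CCM v4 domain codes that the CAIQ v4 questions are organised under.
DOMAINS = {"A&A", "AIS", "BCR", "CCC", "CEK", "DCS", "DSP", "GRC", "HRS",
           "IAM", "IPY", "IVS", "LOG", "SEF", "STA", "TVM", "UEM"}

# Constructed sample export. The column names are an assumption, not the
# CAIQ workbook's real layout; map your own export to these four columns.
SAMPLE_CSV = """question_id,domain,answer,explanation
CEK-01.1,CEK,Yes,AES-256 at rest; keys held in a managed KMS
CEK-02.1,CEK,Yes,
DCS-01.1,DCS,No,Facilities operated by the IaaS provider; see their SOC 2
IAM-03.1,IAM,,
IAM-04.1,IAM,Maybe,Partial MFA rollout
"""

def lint_caiq(csv_text):
    """Return findings: bare yes/no answers with no explanation, missing
    answers, answers that are not yes/no, unknown domain codes, and the
    domains that still have no answered question."""
    findings = {"bare": [], "missing": [], "invalid": [], "unknown_domain": [],
                "answered_domains": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        qid = row["question_id"].strip()
        domain = row["domain"].strip()
        answer = row["answer"].strip()
        explanation = row["explanation"].strip()
        if domain not in DOMAINS:
            findings["unknown_domain"].append(qid)
        if not answer:
            findings["missing"].append(qid)
            continue
        if answer.lower() not in ("yes", "no"):
            findings["invalid"].append(qid)
            continue
        findings["answered_domains"].add(domain)
        if not explanation:
            # A yes or no with no context is exactly what Step 3 warns against.
            findings["bare"].append(qid)
    findings["uncovered_domains"] = sorted(DOMAINS - findings["answered_domains"])
    return findings

if __name__ == "__main__":
    result = lint_caiq(SAMPLE_CSV)
    for key in ("bare", "missing", "invalid", "unknown_domain"):
        print(f"{key}: {result[key]}")
    print("domains with no answered question:", result["uncovered_domains"])
```

Run it against the full export before the independent review in Step 4, so the reviewer spends time on substance rather than on blanks.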
CAIQ vs CAIQ-Lite
CSA also offers CAIQ-Lite, a condensed version of the full questionnaire. CAIQ-Lite contains 124 questions compared to the 261 in the full CAIQ, while still covering all 17 control domains. It is designed for smaller organisations or for customers who need a quicker assessment of a provider’s security posture.
CAIQ-Lite is useful for initial vendor screening or for organisations that want to begin documenting their cloud security controls without committing to the full 261-question questionnaire immediately. However, only the full CAIQ qualifies for publication on the STAR Registry and CSA STAR Level 1 status.
How Long Does It Take to Complete?
The time required depends on the organisation’s existing documentation and compliance posture.
- Organisations with ISO 27001 or SOC 2: Two to four hours. Most CAIQ questions map directly to controls that are already documented and evidenced. The work is primarily translating existing documentation into the CAIQ format.
- Organisations with some controls but no formal certification: One to two days. The questions are answerable, but the documentation may need to be gathered from multiple sources and validated.
- Organisations without a formal security programme: Two to three days, plus additional time to document controls that exist in practice but have not been formally written down.
The largest variable is not the number of questions but the availability of the domain owners who need to provide answers. Coordinating input from security, IT, legal, HR, and operations teams is typically what extends the timeline.
Frequently Asked Questions
What does CAIQ stand for?
CAIQ stands for Consensus Assessments Initiative Questionnaire. It is a standardised security questionnaire developed by the Cloud Security Alliance (CSA) that maps to the Cloud Controls Matrix (CCM). The current version, CAIQ v4, contains 261 yes-or-no questions across 17 security control domains.
Is the CAIQ free?
Yes. The CAIQ v4 is available as a free download from the CSA website. Submitting the completed CAIQ to the STAR Registry for Level 1 listing is also free. There is an optional paid Valid-AI-ted submission that provides AI-powered validation of responses.
What is the difference between the CAIQ and the CCM?
The Cloud Controls Matrix (CCM) is the controls framework that defines 197 control objectives across 17 security domains. The CAIQ translates those control objectives into 261 specific yes-or-no questions. The CCM defines what controls should be in place; the CAIQ asks whether they are in place and how they are implemented.
Does completing the CAIQ give us a certification?
No. Completing the CAIQ and publishing it on the STAR Registry achieves CSA STAR Level 1 status, which is a self-assessment. It is not a certification. Certification requires a Level 2 third-party audit by an accredited certification body (ISO 27001-based) or CPA firm (SOC 2-based) that evaluates controls against the CCM.
How Copla Supports Cloud Security Assessment Programmes
Completing the CAIQ efficiently requires documented controls, organised evidence, and clear ownership across security domains. Copla’s platform tracks controls mapped to the CCM alongside ISO 27001, SOC 2, and other frameworks, so that organisations completing the CAIQ can draw directly from evidence already collected for other certifications. The structured intake process generates the policy and procedure documentation that underpins CAIQ responses, and Copla’s consultants help scope the assessment, validate answers, and coordinate the STAR Registry submission. For organisations pursuing CSA STAR Level 2, Copla supports the full audit preparation alongside the base ISO 27001 or SOC 2 certification.
Book a consultation with Copla to walk through how this would look for your team.