The CAIQ is a standardized set of yes/no questions from the Cloud Security Alliance (CSA). It gives cloud providers a consistent way to describe their security practices and lets customers review them without inventing a new questionnaire each time. It’s a common language for cloud security reviews.
Why it exists
Before the CAIQ, every buyer sent a different spreadsheet. Vendors answered near-identical questions in slightly different forms, and side-by-side comparisons were slow.
CAIQ standardizes the format so providers can answer once and share widely, and customers can evaluate on familiar ground. It is a self-assessment used for transparency and due diligence, not an audit and not a certification.
What’s inside CAIQ v4
- Question set: CAIQ v4 contains 261 yes/no questions designed to be clear and reviewable at scale.
- Mapping to CCM: Each question maps to the Cloud Controls Matrix (CCM), which currently lists 197 control objectives across 17 domains. The question count is higher because multiple questions can test one control.
- Shared Responsibility: v4 introduces explicit columns for the Security Shared Responsibility Model (SSRM). These fields identify whether the provider or the customer is accountable for an activity, reducing the ambiguity that often appears in cloud deployments.
- Machine-readable options: CAIQ/CCM packages are available in JSON, YAML, and OSCAL, which makes it easier to automate population, validation, and integration with third-party tools.
- STAR submission formats: There are two CAIQ v4 flavors to know. A general reference format is useful for review and mapping. A separate STAR Level 1 format is the one used for CSA STAR registry submissions.
- AI validation: CSA offers an optional AI service, “Valid-AI-ted”, that analyzes STAR Level 1 submissions, returns automated scoring and feedback, and helps teams tighten responses. It’s optional and does not turn the CAIQ into a certification.
Who uses CAIQ, and when
Cloud service providers (IaaS, PaaS, SaaS) complete the CAIQ to describe their controls once for many customers or to publish in the STAR registry. Buyers, security leaders, compliance teams, procurement, and vendor risk managers use CAIQ responses during RFPs, onboarding, and recurring third-party risk reviews. It’s a starting point for informed conversations rather than a final verdict on risk.
What CAIQ does well, and what it doesn’t
Strengths
CAIQ replaces one-off questionnaires with a repeatable format, aligns answers to a recognized control framework (CCM), and makes reviews faster and more consistent. The SSRM columns in v4 also clarify who does what, which helps prevent gaps in cloud responsibility.
Limits
CAIQ is self-reported. It does not provide independent assurance and is not a certification. Many “yes/no” answers warrant follow-up to understand scope, evidence, and exceptions. Without automation, large questionnaires can still take time and invite inconsistencies.
CAIQ vs. SIG vs. SOC 2 / ISO 27001
Practical notes
Use the STAR Level 1 CAIQ file if you plan to publish to the STAR registry; the general CAIQ/CCM reference is better for internal mapping and review.
If you manage many questionnaires, consider automation: answer libraries, machine-readable packages (JSON/YAML/OSCAL), and, where helpful, CSA’s Valid-AI-ted service can reduce repetition and improve consistency. Even with automation, keep a short list of evidence references so reviewers can quickly verify key claims.
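As an added example (not CSA’s code, and not the official CAIQ/CCM package schema), a small pre-submission check over a constructed, simplified answer set: it flags answers that are not yes/no, missing SSRM ownership, and “yes” claims with no evidence reference, and counts how many questions map to each CCM control. The field names, control IDs, and question IDs are assumptions for illustration.

```python
# Added example: pre-submission consistency check for a CAIQ v4-style answer set.
# The record layout below (question_id, ccm_control, answer, ssrm_owner, evidence)
# is assumed for illustration; it is not the real CSA JSON/YAML/OSCAL schema.
from collections import Counter

VALID_ANSWERS = {"yes", "no"}                       # CAIQ questions are yes/no
VALID_OWNERS = {"CSP-owned", "CSC-owned", "Shared"}  # assumed SSRM ownership labels

# Constructed sample answers; IDs are placeholders, not real CAIQ or CCM identifiers.
SAMPLE_ANSWERS = [
    {"question_id": "Q-001", "ccm_control": "CTRL-A", "answer": "yes",
     "ssrm_owner": "CSP-owned", "evidence": "policy-doc-ref-1"},
    {"question_id": "Q-002", "ccm_control": "CTRL-A", "answer": "yes",
     "ssrm_owner": "Shared", "evidence": ""},          # claim without evidence
    {"question_id": "Q-003", "ccm_control": "CTRL-B", "answer": "partially",
     "ssrm_owner": "CSP-owned", "evidence": "x"},      # not a yes/no answer
    {"question_id": "Q-004", "ccm_control": "CTRL-B", "answer": "no",
     "ssrm_owner": "", "evidence": ""},                # SSRM ownership missing
]


def find_issues(answers):
    """Return (question_id, issue) pairs a reviewer would send back for follow-up."""
    issues = []
    seen = set()
    for a in answers:
        qid = a.get("question_id", "?")
        if qid in seen:
            issues.append((qid, "duplicate question_id"))
        seen.add(qid)
        answer = a.get("answer", "").strip().lower()
        if answer not in VALID_ANSWERS:
            issues.append((qid, "answer must be yes or no"))
        if a.get("ssrm_owner") not in VALID_OWNERS:
            issues.append((qid, "SSRM ownership not recorded"))
        # A "yes" is a control claim; reviewers verify it, so it needs a reference.
        if answer == "yes" and not a.get("evidence"):
            issues.append((qid, "'yes' answer has no evidence reference"))
    return issues


def questions_per_control(answers):
    """Count questions per mapped CCM control (several questions may test one control)."""
    return dict(Counter(a["ccm_control"] for a in answers))


if __name__ == "__main__":
    for qid, issue in find_issues(SAMPLE_ANSWERS):
        print(f"{qid}: {issue}")
    print(questions_per_control(SAMPLE_ANSWERS))
```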
Why it still matters in 2025
Cloud adoption hasn’t slowed down, and neither has the need for trust and transparency in vendor relationships.
An up-to-date CAIQ shows how a provider approaches data protection, access, infrastructure, and governance in a format buyers recognize.
Pairing CAIQ with published STAR entries, and, where appropriate, audited reports such as SOC 2 or ISO 27001, gives stakeholders a clear, layered picture of assurance.
Related terms
Cloud Controls Matrix (CCM): CSA’s control framework for cloud security. In its current release it contains 197 control objectives across 17 domains; CAIQ questions map directly to these controls.
CSA STAR (Security, Trust, Assurance, and Risk): A public registry for cloud provider self-assessments (STAR Level 1) and audited reports (higher levels). CAIQ is the standard self-assessment for Level 1.
Security Shared Responsibility Model (SSRM): A way to define which party (provider or customer) is responsible for a given control activity. CAIQ v4 includes fields to record that ownership.
Third-Party Risk Management (TPRM): The process of identifying, assessing, and managing vendor risk. CAIQ is widely used as a cloud-specific input to TPRM.
Security Questionnaire Automation: Software and workflows that centralize answers, reuse approved language, and import/export machine-readable CAIQ/CCM files to cut effort and reduce errors.
Fast facts
- CAIQ v4: 261 questions.
- CCM v4: 197 control objectives across 17 domains.
- SSRM: Explicit ownership fields in CAIQ v4.
- Formats: JSON / YAML / OSCAL available for automation.
- STAR: Use STAR Level 1 format for registry submissions.
- AI option: Valid-AI-ted provides automated feedback on STAR Level 1 submissions (optional, not a certification).