Skip to content
Glossary

CAIQ (Consensus Assessments Initiative Questionnaire)

The CAIQ (Consensus Assessments Initiative Questionnaire) is a cloud-security self-assessment from the Cloud Security Alliance (CSA), aligned to the Cloud Controls Matrix (CCM). A provider answers each control question — typically yes/no with notes — to document its security posture, and CAIQ submissions can be published in the CSA STAR registry.

Synonyms: Consensus Assessments Initiative Questionnaire, CSA CAIQ, CAIQ questionnaire

The CAIQ (Consensus Assessments Initiative Questionnaire) is a standardized questionnaire from the Cloud Security Alliance that lets a cloud provider document its security controls against the Cloud Controls Matrix (CCM). Each question maps to a specific control domain — identity, encryption, logging, supply chain, and more — and is usually answered yes/no with explanatory notes.

Because the CAIQ is control-mapped and can be published in the CSA STAR registry, it is both a customer-facing artifact and a reusable internal record. Answering it well means grounding each response in the actual control and its evidence, keeping the answers current as controls change, and reviewing sensitive responses before publication — the same discipline that keeps any security questionnaire defensible.

Frequently asked questions

How does CAIQ relate to the Cloud Controls Matrix (CCM)?
The CAIQ is the question form of the CCM: each CAIQ question maps to a CCM control, so answering the CAIQ documents how a provider meets the CCM's cloud-security control domains. They are maintained together by the Cloud Security Alliance.
What is the CSA STAR registry?
STAR (Security, Trust, Assurance and Risk) is the CSA's public registry where cloud providers can publish completed CAIQ self-assessments (and higher assurance levels). A published CAIQ lets customers review a provider's posture without sending a bespoke questionnaire.