CAIQ vs SIG vs custom DDQ — What's the difference?
CAIQ, SIG, and custom DDQs explained. Learn the differences between security questionnaire types, when you'll encounter each one, and how to handle them efficiently.

You're about to close an enterprise deal and the prospect's security team sends over a "questionnaire." But which one? A CAIQ? A SIG? A custom DDQ? Something else entirely?
Here's a clear breakdown of what each one is, when you'll encounter it, and how to handle it.
The three main types
CAIQ (Consensus Assessments Initiative Questionnaire)
The CAIQ is the most structured of the three. Each question has a Control ID (e.g., AIS-01), and your answer is typically "Yes," "No," or "Not Applicable" with a description.
Example CAIQ question:
AIS-04: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: Yes
Description: We use Snyk for SAST integrated into our CI/CD pipeline. All pull requests require a passing security scan before merge. Annual DAST performed by [vendor]. Ref: SOC 2 CC8.1.
SIG (Standardized Information Gathering)
The SIG is the beast. It's the most thorough standardized questionnaire and covers 19 domains. If a prospect sends you a SIG Core, clear your calendar.
The good news: most companies use SIG Lite for initial assessments and only request SIG Core for high-risk vendors.
Custom DDQ (due diligence questionnaire)
Custom DDQs are the wild card. Some are well-structured. Others look like someone dumped a CAIQ, half a SIG, and some questions from a compliance blog into a Word document.
Side-by-side comparison
| | CAIQ | SIG Lite | SIG Core | Custom DDQ |
|---|---|---|---|---|
| Questions | ~260 | ~200 | 800+ | 20–500 |
| Format | Standardized Excel | Standardized Excel | Standardized Excel | Anything |
| Time (manual) | 3–6 hours | 4–8 hours | 20–40 hours | 1–15 hours |
| Time (automated) | 15–30 min | 15–30 min | 1–2 hours | 10–60 min |
| Overlap with SOC 2 | ~75% | ~80% | ~70% | ~60% |
| Standardized | Yes | Yes | Yes | No |
| Common in | Cloud/SaaS sales | Financial services | Financial, healthcare | Everywhere |
The overlap problem (and opportunity)
Here's what most people don't realize: 70–80% of questions overlap across all three formats. They just phrase them differently.
- CAIQ asks: "Do you encrypt data at rest using industry-accepted algorithms?"
- SIG asks: "Describe the encryption mechanisms used for stored data."
- Custom DDQ asks: "What encryption do you use? Describe."
Same question. Three formats. If you're manually answering each one from scratch, you're doing triple the work for the same information.
This is exactly why a centralized knowledge base matters. Answer the core question once with a source citation, and it maps to all three formats automatically.
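As an added illustration of that mapping (example code written for this article, not code from the page or from any questionnaire tool it mentions): a small Python knowledge base that matches the three encryption phrasings above to one canonical, source-cited entry by keyword overlap, renders it in the target format, and sends anything unmatched to a human reviewer instead of guessing. The entries, keyword lists, stop words and threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class KbEntry:
    topic: str            # canonical control, answered once
    keywords: set         # terms that identify the question regardless of phrasing
    answer: str           # the narrative answer, written once
    source: str           # citation so a reviewer can verify the claim
    applies: bool = True  # False renders as "Not Applicable" in CAIQ

# Constructed knowledge base entries (assumptions, not real policy text).
KB = [
    KbEntry("encryption-at-rest",
            {"encrypt", "encryption", "rest", "stored", "storage", "data"},
            "Customer data at rest is encrypted with AES-256 using managed KMS keys.",
            "Cryptography Policy v3; SOC 2 CC6.1"),
    KbEntry("sast",
            {"source", "code", "analysis", "static", "sast", "defects", "scan"},
            "SAST runs on every pull request in CI; merging requires a passing scan.",
            "Secure SDLC Policy; SOC 2 CC8.1"),
]

# Filler words shared by question stems across formats; ignored when matching.
STOP = {"do", "you", "the", "for", "what", "describe", "use", "used", "using",
        "your", "a", "an", "of", "at", "to", "in", "is", "are"}

def tokens(text):
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP}

def match(question, kb=KB, threshold=0.4):
    """Best KB entry by keyword overlap (share of the smaller set), or (None, 0.0)."""
    q = tokens(question)
    best, best_score = None, 0.0
    for entry in kb:
        score = len(q & entry.keywords) / min(len(q), len(entry.keywords)) if q else 0.0
        if score > best_score:
            best, best_score = entry, score
    return (best, best_score) if best_score >= threshold else (None, 0.0)

def render(question, fmt, kb=KB):
    """Answer in the questionnaire's own shape; unmatched questions go to a human."""
    entry, _ = match(question, kb)
    if entry is None:
        return {"status": "needs_review", "reason": "no knowledge base match"}
    text = f"{entry.answer} Ref: {entry.source}"
    if fmt == "caiq":  # CAIQ wants Yes/No/Not Applicable plus a description column
        return {"topic": entry.topic, "answer": "Yes" if entry.applies else "Not Applicable",
                "description": text}
    return {"topic": entry.topic, "answer": text}  # SIG and custom DDQs take narrative text
```

The "needs_review" path is the important one in practice: a matcher that always returns something will quietly put a wrong, cited answer into a questionnaire.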
Which one will you encounter?
If you sell to:
- Tech companies (B2B SaaS) → Mostly custom DDQs, occasional CAIQ
- Financial services → SIG (Lite or Core), custom DDQs
- Healthcare → Custom DDQs with HIPAA focus, occasional SIG
- Government → Custom questionnaires, FedRAMP-related
- Retail / e-commerce → Custom DDQs, PCI DSS focus
If your company is:
- Pre-SOC 2 → You'll mostly get custom DDQs (buyers know you're early)
- SOC 2 Type I/II → All three. SOC 2 is the baseline, questionnaires go deeper.
- ISO 27001 + SOC 2 → Still all three, but you'll have more answers ready.
How to handle any questionnaire fast
- Build your knowledge base once — SOC 2 report + 5 core policies + 3 past questionnaires = 80% coverage
- Use the overlap — An answer to a CAIQ question works for the SIG equivalent and vice versa
- Standardize your evidence — Keep policy documents, pen test summaries, and architecture diagrams up to date
- Automate the repetitive parts — Tools like FillBase handle format detection, question matching, and source-cited response generation across all three types
The format doesn't matter if your knowledge base is solid. Whether it's a CAIQ, SIG, or a custom DDQ written in a Google Doc, the answers come from the same source documents.

