Complete a CAIQ online — AI-powered cloud security assessment in minutes
Need to complete a CAIQ (Consensus Assessments Initiative Questionnaire) online? Upload your SOC 2, submit the CAIQ, and get source-cited answers for 260+ cloud security questions.

Your prospect's security team just sent a CAIQ — the Cloud Security Alliance's 260+ question assessment for cloud service providers. Every question needs a Yes/No/NA answer plus a detailed description with evidence references.
If you're a SaaS company selling to enterprise, you'll see this questionnaire a lot. Here's how to complete it online in minutes instead of hours.
What is the CAIQ?
The CAIQ (Consensus Assessments Initiative Questionnaire) is published by the Cloud Security Alliance (CSA). It maps to the CSA Cloud Controls Matrix (CCM) and covers 17 security domains specific to cloud service providers.
Key facts:
- ~260 questions across 17 domains
- Each question has a Control ID (e.g., AIS-01, DSP-04)
- Response format: Yes / No / Not Applicable + free-text description
- Most questions expect an evidence reference (policy name, SOC 2 section, etc.)
- Standard Excel format — same structure across all implementations
If you've completed a SOC 2, you already have answers to 70–80% of CAIQ questions. The overlap is significant because both frameworks cover access control, encryption, incident response, and operational security.
The 17 CAIQ domains
| Code | Domain | SOC 2 overlap |
|---|---|---|
| AIS | Application & Interface Security | High |
| BCR | Business Continuity & Operational Resilience | High |
| CCC | Change Control & Configuration Mgmt | High |
| CEK | Cryptography, Encryption & Key Mgmt | High |
| DSP | Data Security & Privacy | High |
| GRC | Governance, Risk & Compliance | High |
| HRS | Human Resources | Medium |
| IAM | Identity & Access Management | High |
| IPY | Interoperability & Portability | Low |
| IVS | Infrastructure & Virtualization Security | High |
| LOG | Logging & Monitoring | High |
| SEF | Security Incident Mgmt, E-Discovery & Forensics | High |
| STA | Supply Chain Mgmt, Transparency & Accountability | Medium |
| TVM | Threat & Vulnerability Management | High |
| UEM | Universal Endpoint Management | Medium |
| A&A | Audit & Assurance | High |
| DCS | Datacenter Security | Medium (if cloud-hosted) |
Domains with "High" SOC 2 overlap are almost entirely auto-fillable if you've uploaded your SOC 2 report.
How to complete a CAIQ online: Step by step
1. Upload your knowledge base (10 minutes, one-time)
For a CAIQ, the highest-value documents are:
- SOC 2 Type II report — Covers 70–80% of CAIQ questions directly
- Information Security Policy — Fills gaps in AIS, DSP, IAM domains
- Encryption / Key Management documentation — Critical for CEK domain
- Incident Response Plan — Covers SEF domain
- Business Continuity Plan — Covers BCR domain
Upload these to FillBase — drag and drop, processing takes about 30 seconds per document.
2. Submit the CAIQ Excel file (1 minute)
Upload the CAIQ spreadsheet. FillBase recognizes the CSA's standard format — it maps Control IDs, parses Yes/No/NA columns, and identifies the description field for each question.
3. Review auto-generated answers (10–15 minutes)
For each CAIQ question, you'll see:
- Yes/No/NA classification — Based on what your documents say you do
- Description — A detailed answer citing the specific source document and section
- Control ID mapping — Linked to the CCM control for context
Typical breakdown with a good knowledge base:
- ~180 questions (70%) — High confidence, auto-approved. Source-cited, ready to go.
- ~50 questions (20%) — Medium confidence. Usually needs a quick verification — the AI found relevant info but wants you to confirm a detail.
- ~30 questions (10%) — Flagged for input. Questions about specific tooling, vendor names, or metrics not in your documents.
4. Export and submit (1 minute)
Export in CAIQ Excel format with all fields populated — Control IDs, Yes/No/NA, descriptions, evidence references. Submit to the prospect or upload to the CSA STAR Registry if applicable.
CAIQ-specific advantages of automation
The CAIQ is highly repetitive. Many controls ask the same underlying question across different domains. "Do you encrypt data at rest?" appears in CEK and DSP. "Do you have a formal policy?" appears in nearly every domain. AI catches these overlaps and ensures consistent answers.
Evidence references are built-in. The CAIQ expects you to cite evidence for every control. Manually, this means cross-referencing your SOC 2 report page-by-page. With FillBase, source citations are generated automatically — "SOC 2 Type II, Control CC6.1" or "Information Security Policy, Section 4.3."
CSA STAR Registry submission. If you publish your CAIQ to the CSA STAR Registry (which many enterprise buyers check before even sending a questionnaire), having source-cited, consistent answers builds trust. Publish once, reduce future CAIQ requests by 30–50%.
CAIQ vs. other questionnaires
Not sure if you're looking at a CAIQ or something else? Here's a quick comparison:
| | CAIQ | SIG Core | Custom DDQ |
|---|---|---|---|
| Questions | ~260 | 800+ | 50–300 |
| Format | Standardized Excel | Standardized Excel | Varies wildly |
| Answer type | Yes/No/NA + description | Free text | Free text |
| Cloud-specific | Yes | Partially | Depends |
| Auto-fill accuracy | Very high (standardized) | High | Medium-high |
For a detailed breakdown of all three types, see our CAIQ vs SIG vs Custom DDQ comparison.
Frequently asked questions
Can I complete a CAIQ online for free? Yes. FillBase's free tier covers 200 requirements per month. A standard CAIQ (~260 questions) slightly exceeds this, but you can start with the free tier and upgrade to Starter ($149/mo) for the full questionnaire.
How accurate are AI-generated CAIQ answers? With a SOC 2 report and 3–4 policies uploaded, expect 85–92% accuracy. The CAIQ's standardized format means the AI can map questions to controls reliably. After your first completed CAIQ with corrections fed back, accuracy reaches 90–95%.
Does FillBase support CAIQ v4? Yes. FillBase parses the CAIQ structure dynamically — it works with v3, v4, and custom-modified versions.
What if my prospect modified the CAIQ with additional questions? Custom additions are treated as regular DDQ questions and matched against your knowledge base. The standard CAIQ questions are still handled with the same high accuracy.
Should I publish my CAIQ to the CSA STAR Registry? If you sell to enterprises that care about cloud security (most SaaS B2B), yes. It reduces inbound CAIQ requests and signals security maturity. FillBase exports in the format the registry accepts.
Get your CAIQ done today
You don't need to spend a full day on 260 questions you've probably answered before in different formats. Sign up for FillBase, upload your SOC 2, and complete your CAIQ online in one sitting.
Your answers carry over to every future questionnaire — SIG, DDQ, or security questionnaire.

