Security Questionnaires Explained: CAIQ, SIG, and VSA Compared
One of the most common questions we get at Agency is which security questionnaire framework a company should prepare for first. Here is what we tell clients about CAIQ, SIG, and VSA.
One of the most common questions we get at Agency is: "We keep receiving different security questionnaires from prospects, and they all look different. Which ones actually matter, and how do we prepare for all of them without losing our minds?" The answer depends on your buyer profile, but three frameworks dominate the landscape — and understanding how they differ is what separates teams that spend weeks on questionnaires from teams that turn them around in days.
If you sell software to enterprises, you will encounter security questionnaires. They are a non-negotiable part of the vendor evaluation process. But not all questionnaires are created equal. The three major standardized frameworks — the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance, the Standardized Information Gathering (SIG) questionnaire from Shared Assessments, and the Vendor Security Alliance Questionnaire (VSA) — each serve different buyer populations and evaluate different aspects of your security posture.
This guide covers what each framework includes, when you will encounter each one, how SOC 2 and ISO 27001 reports pre-answer large portions of them, and how to build a response library that lets you handle any questionnaire efficiently. We wrote this for compliance leads, sales engineers, and anyone responsible for completing security questionnaires during the sales process.
CAIQ: The Cloud Security Alliance Standard
What It Is
The Consensus Assessments Initiative Questionnaire is published by the Cloud Security Alliance (CSA) and is specifically designed to evaluate cloud service providers. The current version, CAIQ v4, contains approximately 260 questions organized across 17 control domains that align with the CSA Cloud Controls Matrix (CCM).
What we tell clients is that CAIQ is the questionnaire you will encounter most frequently when selling to organizations with mature cloud governance programs. It is particularly common among financial services firms, large technology companies, and government-adjacent buyers who rely on CSA's STAR registry to evaluate cloud vendors.
Scope and Structure
CAIQ covers the following domains:
| Domain | Focus Area | Example Questions |
|---|---|---|
| Application and Interface Security | API security, application hardening | Do you use secure coding practices? Is input validation enforced? |
| Audit Assurance and Compliance | Third-party audits, compliance monitoring | Do you undergo independent security assessments? |
| Business Continuity and Disaster Recovery | Resilience, recovery planning | What is your RTO/RPO? Do you test DR plans annually? |
| Change Control and Configuration | Change management, configuration baselines | Do you maintain configuration baselines for production? |
| Data Security and Privacy | Encryption, data classification, retention | Is data encrypted at rest and in transit? |
| Encryption and Key Management | Key lifecycle, algorithm standards | How are encryption keys managed and rotated? |
| Governance and Risk Management | Risk assessment, policy framework | Do you conduct annual risk assessments? |
| Human Resources Security | Background checks, training, termination | Do employees complete security awareness training? |
| Identity and Access Management | Authentication, access controls, MFA | Is MFA enforced for all administrative access? |
| Infrastructure and Virtualization | Network security, virtualization controls | How is network segmentation implemented? |
| Interoperability and Portability | Data portability, vendor lock-in | Can customers export their data in standard formats? |
| Mobile Security | Mobile device management, BYOD | How are mobile devices secured? |
| Security Incident Management | Detection, response, notification | What is your incident notification timeline? |
| Supply Chain Management | Vendor assessment, third-party risk | Do you assess the security of your sub-processors? |
| Threat and Vulnerability Management | Scanning, patching, penetration testing | How frequently do you conduct vulnerability scans? |
| Universal Endpoint Management | Endpoint protection, patching | Are all endpoints managed with EDR solutions? |
| Logging and Monitoring | Log collection, SIEM, alerting | Do you centralize logs and monitor for anomalies? |
When You Will Encounter It
In our experience, CAIQ appears most frequently in the following scenarios: the prospect references CSA STAR when discussing vendor security requirements, the buyer operates in a regulated industry with specific cloud governance mandates, the RFP or vendor evaluation process explicitly requests CAIQ completion, or the prospect has a cloud-first security evaluation methodology.
How SOC 2 and ISO 27001 Help
What we recommend is completing your SOC 2 and ISO 27001 certifications before tackling CAIQ in earnest. A current SOC 2 Type II report directly addresses approximately 60-70% of CAIQ questions. ISO 27001 certification covers an additional 10-15% of questions that SOC 2 may not fully address, particularly around ISMS governance, management review, and formal risk treatment processes. Combined, the two certifications pre-answer roughly 75-80% of the CAIQ.
The remaining 20-25% of questions are cloud-specific and require responses about your particular architecture, data handling practices, and operational procedures. These cannot be answered by a certification alone but can be documented once and reused across every CAIQ submission.
SIG: The Shared Assessments Standard
What It Is
The Standardized Information Gathering questionnaire is published by Shared Assessments, a member-driven organization focused on third-party risk management. SIG is the most comprehensive of the three frameworks, with the full SIG Core questionnaire containing over 800 questions across 20 risk domains. There is also a lighter version, SIG Lite, which contains approximately 250 questions and is intended for lower-risk vendor assessments.
What we tell clients is that SIG is the questionnaire you dread — and the one you cannot avoid if you sell to financial institutions, insurance companies, or large enterprises with sophisticated third-party risk management programs.
Scope and Structure
SIG goes well beyond information security. It evaluates your entire third-party risk profile:
| Domain | Focus Area | Unique to SIG? |
|---|---|---|
| Access Control | Logical and physical access | No — overlaps with CAIQ and VSA |
| Application Security | Secure development lifecycle | No — overlaps with CAIQ |
| Asset and Information Management | Data classification, asset inventory | Partially — more detailed than CAIQ |
| Business Continuity | BC/DR planning, testing, recovery | No — overlaps with CAIQ |
| Cloud Hosting Services | Cloud-specific controls | No — overlaps with CAIQ |
| Compliance Management | Regulatory adherence, audit results | Partially — broader regulatory scope |
| Cybersecurity | Threat detection, incident response | No — overlaps with CAIQ and VSA |
| Endpoint Security | Device management, EDR | No — overlaps with CAIQ |
| Enterprise Risk Management | Risk framework, risk appetite | Yes — enterprise risk beyond infosec |
| Environmental and Social | ESG practices, sustainability | Yes — unique to SIG |
| Financial Condition | Financial stability, insurance coverage | Yes — unique to SIG |
| Human Resources | Background checks, training, termination | No — overlaps with CAIQ |
| IT Operations | Change management, configuration management | No — overlaps with CAIQ |
| Network Security | Segmentation, firewalls, monitoring | No — overlaps with CAIQ |
| Nth Party Management | Sub-processor oversight, supply chain | Partially — more depth than CAIQ |
| Operational Resilience | Operational continuity beyond IT | Yes — broader than BC/DR |
| Physical Security | Facility access, environmental controls | Partially — more detail |
| Privacy | Data subject rights, privacy impact assessments | No — overlaps with CAIQ |
| Server Security | Hardening, patching, monitoring | No — overlaps with CAIQ |
| Threat Management | Vulnerability management, penetration testing | No — overlaps with CAIQ |
SIG Core vs SIG Lite
In our experience, the version you receive depends on how the buyer classifies your risk:
- SIG Core (800+ questions): Used for vendors classified as high-risk or critical — meaning you handle sensitive data, have significant system access, or your service is critical to the buyer's operations. Financial institutions almost always use SIG Core.
- SIG Lite (250 questions): Used for lower-risk vendors or as an initial screening tool. Some organizations start with SIG Lite and escalate to SIG Core based on the results.
How SOC 2 and ISO 27001 Help
A SOC 2 Type II report addresses approximately 40-50% of the SIG Core questionnaire. The coverage is lower than with CAIQ because SIG extends into domains that SOC 2 does not cover — financial condition, ESG practices, operational resilience, and enterprise risk management. ISO 27001 adds another 10-15% of coverage, particularly around ISMS governance, risk treatment, and management review.
What we recommend is mapping your SOC 2 control descriptions directly to SIG question numbers so that when you receive a SIG questionnaire, your team can immediately populate 40-50% of responses by referencing specific sections of your SOC 2 report. The remaining questions require responses about business operations, financial health, and operational practices that fall outside the scope of security certifications.
VSA: The Vendor Security Alliance Questionnaire
What It Is
The Vendor Security Alliance Questionnaire (VSA, sometimes referred to as VSAQ) was created by a coalition of technology companies — including Uber, Palantir, Dropbox, and others — to standardize the vendor security evaluation process. The current version contains approximately 100-140 questions and is designed to be concise, practical, and focused on the security controls that matter most to technology companies evaluating SaaS vendors.
What we tell clients is that VSA is the most approachable of the three frameworks. It is shorter, more focused, and increasingly common among technology companies and growth-stage enterprises that want thorough security evaluation without the overhead of SIG.
Scope and Structure
VSA focuses on seven core categories:
| Category | Focus Area | Question Count (Approximate) |
|---|---|---|
| Company Security Program | Security governance, policies, certifications | 15-20 |
| Data Protection | Encryption, classification, retention, deletion | 15-20 |
| Access Control | Authentication, authorization, access reviews | 15-20 |
| Application Security | SDLC, code review, vulnerability management | 15-20 |
| Network Security | Segmentation, monitoring, perimeter controls | 10-15 |
| Incident Response | Detection, notification, response procedures | 10-15 |
| Compliance and Audit | Certifications held, audit frequency, penetration testing | 10-15 |
When You Will Encounter It
In our experience, VSA is most common when selling to technology companies, SaaS platforms, and digitally native enterprises. These buyers tend to prefer VSA because it was designed by companies like them — the questions are relevant to SaaS evaluation rather than adapted from banking or government frameworks. VSA is also increasingly used by mid-market companies that are building vendor security programs for the first time and want a reasonable starting point.
How SOC 2 and ISO 27001 Help
A SOC 2 Type II report addresses approximately 70-80% of the VSA questionnaire. The coverage is high because VSA was designed with the SaaS security model in mind, and SOC 2 covers the same territory. ISO 27001 adds minimal incremental coverage beyond SOC 2 for VSA purposes — perhaps 5-10% — because VSA questions are operationally focused rather than governance-focused.
What we recommend is that if your buyer profile is primarily technology companies, prioritize SOC 2 and build your VSA response library from your SOC 2 control descriptions. The overlap is significant enough that a well-documented SOC 2 program makes VSA responses nearly automatic.
Side-by-Side Comparison
| Dimension | CAIQ | SIG Core | VSA |
|---|---|---|---|
| Publisher | Cloud Security Alliance | Shared Assessments | Vendor Security Alliance |
| Question count | ~260 | ~800+ | ~100-140 |
| Primary audience | Cloud-focused enterprises | Financial institutions, large enterprises | Technology companies |
| Scope | Cloud security controls | Full third-party risk (security, financial, ESG) | SaaS security fundamentals |
| SOC 2 coverage | 60-70% | 40-50% | 70-80% |
| SOC 2 + ISO 27001 coverage | 75-80% | 50-65% | 75-85% |
| Completion time (first time) | 2-3 weeks | 4-8 weeks | 1-2 weeks |
| Completion time (with library) | 2-4 days | 1-3 weeks | 1-2 days |
| Update frequency | Annual (CSA updates CCM) | Annual (Shared Assessments updates) | Periodic (coalition-driven) |
| Cost to access | Free (CSA STAR) | Membership required (Shared Assessments) | Free (open source) |
Building a Questionnaire Response Library
What we recommend to every client is building a centralized questionnaire response library before you receive your first questionnaire. This is the single highest-leverage investment you can make toward questionnaire efficiency.
Step 1: Map Your SOC 2 Controls to Common Questions
Start with your SOC 2 control descriptions. For each control, write a plain-language response that explains what you do, how you do it, and what evidence supports it. In our experience, a SOC 2 program with 80-100 controls maps to approximately 150-200 unique questionnaire questions across all three frameworks.
Step 2: Fill the Gaps Beyond SOC 2
Identify the question categories that SOC 2 does not cover: financial stability, ESG practices (for SIG), cloud-specific architecture details (for CAIQ), and data portability (for CAIQ and VSA). Draft responses for these categories once and store them alongside your SOC 2-derived responses.
Step 3: Organize by Topic, Not by Framework
What we tell clients is to organize your library by security topic rather than by questionnaire framework. A response about MFA enforcement should be stored once under "Access Control — Multi-Factor Authentication" and mapped to the relevant question numbers across CAIQ, SIG, and VSA. This prevents duplication and ensures consistency.
Step 4: Assign Ownership and Review Cadence
Each response in your library needs an owner — the person responsible for keeping it accurate. In our experience, the most effective cadence is quarterly reviews of the full library, with immediate updates triggered by material changes to your security program (new tools, new certifications, policy changes, infrastructure changes).
Step 5: Integrate with Your SOC 2 Lifecycle
Every time you complete a SOC 2 audit cycle, update your response library to reflect any new controls, control modifications, or changes to your system description. What we recommend is making library maintenance a standard step in your post-audit activities.
Practical Tips for Faster Questionnaire Turnaround
In our experience working with hundreds of clients across all three frameworks, these practices consistently reduce questionnaire response times:
Lead with your SOC 2 report. When you receive a questionnaire, respond immediately with your SOC 2 Type II report and ask the evaluator to review it before requiring full questionnaire completion. We see this eliminate the questionnaire entirely in 15-25% of cases — the SOC 2 report satisfies the buyer's security team without additional paperwork.
Pre-populate from your library. Before assigning questions to subject matter experts, run the questionnaire through your response library and pre-populate every answer you can. What we tell clients is that this should cover 60-80% of questions if your library is well-maintained.
Standardize your "not applicable" responses. Some questions will not apply to your environment. Draft standard responses that explain why — "This control is not applicable because we do not operate physical data centers; our infrastructure is hosted on AWS and managed under the shared responsibility model." A well-crafted N/A response demonstrates security maturity rather than avoidance.
Track which questionnaires you receive most frequently. If 80% of your prospects send VSA questionnaires, invest disproportionately in VSA preparation. If you primarily sell to financial institutions, SIG is your priority. What we recommend is letting your buyer profile drive your preparation strategy.
Keep evidence artifacts linked to responses. Every library entry should include a reference to the supporting evidence — the SOC 2 report section, the policy document, the configuration screenshot, or the audit log. When a prospect asks for evidence behind a response, your team should be able to produce it in minutes, not days.
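As an added illustration of Steps 1 to 5 above and of the pre-population and evidence-linking tips (example code written for this page, not Agency's or any framework's own tooling), here is a small Python model of a topic-organized response library: each response is stored once per topic, mapped to per-framework question ids, reused to pre-populate an incoming questionnaire, and flagged when it is past the quarterly review cadence. All library contents and question ids (such as SIG-AC-1) are constructed placeholders, not real CAIQ, SIG or VSA numbering.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_CADENCE = timedelta(days=91)  # quarterly review, per the cadence recommended above

@dataclass  # one topic-level response, stored once and mapped to each framework's question ids
class LibraryEntry:
    topic: str
    response: str
    owner: str            # person/team responsible for keeping the response accurate
    evidence: list        # pointers to artifacts: SOC 2 section, policy, screenshot, log
    last_reviewed: date
    mappings: dict = field(default_factory=dict)  # framework name -> list of question ids

# Constructed sample library. Question ids such as "CAIQ-IAM-1" are placeholders,
# not the real numbering of any framework.
LIBRARY = [
    LibraryEntry("Access Control - Multi-Factor Authentication",
                 "MFA is enforced for all administrative access via our SSO provider.",
                 "it-ops", ["SOC 2 Type II, CC6.1"], date(2024, 3, 1),
                 {"CAIQ": ["CAIQ-IAM-1"], "SIG": ["SIG-AC-1", "SIG-AC-2"], "VSA": ["VSA-AC-1"]}),
    LibraryEntry("Data Security - Encryption in Transit and at Rest",
                 "All customer data is encrypted at rest (AES-256) and in transit (TLS 1.2+).",
                 "platform", ["SOC 2 Type II, CC6.7", "Encryption Standard v3"], date(2024, 6, 10),
                 {"CAIQ": ["CAIQ-DSP-1"], "SIG": ["SIG-DS-1"], "VSA": ["VSA-DP-1"]}),
    LibraryEntry("Physical Security - Data Center Operations",
                 "Not applicable: we operate no physical data centers; infrastructure is hosted "
                 "on AWS under the shared responsibility model.",
                 "security", ["AWS SOC 2 report (via AWS Artifact)"], date(2024, 6, 10),
                 {"SIG": ["SIG-PS-1"]}),
]

def build_index(library):
    """Map (framework, question id) -> entry; reject an id claimed by two topics."""
    index = {}
    for entry in library:
        for framework, qids in entry.mappings.items():
            for qid in qids:
                if (framework, qid) in index:
                    raise ValueError(f"{framework} {qid} is mapped to two topics")
                index[(framework, qid)] = entry
    return index

def prepopulate(library, framework, question_ids):
    """Pre-fill a received questionnaire; return (answers, ids still needing an SME)."""
    index = build_index(library)
    answers, gaps = {}, []
    for qid in question_ids:
        entry = index.get((framework, qid))
        if entry is None:
            gaps.append(qid)
        else:
            answers[qid] = {"topic": entry.topic, "response": entry.response,
                            "evidence": entry.evidence, "owner": entry.owner}
    return answers, gaps

def stale_entries(library, today):
    """Topics past their quarterly review date; re-verify these before reusing them."""
    return [e.topic for e in library if today - e.last_reviewed > REVIEW_CADENCE]
```

Running `prepopulate(LIBRARY, "SIG", [...])` on a received question list yields the answers that can be filled from the library and the ids that must go to a subject matter expert; `stale_entries` is the check to run before any reuse.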
Key Takeaways
- We advise clients to understand the three major security questionnaire frameworks — CAIQ, SIG, and VSA — because each serves a different buyer population; CAIQ for cloud-focused enterprises, SIG for financial institutions and large enterprises, and VSA for technology companies
- In our experience, a current SOC 2 Type II report pre-answers 40-80% of any standardized security questionnaire depending on the framework; combined with ISO 27001, coverage increases to 50-85%; the investment in SOC 2 pays dividends across every questionnaire you will ever receive
- What we recommend is building a centralized response library organized by security topic rather than by framework — this eliminates duplication, ensures consistency, and reduces first-time questionnaire completion from weeks to days
- SIG is the most comprehensive and time-consuming framework at 800+ questions; what we tell clients is to map SOC 2 controls to SIG question numbers proactively so that when you receive a SIG Core questionnaire, half the responses are already populated
- The single most effective tactic we see is leading with your SOC 2 report before completing the questionnaire — in 15-25% of cases, the report alone satisfies the buyer's security evaluation and eliminates the questionnaire entirely
- We recommend quarterly reviews of your response library with immediate updates triggered by material changes to your security program; a stale library creates more risk than no library at all
Frequently Asked Questions
Which questionnaire should we prepare for first?
What we tell clients is to let your buyer profile decide. If most of your prospects are technology companies, start with VSA — it is the shortest and has the highest SOC 2 overlap. If you sell to financial services, prioritize SIG. If your buyers reference the Cloud Security Alliance or CSA STAR, start with CAIQ. In our experience, most SaaS companies encounter VSA or CAIQ first and SIG later as they move upmarket into regulated industries.
Can we refuse to complete a security questionnaire?
Technically, yes. Practically, refusing a questionnaire typically ends the sales conversation. What we recommend instead is proactively offering your SOC 2 report and Trust Center link as alternatives. Some buyers will accept the report in lieu of a full questionnaire. Others will require the questionnaire but accept report references as valid answers to individual questions.
How often do these frameworks change?
Each framework publishes updates roughly annually, though the cadence varies. In our experience, the year-over-year changes are incremental — typically adding questions around emerging topics like AI governance, zero trust architecture, or supply chain security. What we tell clients is to review framework updates annually and update your response library accordingly, but major overhauls are rare.
Do we need to complete all three frameworks?
No. You complete whichever framework your prospect sends you. What we recommend is maintaining a response library that covers all three so you are prepared regardless of which one arrives. The overlap between frameworks means that preparing for one significantly reduces the effort required for the others.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.