CSA CAIQ

CSA Consensus Assessments Initiative Questionnaire v4.1

CertificationInternational

The CAIQ v4.1 is a standardised security assessment questionnaire with 283 questions mapped to the Cloud Controls Matrix v4.1. Used for CSA STAR Level 1 self-assessment, it enables cloud providers to document their security posture and customers to evaluate provider compliance. Released January 2026, it replaces CAIQ v4.0 (transition deadline December 2027).

Also explore

GDPR DORA NIS2 SOC 2 HIPAA PCI DSS ISO 27001 CMMC IEC 62443 NERC CIP MITRE ATT&CK ICS CISA CPGs Saudi OTCC NIST CSF 2.0 NIST 800-53 NIST 800-171 CIS Controls CSA CCM

283

Questions

CCM Domains

STAR L1

Self-Assessment

v4.1

Current (Jan 2026)

Who Needs to Comply

Cloud Service Providers

CSPs completing CAIQ for CSA STAR Registry publication
Providers responding to customer security questionnaires
SaaS, PaaS, and IaaS providers of all sizes
Providers transitioning from CAIQ v4.0 to v4.1 before December 2027

Enterprise Customers

Procurement teams evaluating cloud provider security
Compliance teams conducting vendor risk assessments
Organisations using CAIQ as standardised security questionnaire
Auditors performing cloud security due diligence

Key Compliance Areas

GRM, AAC

Security Governance & Compliance

Governance, risk management, audit assurance, compliance policies, and third-party assessment requirements.

DSP, EKM

Data Protection & Encryption

Data security lifecycle management, encryption and key management, data residency, and privacy controls.

IAM, IVS, DCS

Infrastructure & Access Control

Identity management, virtualisation security, datacenter security, and network security controls.

BCR, SEF, TVM

Operations & Incident Management

Business continuity, incident management, change management, vulnerability management, and logging.

How Orizon Helps

CCM Mapping

Align CAIQ questions to applicable CCM v4.1 controls and determine organisational scope.

Self-Assessment

Complete all 283 Yes/No questions with supporting evidence and implementation details.

Gap Documentation

Identify 'No' responses and create remediation timelines with responsible owners.

STAR Level 1 Submission

Publish completed CAIQ to the CSA STAR Registry for public transparency.

STAR Level 2 (Optional)

Engage a third-party auditor for CCM-based certification and enhanced assurance.

Annual Renewal

Update CAIQ annually; adopt v4.1 format before the December 2027 transition deadline.

Official Sources

Assess Your Compliance

Expert guidance for your CSA CAIQ compliance journey.

Get Started

CSA CAIQ

CSA Consensus Assessments Initiative Questionnaire v4.1

CertificationInternational

Who Needs to Comply

Cloud Service Providers

CSPs completing CAIQ for CSA STAR Registry publication
Providers responding to customer security questionnaires
SaaS, PaaS, and IaaS providers of all sizes
Providers transitioning from CAIQ v4.0 to v4.1 before December 2027

Enterprise Customers

Procurement teams evaluating cloud provider security
Compliance teams conducting vendor risk assessments
Organisations using CAIQ as standardised security questionnaire
Auditors performing cloud security due diligence

Key Compliance Areas

GRM, AAC

Security Governance & Compliance

Governance, risk management, audit assurance, compliance policies, and third-party assessment requirements.

DSP, EKM

Data Protection & Encryption

Data security lifecycle management, encryption and key management, data residency, and privacy controls.

IAM, IVS, DCS

Infrastructure & Access Control

Identity management, virtualisation security, datacenter security, and network security controls.

BCR, SEF, TVM

Operations & Incident Management

Business continuity, incident management, change management, vulnerability management, and logging.

How Orizon Helps

CCM Mapping

Align CAIQ questions to applicable CCM v4.1 controls and determine organisational scope.

Self-Assessment

Complete all 283 Yes/No questions with supporting evidence and implementation details.

Gap Documentation

Identify 'No' responses and create remediation timelines with responsible owners.

STAR Level 1 Submission

Publish completed CAIQ to the CSA STAR Registry for public transparency.

STAR Level 2 (Optional)

Engage a third-party auditor for CCM-based certification and enhanced assurance.

Annual Renewal

Update CAIQ annually; adopt v4.1 format before the December 2027 transition deadline.