Security Questionnaires Decoded: SIG, CAIQ, and How to Stop Dreading Them

What the big standardized questionnaires actually are, when to use which, and how to answer them once instead of fifty times.

The first time a customer sent me a SIG, I opened the spreadsheet and counted the tabs. There were more than a dozen, and one of them ran past 800 rows. The deal was real and the buyer was serious, so somebody had to fill it in — and that somebody was me, answering questions I'd already answered for three other customers that quarter in slightly different words.

That's the security questionnaire experience for most teams: a tax you pay on both ends. You send them to vendors and groan when one lands in your own inbox. The good news is the chaos is mostly self-inflicted. Once you know what the standardized ones actually are, when to use each, and how to stop answering the same thing fifty times, the dread drops away.

What a security questionnaire is actually for

Strip away the format and a questionnaire is one thing: structured proof of a vendor's security posture, in writing, that you can file and hold them to later. Sending one is a control. Receiving one and answering it well is how you unblock deals.

The problem is that everyone invented their own. So the industry built standardized ones to stop reinventing the wheel — and then, naturally, ended up with several competing standards. The two that matter most are the SIG and the CAIQ.

The SIG (Shared Assessments)

The SIG — Standardized Information Gathering questionnaire, from the Shared Assessments program — is the heavyweight. It's a maintained, updated library of questions covering everything from access control to physical security to fourth-party risk, organized into domains. It comes in two main flavors:

  • SIG Core is the full thing: comprehensive, deep, and a real commitment to complete. You'd send Core to a critical vendor holding regulated data.
  • SIG Lite is the trimmed version — a high-level subset for a faster read on lower-risk vendors or an initial screen.

The SIG's strength is its rigor and the fact that it's actively maintained against current regulations. The catch is that the full Core questionnaire is genuinely long, and sending one by reflex is how you burn a vendor relationship before it starts. Reserve it for vendors whose tier earns it.

The CAIQ (Cloud Security Alliance)

The CAIQ — Consensus Assessments Initiative Questionnaire, from the Cloud Security Alliance — is purpose-built for cloud and SaaS providers. It maps directly to the CSA's Cloud Controls Matrix, so the questions are framed around cloud-specific concerns: multi-tenancy, data location, virtualization, shared-responsibility boundaries.

The reason people like the CAIQ is the CSA STAR registry. Many cloud vendors publish a completed CAIQ publicly, which means you can often download their answers instead of sending anything. For a SaaS-on-SaaS world, that's the closest thing to a free lunch in this whole process. If you run cloud infrastructure or sell a cloud product, having a current CAIQ ready to hand out short-circuits a huge amount of inbound questionnaire traffic.

VSAQ-style and custom questionnaires

Then there's everyone else. Google open-sourced the VSAQ (Vendor Security Assessment Questionnaire) years ago, and plenty of companies forked it or built their own bespoke spreadsheet that reflects their specific risk appetite.

Custom questionnaires aren't inherently bad — a tightly scoped 40-question custom set beats an 800-row SIG nobody finishes. The danger is the bloated custom questionnaire, the one that has grown by accretion as every team added its pet question and nobody ever deleted any. If you're building one, the discipline is ruthless pruning: every question should map to a decision you'd actually make differently based on the answer.

When to send which

Match the questionnaire to the vendor's tier, the same way you match every other check.

| Questionnaire | Source | Best for | Length | Public answers available? |
|---|---|---|---|---|
| SIG Core | Shared Assessments | Critical vendors, regulated data | Very long | No (membership-based) |
| SIG Lite | Shared Assessments | Initial screen, lower-risk vendors | Moderate | No |
| CAIQ | Cloud Security Alliance | Cloud / SaaS vendors | Moderate | Often, via CSA STAR |
| VSAQ / custom | Google / in-house | Scoped, specific concerns | You decide | Depends |

My rule of thumb: don't send anything until you've checked whether the vendor's existing evidence already answers your questions. Which brings us to the shortcut nobody uses enough.

How a SOC 2 report makes most of this disappear

Here's the move that saves the most time on both sides: a current SOC 2 Type 2 report answers most of what a questionnaire is trying to learn. An independent CPA already watched the vendor's controls operate over months and wrote it down. When a vendor sends me a clean, recent SOC 2, I send back a short list of gaps — the handful of things the report genuinely doesn't cover — instead of an 800-row SIG.

It works the other way too. When you get sent a questionnaire, leading with your SOC 2 report (and a trust center page) deflects a large share of the questions outright. Many security teams will accept the report in lieu of the full questionnaire, or let you answer "see Section IV of the attached SOC 2." If you don't have one yet, the SOC 2 guide is where to start — it's the single best questionnaire-reduction tool you can buy.

Build an answer library so you answer once

The reason questionnaires feel infinite is that teams answer each one from scratch. They aren't infinite — the questions overlap by 80% or more. So build a reusable answer library:

  • Keep one canonical document of approved answers, mapped to common questions (access control, encryption, incident response, sub-processors, data retention).
  • Write answers in reusable language, not deal-specific phrasing, so they paste cleanly into the next spreadsheet.
  • Assign an owner to keep it current — a stale answer about your encryption is worse than no answer.
  • Reference your evidence in each answer ("documented in our SOC 2, Section X") so reviewers can verify instead of just trusting.

The first time you do this it's a slog. Every time after, a questionnaire goes from a two-day project to an afternoon of copy, paste, and tailor. Pair the library with the contracts side of vendor reviews — questionnaires tell you how a vendor operates, but you still need the right data agreements signed — and you've covered both halves of due diligence. The whole approach fits inside the broader vendor risk program.

Do the library once and the next questionnaire stops being a wall. It becomes a form you've mostly already filled out.