SIG vs CAIQ vs VSAQ: the security questionnaires explained

Updated June 2026

SIG, CAIQ, and VSAQ are the three standard security questionnaires you are most likely to be handed. SIG is the broad, all-industries one, CAIQ is the cloud-specific one, and VSAQ is the lighter, engineer-friendly one. They overlap a lot, so a single well-written answer can usually satisfy all three if you map it carefully.

Why standard questionnaires exist

For years, every customer wrote their own security spreadsheet, and every vendor answered the same questions in a slightly different shape each time. Standard questionnaires were created to stop that. When a customer sends a recognised template, you can reuse an answer you have already written and approved, and they can compare you against other vendors on the same basis. It is less work on both sides.

SIG (Standardized Information Gathering)

SIG comes from Shared Assessments and is the broad, industry-agnostic option. It is updated each year and covers a wide set of risk domains, from access control to resilience. It ships in two sizes: a fuller SIG (sometimes called SIG Core) and a shorter SIG Lite for lower-risk or first-pass reviews. You will see SIG a lot in financial services and from larger procurement teams.

CAIQ (Consensus Assessments Initiative Questionnaire)

CAIQ is from the Cloud Security Alliance and is built specifically for cloud providers. Its questions line up with the CSA Cloud Controls Matrix, so the answers map cleanly onto a recognised cloud control set. Many providers publish a completed CAIQ in the CSA STAR registry so customers can self-serve it. If you sell a cloud product, expect this one.

VSAQ (Vendor Security Assessment Questionnaire)

VSAQ was open-sourced by Google and is the lightest of the three. It runs as a web form with conditional questions, so it only asks what is relevant based on your earlier answers. It tends to show up with engineering-led teams who want a quick, practical read on a vendor rather than a 300-row spreadsheet.

How they relate to SOC 2 and ISO 27001

It helps to keep two things separate. SIG, CAIQ, and VSAQ are questionnaires: questions you answer. SOC 2 and ISO/IEC 27001 are independent attestations: a SOC 2 report or an ISO certificate is evidence produced by an auditor. A current SOC 2 or ISO often answers, or removes the need for, large parts of a questionnaire, which is why so many reviews start by asking whether you have one.

Answer once, reuse everywhere

The practical takeaway is to write your security answers once, map them to the underlying controls, and reuse them. The same approved statement about, say, encryption at rest should satisfy the SIG row, the CAIQ control, and a customer's bespoke wording. A framework-mapped answer library is what turns each new questionnaire from a writing job into a matching job.

Frequently asked questions

Is SIG or CAIQ better?

Neither is better; they have different scopes. SIG is broad and industry-agnostic, while CAIQ is built for cloud providers and maps to the CSA Cloud Controls Matrix. Many teams maintain answers for both, because different customers ask for different ones.

Do I have to complete every questionnaire from scratch?

No. Most of the questions repeat across SIG, CAIQ, VSAQ, and bespoke spreadsheets, so a mapped answer library lets you reuse approved responses. A current SOC 2 report or ISO 27001 certificate can also satisfy or shortcut many items.

What is the difference between a security questionnaire and a SOC 2 report?

A security questionnaire is a set of questions a customer asks you to answer. A SOC 2 report is an independent audit of your controls that you hand over as evidence. Questionnaires gather your assertions; a SOC 2 report backs them up.

Do this in a fraction of the time

Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.