How to respond to a customer security questionnaire (SIG, CAIQ, or custom)
Your customer sent you a security questionnaire. It's a spreadsheet with 100, 300, or 1,000 questions, depending on which one landed in your inbox. You have to fill it out as part of the vendor onboarding, a contract renewal, or a procurement review. The deadline is short. You're not sure where to start.
The questionnaires look intimidating, but most of them come from a small number of standard sources. Once you know which standard your customer is using, the questionnaire stops looking like a wall of unrelated questions and starts looking like an organized assessment of your security program. The same answers, sourced from the same documentation, work across different questionnaires with minimal rewriting.
The three sources
Most customer security questionnaires come from one of three sources: SIG, CAIQ, or a custom questionnaire your customer's procurement or security team built themselves. Knowing which one you're looking at changes how you respond.
SIG: the Shared Assessments questionnaire
SIG stands for Standardized Information Gathering, and it's published by Shared Assessments, a nonprofit focused on third-party risk management. The 2025 version is the current release. SIG comes in three sizes:
- SIG Lite has 128 questions and is meant for lower-risk vendors or preliminary assessments. It's the version most small businesses receive when a customer wants a baseline read on their security posture.
- SIG Core has 627 questions covering 21 risk domains and is the standard depth for assessing a vendor that handles sensitive data or provides a critical service.
- SIG Detail, the full version, has 1,936 questions and is used for the deepest vendor assessments.
The 21 risk domains sit under four control areas: governance and risk management, information protection, IT operations and business resilience, and security incident and threat management. Each domain has a focused set of questions; the four control areas correspond roughly to the layers most security programs already organize themselves around.
SIG isn't free. Shared Assessments licenses it through their member program or a paid subscription. Your customer paid for their license, which means the questionnaire they sent you is theirs to share with you for the assessment, but you're not authorized to redistribute the question set. That distinction matters if you build a response library: store your answers separately from the source questions.
CAIQ: the Cloud Security Alliance questionnaire
CAIQ stands for Consensus Assessments Initiative Questionnaire, and it's published by the Cloud Security Alliance. The current version is CAIQ v4.1 with 283 yes-or-no questions. CAIQ-Lite is a shorter version with 124 questions.
CAIQ is specifically designed for cloud service providers (infrastructure, platform, and software as a service). The questions map to CSA's Cloud Controls Matrix and ask whether specific cloud-security controls are in place. The format is yes-or-no, which makes it look simpler than SIG but doesn't necessarily make it easier; a credible "yes" still requires evidence to back it up.
CAIQ is free to download. Your customer, if they're asking you to complete one, expects you to fill it out and return it. Many CSPs publish their completed CAIQs publicly, either through the CSA STAR Registry or on their own trust pages, which lets prospective customers see the answers before asking.
Custom questionnaires: built by your customer's team
The third source is whatever your customer's security or procurement team assembled themselves. These vary widely. Some are short and focused, covering only the controls the customer cares about. Some are long and exhaustive, often borrowing from SIG, CAIQ, NIST CSF, ISO 27001, or all of the above.
Custom questionnaires are often where the work feels hardest, because the questions aren't standardized and you can't reuse answers across customers without rewriting. But the underlying topics are usually the same: identity and access management, data protection, vulnerability and patch management, incident response, vendor risk, business continuity. If you've answered SIG or CAIQ recently, you've answered most of what a custom questionnaire will ask, just in different phrasing.
Custom questionnaires also tend to carry industry-specific layers on top of the standard control areas. Questionnaires from manufacturing customers often add supply chain attestation and intellectual property protection questions; questionnaires from healthcare contexts add HIPAA-specific language about protected health information; questionnaires from law firm clients sometimes touch attorney-client privilege and matter-specific access; questionnaires from defense contractors layer in NIST 800-171 and CUI handling. The standard control areas still anchor the response, but the industry-specific layers need answers your business has actually thought through. The reusable response file below works for the standard layer; the industry-specific layers need separate documentation your business maintains.
What each questionnaire is testing for
The four control areas in SIG, the seventeen domains in CAIQ, and the headings in a typical custom questionnaire all converge on the same operational questions. A customer sending you any of these wants to know:
- Identity and access: Do you control who can access your systems? Do you enforce multi-factor authentication? Do you review access on a recurring cadence and remove access when employees leave?
- Data protection: Do you know what data you handle, where it's stored, and who has access to it? Do you classify data by sensitivity? Do you encrypt data at rest and in transit?
- Vulnerability and patch management: Do you scan your environment for vulnerabilities? Do you patch on a defined cadence? Do you have endpoint protection?
- Incident response: Do you have a written incident response plan? Have you tested it? Do you know how you'd notify the customer if their data were affected?
- Vendor risk: Do you manage your own vendors with similar diligence? Do you tier your vendors by risk and review the high-risk ones?
- Business continuity: Do you back up your data? Have you verified the backups can restore? Do you have a documented recovery plan?
- Governance: Do you have written policies? Is someone named as the security coordinator? Have employees acknowledged the policies?
A questionnaire that doesn't ask about most of these is unusual. A questionnaire that asks deeply about all of them is comprehensive but not surprising. The control areas are how the industry has converged on assessing vendor security.
How to build a reusable response file
The work of answering the first questionnaire is substantial. The work of answering the second is a fraction of that if you've structured the first one well. The pattern that makes this work is a single response file you populate once and reuse across customers.
The file is organized by control area rather than by source questionnaire. Each control area has your business's answer, written once in your business's voice, with the supporting documentation referenced. When a new questionnaire arrives, you map each question to the control area it belongs to, copy the answer, and adapt the phrasing if necessary.
Three rules make the reusable file work:
The answers stay your own, not copied from SIG or CAIQ phrasing. If you copy the source questionnaire's exact wording into your response file, you create a licensing problem with the standards body and a maintenance problem with yourself (their questions change; your answers should be stable). Write your answers in your own language; map them to the questions when needed.
The answers reference documentation rather than asserting facts. "Yes, we enforce multi-factor authentication" is weaker than "Yes, multi-factor authentication is enforced per our Access Control Policy and operationalized via our MFA Enforcement Procedure (both available on request)." The document reference is what makes the answer durable; the assertion is what fails under follow-up.
The answers get reviewed quarterly or whenever your underlying program changes. The response file is a living document. If you change your backup procedure, your file's backup answer changes too. If you adopt a new endpoint protection product, the answer updates. The quarterly review is what keeps the file from becoming a fiction.
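The three rules above translate directly into a data structure. The following is an added example, not part of the original article and not the TACSOP template: a response file keyed by control area (answers in the business's own words, each pointing at named documents and carrying a last-reviewed date), a keyword mapper that assigns incoming questions to a control area and flags anything it cannot place rather than guessing, and a staleness check for the quarterly review. Every control-area key, keyword list, document title, review date and sample question is constructed for illustration.

```python
"""Reusable questionnaire response file, question-to-control-area mapper,
and quarterly staleness check. Added example; all data below is constructed."""
from datetime import date, timedelta

# One entry per control area, written once in your own words. Answers cite
# documents (available on request) instead of asserting bare facts.
RESPONSE_FILE = {
    "identity_and_access": {
        "answer": ("Yes. Multi-factor authentication is enforced per our Access Control "
                   "Policy and operationalized via our MFA Enforcement Procedure; access "
                   "is reviewed quarterly and removed at offboarding."),
        "documents": ["Access Control Policy", "MFA Enforcement Procedure"],
        "last_reviewed": date(2025, 4, 1),  # constructed
        "keywords": ["multi-factor", "mfa", "access review", "offboard",
                     "least privilege", "authentication", "user access"],
    },
    "data_protection": {
        "answer": ("Yes. Data is classified per our Data Classification Standard and "
                   "encrypted at rest and in transit per our Encryption Standard."),
        "documents": ["Data Classification Standard", "Encryption Standard"],
        "last_reviewed": date(2025, 4, 1),
        "keywords": ["encrypt", "at rest", "in transit", "classif", "data inventory"],
    },
    "vulnerability_and_patch": {
        "answer": ("Yes. Systems are scanned monthly and patched on the cadence in our "
                   "Vulnerability Management Procedure; endpoints run managed EDR."),
        "documents": ["Vulnerability Management Procedure"],
        "last_reviewed": date(2024, 10, 1),  # deliberately old: trips the review check
        "keywords": ["vulnerab", "patch", "scan", "endpoint", "antivirus", "edr"],
    },
    "incident_response": {
        "answer": ("Yes. Our Incident Response Plan is tested annually and defines "
                   "customer notification timelines."),
        "documents": ["Incident Response Plan"],
        "last_reviewed": date(2025, 4, 1),
        "keywords": ["incident", "breach", "notif", "tabletop"],
    },
    "business_continuity": {
        "answer": ("Yes. Backups run daily and restore tests are recorded per our "
                   "Backup and Recovery Procedure."),
        "documents": ["Backup and Recovery Procedure", "Business Continuity Plan"],
        "last_reviewed": date(2025, 4, 1),
        "keywords": ["backup", "restore", "recovery", "continuity", "disaster"],
    },
}


def classify_question(question):
    """Return the control area whose keywords best match the question.
    Zero matches or a tie return None so a human maps the question by hand."""
    text = question.lower()
    scores = {area: sum(k in text for k in entry["keywords"])
              for area, entry in RESPONSE_FILE.items()}
    best = max(scores.values())
    if best == 0:
        return None
    winners = [a for a, s in scores.items() if s == best]
    return winners[0] if len(winners) == 1 else None


def build_responses(questions):
    """Map each incoming question to the reusable answer for its control area.
    Unmapped questions are flagged explicitly rather than answered by guesswork."""
    rows = []
    for q in questions:
        area = classify_question(q)
        if area is None:
            rows.append({"question": q, "area": None, "documents": [],
                         "answer": "UNMAPPED: needs a manual answer"})
        else:
            entry = RESPONSE_FILE[area]
            rows.append({"question": q, "area": area,
                         "documents": list(entry["documents"]),
                         "answer": entry["answer"]})
    return rows


def stale_areas(today, max_age_days=90):
    """Control areas not reviewed within the quarterly window (today may be ISO text)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a for a, e in RESPONSE_FILE.items() if e["last_reviewed"] < cutoff)


# Constructed questions in the style of a yes/no (CAIQ-like) and a custom questionnaire.
SAMPLE_QUESTIONS = [
    "Is multi-factor authentication required for all administrative access?",
    "Is customer data encrypted at rest and in transit?",
    "Describe your vulnerability scanning and patch management cadence.",
    "Do you have a written incident response plan, and how often is it tested?",
    "How often are backups tested for restore?",
    "Does your company hold cyber insurance?",  # no matching area: must be flagged
]

if __name__ == "__main__":
    for row in build_responses(SAMPLE_QUESTIONS):
        print(f"[{row['area'] or 'UNMAPPED'}] {row['question']}\n    -> {row['answer']}")
    print("Review due:", stale_areas("2025-06-01"))
```

Keyword matching is deliberately conservative: a tie or a zero score leaves the question unmapped, because a plausible-sounding answer pasted under the wrong control area is exactly what fails under follow-up. The same file, serialized to YAML or a spreadsheet, is what you adapt per customer; the questions themselves never go into it, which keeps the SIG licensing question out of your repository.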
What this means practically
The first time you receive a customer security questionnaire, the work is heavy. You're answering questions for the first time and assembling the documentation behind each answer. The second one is meaningfully easier because most of the questions overlap with the first. By the third or fourth, the work is mostly mapping new questions to existing answers.
That trajectory only works if the first response file is built deliberately. A first response that's just copy-pasted from the SIG or CAIQ template, with answers written in the questionnaire's voice rather than yours, doesn't generalize. A first response that's organized by control area with your own answers and documentation references becomes the foundation for every customer questionnaire that follows.
If you'd rather not build the response file from scratch, TACSOP includes a Customer Security Questionnaire Response Template organized by control area, with pre-populated answers drawn from the kit's policies, procedures, and operational evidence. You populate it once and adapt it for SIG, CAIQ, or any custom questionnaire your customers send. The kit is here.