CAIQ V3 Updates

Cloud Security Alliance (CSA) would like to present the next version of the Consensus Assessments Initiative Questionnaire (CAIQ) v3.1.

The CAIQ offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM). It therefore helps cloud customers gauge the security posture of prospective cloud service providers and determine whether their cloud services are suitably secure.

CAIQ v3.1 represents a minor update to the previous CAIQ v3.0.1. In addition to improving clarity and accuracy, it supports better auditability of the CCM controls. The updated version aims not only to correct errors but also to appropriately align and improve the semantics of unclear questions for the corresponding CCM v3.0.1 controls. In total, 49 new questions were added, and 25 existing ones were revised.

For this new CAIQ version, CSA took into account the combined comprehensive feedback that was collected over the years from its partners, the industry and the CCM working group.

Introducing CAIQ-Lite

By Dave Christiansen, Marketing Director, Whistic


The Cloud Security Alliance and Whistic are pleased to release CAIQ-Lite beta, a new framework for cloud vendor assessment.

CSA and Whistic identified the need for a lighter-weight assessment questionnaire in order to accommodate the shift to cloud procurement models, and to enable cybersecurity professionals to more easily engage with cloud vendors. CAIQ-Lite was developed to meet the demands of an increasingly fast-paced cybersecurity environment, where adoption is becoming paramount when selecting a vendor security questionnaire.

With the initial objective of developing an effective questionnaire containing 100 or fewer questions, CAIQ-Lite contains 73 questions compared to the 295 found in the CAIQ, while maintaining representation of 100 percent of the original 16 control domains present in the Cloud Controls Matrix (CCM) 3.0.1. Contributing research leveraged multiple sources of CSA member and Whistic customer feedback, as well as a panel of hundreds of IT security professionals. Research behind Whistic’s proprietary scoring algorithm was utilized as a part of the final CAIQ-Lite question selection process.

We look forward to community feedback on CAIQ-Lite, which can be accessed by CSA members for free at Whistic, as well as from CSA. The current version will be improved over the next 12 months, based on additional community input. Also, any members that already have a CAIQ on the CSA STAR Program will automatically have a CAIQ-Lite generated for them on the Whistic Platform.

Click to access the full whitepaper, containing further details regarding the creation and deployment of this new cloud service questionnaire.