← All questionnaires
ALIGNED WITH CSA CCM · 28 QUESTIONS · FREE TEMPLATE

Cloud Provider Security Questionnaire — CSA CCM-aligned, 28 questions

When a buyer's cloud-security team gets involved, they pull from the Cloud Security Alliance's Cloud Controls Matrix (CCM). This 28-question template is organised into 10 domains (nine drawn from the CCM's control domains, plus an AI/ML disclosure section the CCM does not yet cover) and tells you exactly what evidence to have ready.

Total questions
28
Categories
10
Typical timeline
7–14 business days
Effort
12–30 hours
Who requests it
  • Enterprise cloud security architects
  • Banks, insurers, and regulated industries doing pre-purchase due diligence
  • Federal contractors who need FedRAMP-style assurance
Who fills it out
  • Cloud / platform engineering plus security
  • Often co-signed by the CISO and Head of Infrastructure

The questionnaire — every question, inline

1. Audit, Assurance & Compliance (3 questions)

External attestations and audit rights.
  • 1.1 Provide current SOC 2 Type II, ISO 27001, ISO 27017 and ISO 27018 reports or certificates, and the name of the audit firm. (Critical)
  • 1.2 Do customers have the right to audit your controls directly, or only via pooled audits? (High)
  • 1.3 How are findings from internal audits tracked to remediation? Provide an example corrective-action (CAR/CAPA) cycle. (Medium)

2. Identity & Access Management (3 questions)

Tenant identity, federated access, privileged accounts.
  • 2.1 Do you support SAML 2.0 and OIDC federation for customer identity? Is it restricted to a particular pricing tier? (Critical)
  • 2.2 Are privileged-access events in customer environments logged with operator identity and reason-for-access? (Critical)
  • 2.3 What break-glass procedure exists for emergency access, and how are its uses reviewed? (High)

3. Encryption & Key Management (3 questions)

At-rest, in-transit, and customer-managed keys.
  • 3.1 Specify the algorithms and key lengths used for at-rest encryption (e.g. AES-256-GCM) and where the keys are stored. (Critical)
  • 3.2 Can customers bring or hold their own encryption keys (BYOK / HYOK)? Describe the supported KMS integrations. (High)
  • 3.3 How are TLS certificates rotated, and what is the minimum TLS protocol version accepted? (High)

4. Data Center & Physical Security (3 questions)

Where data physically lives.
  • 4.1 List all data center regions and the underlying provider (AWS / GCP / Azure / Equinix / own). (Critical)
  • 4.2 Are the data centers SSAE 18 SOC 2 and ISO 27001 audited? Provide the upstream provider's attestations. (High)
  • 4.3 Can customer data residency be pinned to a single country or region? Describe failover behaviour, including whether a failover can move data outside the pinned region. (Critical)

5. Threat & Vulnerability Management (3 questions)

Patching, scanning, pen testing.
  • 5.1 What is the maximum window from public CVE disclosure (CVSS ≥ 9) to a deployed fix in production? (Critical)
  • 5.2 What are the frequency, scope, and provider of external penetration tests, and when was the last one? (High)
  • 5.3 Do you run a coordinated vulnerability disclosure or bug-bounty program? Provide the public policy URL. (Medium)

6. Security Incident Management (3 questions)

Detection, response, customer notification.
  • 6.1 What is your maximum SLA from a confirmed customer-impacting security incident to first customer notice? (Critical)
  • 6.2 Describe your 24/7 SOC capability: in-house, MSSP, or hybrid? Name the provider if an MSSP is used. (High)
  • 6.3 Are post-incident reports (RCAs) shared with affected customers? Provide a sample structure. (High)

7. Business Continuity & Disaster Recovery (3 questions)

Resilience, RTO, RPO.
  • 7.1 What are the published RTO and RPO for the production service? Provide the SLA document URL. (Critical)
  • 7.2 Are DR scenarios tested at least annually with full failover? Provide the most recent test summary. (High)
  • 7.3 How geographically diverse are backup copies (single-region, multi-region, multi-provider)? (High)

8. Interoperability & Portability (2 questions)

Getting in and getting out.
  • 8.1 What APIs and bulk-export formats are available for customers to retrieve their data? (High)
  • 8.2 On termination, what is the SLA to deliver a final data export and to confirm complete deletion? (Critical)

9. Supply Chain Management (3 questions)

Subprocessors, open source.
  • 9.1 Public subprocessor list URL; it must include each subprocessor's name, function, country, and the data categories it accesses. (Critical)
  • 9.2 What is the notice period for new or replaced subprocessors, and is opt-out available? (High)
  • 9.3 Do you produce an SBOM for the platform and share it with enterprise customers on request? (Medium)

10. AI / ML Use Disclosure (2 questions)

If applicable to the service.
  • 10.1 Does the service use customer data to train any AI/ML models? If yes, describe consent and opt-out. (Critical)
  • 10.2 List third-party AI/LLM providers in the data path (OpenAI, Anthropic, AWS Bedrock, etc.) and the data categories they receive. (Critical)
Want this pre-filled with YOUR controls?

Run a free ISO 27001 / CSA CCM audit. ComplianceIQ uses your audit responses and generated policies to populate an answer pack you can paste into any SIG, CAIQ, or custom enterprise questionnaire — in minutes, not days.


FAQ

Is this the same as the CSA CAIQ?
The CAIQ (Consensus Assessments Initiative Questionnaire) is the Cloud Security Alliance's own questionnaire, built on the CCM. We don't reproduce CAIQ wording, but the CCM domains and the intent behind the questions are public, and this template gives you a SaaS-friendly version you can use today.
Should we submit this to the CSA STAR Registry?
Eventually, yes. A public STAR Level 1 self-assessment (a completed CAIQ) is a significant sales unlock. Use this template to draft your answers internally, then submit the formal CAIQ to the STAR Registry when you're ready.
How do AI/LLM disclosure questions affect us?
Enterprise contracts are increasingly amended with AI clauses. If you embed any third-party LLM, you must disclose it, name the provider, and document whether customer data is used for training. ComplianceIQ Pro auto-generates this disclosure from your subprocessor list.

Related free policy templates

  • ISO 27001 Information Security Policy
  • Vendor / Third-Party Risk Management Policy

What happens when these answers are wrong

  • Amazon Europe Core: €746M (Luxembourg CNPD, 2021). Largest GDPR fine at the time; behavioural ad targeting without valid consent.
  • Meta Platforms: €1.2B (Irish DPC, 2023). Largest GDPR fine to date; continued EU→US personal data transfers after the Privacy Shield framework was invalidated.

More questionnaires

  • SaaS Vendor
  • HIPAA BA Assessment
  • SOC 2 Subservice
  • GDPR Art. 28
  • PCI DSS SP