Worked example

See exactly how it comes back.

A real slice of a CAIQ security questionnaire, completed from a sample MSP's own documents. Notice the range: a confident answer where the evidence supports it, an honest partial where it only half does, and a flag where the answer simply isn't in the documents yet.

Supported by your docs · Partially in place · Needs your input

Consensus Assessments Initiative Questionnaire (CAIQ)
COMPLETED · SAMPLE MSP LTD
3 DAYS

A&A-01.1
Are audit and assurance policies, procedures and standards established, documented and maintained?
Basis: ISO 27001 certificate (valid to 2026) and Information Security Policy, section 4. Reviewed annually by the directors.
Answer: YES

A&A-02.1
Are independent audits and assessments conducted at least annually?
Basis: External ISO 27001 surveillance audit completed annually; most recent certificate provided.
Answer: YES

A&A-03.1
Are assessments performed on a risk-based schedule, triggered by significant change?
Basis: Risk reviews happen, but a documented change-triggered schedule isn't evidenced in the policy. [Confirm with you]
Answer: PARTIAL

IAM-01.1
Is an identity and access management policy established and enforced?
Basis: Access Control Policy, section 2. MFA enforced across all admin accounts per the same document.
Answer: YES

DSP-05.1
Is data classification applied to all data and objects containing data?
Basis: Not found in the documents provided. We've flagged it rather than guess, so you can confirm before it's submitted. [Needs your input]
Answer: CONFIRM

Illustrative sample using fictional company data. CAIQ is a standard of the Cloud Security Alliance.

YES

Confident answers, but only where your documents actually support them.

PARTIAL

Honest where a control is only half in place, with exactly what's missing.

CONFIRM

Flagged, never bluffed, when an answer isn't in your documents. This is what protects you in a review.

£349 per questionnaire. You only pay if you're happy with the result.