CSA Official Press Release

Published 03/01/2019

CSA and Whistic Unveil Streamlined Consensus Assessments Initiative Questionnaire (CAIQ)

CSA and Whistic Unveil Streamlined Consensus Assessments Initiative Questionnaire (CAIQ)

Beta release of CAIQ-Lite, based on Whistic and CSA research, available for community review

Seattle – March 1, 2019 –The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, and Whistic, the Complete Vendor Security Assessment Platform, today announced the beta release of a Lite version of CSA’s Consensus Assessments Initiative Questionnaire (CAIQ). The new, streamlined version of CAIQ, named CAIQ-Lite, was developed by Whistic in conjunction with CSA and combines data from an independent research panel of hundreds of Information Security professionals, Whistic customer feedback, and CSA member feedback. The project will allow companies throughout the world to more easily use CSA’s industry-leading thought leadership in their cloud vendor security assessments. CSA and Whistic are soliciting community feedback on the project throughout the coming year.

The beta version of CAIQ-Lite released today represents every security control domain from the original questionnaire in a shorter, 73 question format. Citing the increased focus on cloud vendor security and the need for organizations worldwide to perform a significantly higher volume of assessments on a growing population of cloud vendors, Whistic and CSA worked together to develop a Lite version that focused more on accessibility and ease of use for both cloud vendors and the enterprises performing the vendor security risk assessments.

As a part of this beta release, Whistic will make a self-assessment version of CAIQ-Lite available in its vendor security software platform free of charge to all CSA corporate members. Whistic CEO Nick Sorensen said, “In addition to the offer for CSA members, we are excited to accompany this announcement with an offer to assist any cloud vendor in converting their existing CAIQ to the new CAIQ-Lite format by leveraging the technology inside our vendor security platform. We encourage both cloud vendors and enterprises to take advantage of this opportunity and to begin using CAIQ-Lite today.” He further said, “The shared vision among Whistic and CSA on this initiative has always been making the industry-leading research behind CAIQ more accessible to more companies throughout the world. We feel like this streamlined version, along with the ability to leverage the questionnaire in the Whistic Vendor Security Platform, is a giant leap forward in achieving that goal.”

Jim Reavis, CEO and co-founder of the Cloud Security Alliance said, “On the eve of the 10-year anniversary of the founding of the Cloud Security Alliance, I am delighted to make this announcement in partnership with Whistic and to further demonstrate our commitment to improving cloud security. Since we first released CAIQ years ago, there has always been a significant amount of pent-up demand for a less resource demanding version of the questionnaire--and we are excited that Whistic finally helped make CAIQ-Lite happen. The importance of establishing best practices and standards related to the security of cloud vendors continues to increase, and we remain committed to raising awareness and taking action as the number of third-party related data breaches continues to rise. We invite companies throughout the world to join the discussion and collectively work together with us to improve this once-overlooked aspect of cloud security.”

In conjunction with the release of CAIQ-Lite, Whistic is also pleased to announce that it has completed a full integration of CSA’s STARWatch API into the Whistic Vendor Security Platform. CSA’s STAR (Security, Trust and Assurance Registry) program is the industry’s most powerful program for security assurance in the cloud. One of most essential features of the STAR program is its registry that documents the security and privacy controls provided by over 500 popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions, helping organizations save time with research and aiding in quicker decision making.

For those cloud vendors who have a CAIQ listed with CSA’s STAR registry, Whistic has automatically generated a CAIQ-Lite for them that is available today within Whistic. Juan Rodriguez, Whistic Chief Technology Officer stated, “The integration of the STARWatch API in conjunction with the release of CAIQ-Lite further enhances the effectiveness of the Whistic Platform and allows our customers to seamlessly leverage the power of CSA’s expansive library of publicly available CAIQ and Cloud Controls Matrix (CCM) documentation inside of their existing vendor assessment workflow. We’re committed to making the vendor security process more about security and less about the back-and-forth spreadsheet nightmare that plagues the vast majority of companies. The fact that you no longer have to wait for a CSA STAR cloud vendor to complete an assessment request (because we deliver that information instantaneously within our platform) is another example of that commitment and will free up more time for companies to better assess their cloud vendors.”

Companies can get access CAIQ-Lite within Whistic or from CSA. In addition, companies can learn more about CAIQ-Lite and the Whistic STARWatch integration at the upcoming RSA Conference 2019 by visiting with Cloud Security Alliance (booth #1535 South) or Whistic (booth #3103) in-person at the event.

About Whistic

Whistic enables companies to conduct and respond to vendor security reviews on a single platform. Software vendors and other companies that store or process sensitive data are undergoing an increasing amount of scrutiny from their prospects, customers and partners as it relates to information security and compliance. Whistic reduces friction by automating and streamlining security reviews, enabling InfoSec and compliance teams to more efficiently understand the security and compliance posture of a given company and empowering sales teams to standardize their responses to security questionnaires. Whistic is currently located in the heart of the Silicon Slopes in Utah. Our award-winning platform is now backed by incredible investors and used by top security teams throughout the world, and is The Complete Vendor Security solution for both sides of the supply chain. For further information, visit us at and follow us on Twitter @Whistic_Inc.

Share this content on your favorite social network today!

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.