What is the SWIFT Customer Security Programme (CSP)?
All SWIFT users must attest to their level of compliance with the set of mandatory controls described in the Customer Security Controls Framework (CSCF). These controls are prioritized to set realistic near-term goals that noticeably improve security posture and lower risk. With the release of CSCF v2020, SWIFT mandates that attestations be independently assessed by qualified assessors, in accordance with the Community Standard Assessment, to improve the accuracy of the attestations.
Internal Assessment
Carried out by the company’s second or third line of defense, such as the user’s internal compliance, internal risk or internal audit departments (independent of the first line of defense function submitting the attestation).
External Assessment
Carried out by an independent external organization with cyber security assessment experience and individual assessors who have relevant security industry certification.
As a minimum, the security assessments must cover all mandatory controls in the latest version of the Customer Security Controls Framework (CSCF) which are applicable based on a user’s CSP architecture type and infrastructure. Users that have attested against advisory controls may also include these controls during the evaluation by the assessor.