SWIFT Customer Security Controls Framework (CSCF) Independent Assessment

We are independent assessors for SWIFT Community Standard Assessments, covering all mandatory controls under the Customer Security Controls Framework.

Ensure compliance with our independent assessment for SWIFT CSCF

Each July, SWIFT updates its Customer Security Controls Framework (CSCF), and users must complete an annual Security Attestation (KYC-SA). Attestation is a guarantee that your organisation meets all mandatory controls outlined in the latest version of the CSCF. Since 2021, the attestation process has required a Community Standard Assessment performed by an independent assessor.

As a leading cybersecurity provider across ANZ, Tesserent offers SWIFT Community Standard Assessments as an independent assessor certified under SWIFT’s CSP Certified Assessors program.

Our independent Community Standard Assessment will determine your level of compliance with the most up-to-date mandatory controls for SWIFT CSCF. With this assessment in hand, you’re able to complete your mandatory annual KYC Security Attestation with the assurance you are meeting your strict cyber obligations.

What is the SWIFT Customer Security Controls Framework?

The SWIFT Customer Security Controls Framework is a key global cybersecurity framework published by SWIFT for financial services institutions using the SWIFT banking and payments system. The prescriptive framework is designed to help financial organisations secure their environments, know and limit access, and detect and respond to incidents. The CSCF sets both mandatory and advisory controls, and which controls apply varies depending on the organisation’s SWIFT architecture and infrastructure. By meeting the mandatory controls in the framework, cybersecurity is fortified across both your organisation and the SWIFT network.

The CSCF is a key component of SWIFT's Customer Security Programme (CSP), which details the security of the SWIFT network, the CSCF assessment process, and user attestation of compliance with the CSCF.


Why is Independent Assessment important?

Independent Assessment against the mandatory controls set out in the annual edition of the CSCF is required for your annual KYC Security Attestation. The attestation is mandatory, so Independent Assessment is also mandatory. Self-assessment has been deemed non-compliant since 2021.

How does an Independent Assessment work?

SWIFT CSP Assessors follow the Independent Assessment Framework (IAF), which contains supporting templates for both the mandatory controls and the advisory controls of the CSCF.

While internal Independent Assessment is possible, most organisations find it difficult to identify a suitable internal independent auditor without a conflict of interest. The assessor must have performed a similar assessment (such as PCI DSS or ISO 27001) within the past year and hold a relevant security certification such as Certified Information Security Manager (CISM).

By choosing an external independent assessor who is a SWIFT CSP Certified Assessor, such as Tesserent, organisations are assured their assessment is truly independent and valid.


How often should I obtain an Independent Assessment?

Organisations must obtain an Independent Assessment before each annual attestation.

Independent Assessments are valid for up to two years, so long as there are no changes to the SWIFT user environment requiring a re-assessment, and no new changes to mandatory controls that would affect the existing assessment.



What are the benefits of Tesserent’s SWIFT Customer Security Controls Framework (CSCF) Independent Assessment?

  • Meet your SWIFT compliance obligations for continued network participation

  • Complete your SWIFT KYC Security Attestation with confidence

  • Detect and mitigate risks, enhancing the overall security of your organisation

  • Gain assurance with an assessment from a trained team of assessors

  • Underpin the integrity, security and consistency of your organisation and the SWIFT finance network


The Tesserent SWIFT CSCF Independent Assessment process

Our assessors will leverage all relevant SWIFT documentation tailored to your chosen architecture, including the SWIFT decision tree, test plan, and other essential resources.

Preparation

Organisations must first understand the CSCF, which outlines mandatory and advisory security controls. These controls are designed to protect the confidentiality, integrity, and availability of the organisation’s SWIFT-related infrastructure.

Assessment Execution

The assessment involves a thorough review of the implementation of CSCF controls. Assessors verify that all mandatory controls are in place and functioning as intended. This includes evaluating the effectiveness of security measures and identifying any gaps or weaknesses. If requested, advisory controls may be included in the assessment.

Documentation and Reporting

Assessors document their findings in a detailed report. This report includes an assessment of each control, noting any deficiencies and providing recommendations for improvement. Organisations must submit this report to SWIFT as part of the annual security attestation.

Attestation Submission

Organisations must submit their security attestation to SWIFT annually, confirming their compliance with the CSCF. This attestation is shared with the SWIFT community to promote transparency and accountability.

Follow-Up and Remediation

Based on the assessment findings, organisations must address any identified issues. This may involve implementing additional controls or enhancing existing ones to meet CSCF requirements.



How we can assist:

Tesserent can provide an unbiased independent assessment of your organisation’s security measures, ensuring all implemented controls are aligned to the standards required by SWIFT’s CSCF.

Tesserent is a SWIFT CSP Certified Assessment provider organisation, as listed on the SWIFT website. Our teams are led by qualified assessors who will guide your organisation through its SWIFT attestation.

Tesserent has extensive financial market services industry experience, with a team of qualified staff holding cyber security certifications including PCI DSS, ISO 27001 Lead Auditor, CISSP, CISA, and many more.


FAQs

How long does an assessment take?

Our assessment process takes a minimum of 23 days for organisations with an A1 architecture (production environment only).

Do I need to assess Mandatory and Advisory controls?

Typically, our engagements only involve an assessment of the CSCF’s mandatory controls. If required, you can request to include advisory controls.

How much involvement will be required from my side?

You will need to provide a project lead, who can engage the various team members responsible for the relevant controls under assessment.

What is the process if our organisation does not pass the assessment?

This needs to be reported to SWIFT, complete with a timeframe for remediation of all issues identified.

Contact us

Speak with a Tesserent Security Specialist

Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.
