Independent assessment

All SWIFT users have to attest their level of compliance with a set of mandatory controls as described in the Customer Security Controls Framework (CSCF).

As documented in the Independent Assessment Framework (IAF), as of 2021 all SWIFT users have to perform a Community Standard Assessment to further enhance the accuracy of their attestations. SWIFT mandates that submitted attestations are independently assessed through an internal and/or an external assessment. The option to self-assess remains available but is considered non-compliant as of 2021.

Independent Assessment Framework

Overview of the Independent Assessment Framework

External or internal assessment

Users are free to select internal and/or external resources to conduct the assessment.

Users opting for an external assessment need to engage an external organisation.

Users opting for an external assessor must ensure that:
  • The selected assessor has existing cybersecurity assessment experience to an industry standard such as PCI DSS.
  • At least the lead assessor holds at least one industry-relevant professional certification, e.g. CISA; other individual assessors should also hold relevant security industry certification(s).
  • When an internal department is used to execute a Community-Standard Assessment, users are advised to take steps to ensure that those involved in the assessment execute their duties in an objective fashion, free from undue influence (including but not limited to independent reporting lines between assessors and controls owners).

A non-prescriptive CSP Assessment Providers directory is available to help you find an external assessor.


Users opting for an internal assessment must ensure that:
  • The assessment team is independent from the 1st line of defence (CISO): eligible teams are typically Internal Audit (3rd line of defence), the Risk Office (2nd line of defence) or a tailored independent team established for the assessment.
  • The selected assessor has existing cybersecurity assessment experience to an industry standard such as PCI DSS.
  • At least the lead assessor holds at least one industry-relevant professional certification, e.g. CISA; other individual assessors should also hold relevant security industry certification(s).

Another option is to appoint as assessor a mixed team composed of internal and external professionals, led by either internal or external staff. Such a set-up can enable cross-fertilisation of expertise and cost containment for subsequent assessments.

All options, i.e. an internal assessor, an external assessor or a mixed team, are equally valid for SWIFT.

For detailed requirements, see section 5 in the IAF.

I already performed an Independent Assessment last year; can I refer to it in my KYC-SA attestation for this year?

When re-attesting, you can still refer to a previous assessment. This re-use is subject to the following conditions:

  • The assessor agrees to the assessment they performed earlier still being referenced
  • The user's in-scope SWIFT footprint under assessment has not undergone significant changes that invalidate the conclusions of the previous assessment
  • The new CSCF does not include new mandatory controls, or changes to existing controls, that were not covered in the previous assessment
  • In any case, an independent assessment has a maximum validity of two years (i.e. report issuance date + 2 years; e.g. a report issued on 30 June 2020 can potentially be reused until 30 June 2022).

Should a particular internal department do the internal assessment?

It is up to the user to select an internal department, as long as it is independent from the first line of defence: no one should assess their own work. At a minimum, the lead assessor must be certified, and the rest of the team should ideally be certified as well.

Should we communicate, in our KYC-SA attestation, the identity of the individual assessors or the department that performed the assessment?

Providing the name of the internal department or the external company in your attestation is mandatory; however, providing and/or sharing the name and contact details of the lead assessor is advisory.

For further insights, refer to the Independent Assessment Process Guidelines and the FAQs.
