Understand Controls
Understanding the controls is the essential first step in your CSP compliance journey. This is where you determine what is required and identify which controls apply to your Swift setup. It also helps you prepare your organisation to implement those controls, assess the implementation, and ultimately submit your KYC‑Security Attestation.
What is the CSCF and why it matters?
The Customer Security Controls Framework (CSCF) defines the security baseline applicable to all Swift users*.
It includes:
- Mandatory security controls:
These must be implemented by all users to protect their Swift-related infrastructure. They are prioritised to deliver tangible security gains and reduce risk across the community.
- Advisory security controls:
These are recommended best practices that may become mandatory over time. They reflect evolving threats, new technologies, regulatory developments, and user feedback.
The framework is structured around three core objectives:
- Secure your environment
  - Restrict Internet access and segregate critical systems from general IT environment
  - Reduce attack surface and vulnerabilities
  - Physically secure the environment
- Know and limit access
  - Prevent compromise of credentials
  - Manage identities and segregate privileges
- Detect and respond
  - Detect anomalous activity to system or transaction records
  - Plan for incident response and information sharing
Each control is defined in line with recognised information security standards such as ISO 27002, PCI DSS, SOC2, and NIST CSF. This ensures consistency with broader industry practices and helps institutions align their internal security programmes with global benchmarks.
*Controls in scope depend on the user connectivity to Swift.
What do you need to do?
This step is about building a clear understanding of the controls and preparing your organisation for controls design and implementation, independent assessment and attestation publication. Here’s what it involves:
- Review the CSCF documentation
Start by reading the latest CSCF document carefully. It outlines all mandatory and advisory controls, their objectives, and applicability. This is your foundation for compliance.
The CSCF defines general, product-agnostic security controls that apply across all Swift users. These must be understood in full before any implementation begins.
- Identify your Swift architecture
Your applicable controls depend on your Swift setup. Determine which of the five architecture types applies to your organisation with the architecture decision tree. This will define which controls you need to implement.
- Map applicable controls
Use the CSCF and product-specific Security Guidance (SG) documents to identify which controls apply to your Swift components. SG documents provide minimum security recommendations and detailed configuration guidance for Swift’s messaging interfaces.
- Perform a gap analysis
Compare your current security posture against the applicable controls. Identify gaps, risks, and areas for improvement. This is not yet the implementation phase, but a strategic internal review to prepare for it.
- Perform an independent assessment
Implement the controls and perform an independent assessment to validate that the implemented controls meet Swift expectations as explained in the CSCF.
- Understand the attestation process
Familiarise yourself with the attestation process outlined in the Swift Customer Security Controls Framework.
This includes:
- The annual requirement to attest against mandatory controls.
- Timelines for submitting your attestation via the KYC-Security Attestation application.
- Follow-up actions in case of non-compliance.
Change Management: Planning for updates
The CSP is a yearly process.
Swift publishes an updated version of the CSCF annually in July, a year before it comes into effect, to allow you to prepare for controls implementation. The following year, you have from 01 July until 31 December to submit your attestation reflecting your level of compliance against at least the latest mandatory controls.
The change management process ensures users have up to 18 months to prepare for new or updated controls. Also, new controls or components are introduced as advisory first, giving users time to plan, budget, and implement.
Emergency releases are rare but may occur in response to urgent threats.
Community feedback is gathered throughout the year to inform updates.
To stay informed, users are encouraged to subscribe to Swift’s CSP Newsletter.
Need help implementing controls?
If you need support navigating the CSCF or preparing for implementation, you can refer to a Directory of Cyber Security Service Providers (CSSP). These providers offer tailored guidance and strategic planning to ensure your organisation is aligned with the latest controls requirements. Whether you're implementing controls, conducting a gap analysis or preparing for attestation, working with a CSSP provider can support your progress and strengthen your security posture.