Perform an Independent Assessment

Independent assessment is a key step in validating your level of compliance with the applicable CSCF controls. It ensures that your yearly declared level of compliance in the KYC-SA application accurately reflects your actual design and implementation of, at minimum, the mandatory controls defined in the Customer Security Controls Framework (CSCF).

As outlined in the Independent Assessment Framework (IAF), all Swift users must undergo a Community Standard Assessment to meet compliance requirements, performed either internally by an independent internal department such as internal audit, or externally by an assessment provider. An independent assessment is also required on a yearly basis to support the Security Attestation submitted in KYC-SA.

External assessment

Why choose a Swift CSP Certified Assessor?
  • Higher Confidence
    Swift users can rely on assessment providers who meet strict certification standards. Using a Certified Assessor is reflected in the user’s attestation and ensures the provider has the expertise to perform thorough, accurate evaluations.
     
  • Consistent, Standardised Assessments
    The certification programme ensures all providers follow the same approach when assessing CSP controls. This supports a clear assessment scope, fair pricing, and alignment with Swift’s expectations—no matter which provider is chosen.
     
  • Easy Access to Certified Providers
    Swift publishes a directory of CSP assessment providers and their Certified Assessors on swift.com, making it easier for users to compare options and select a trusted provider.
     
Users opting for an external assessor have the following options:
  1. Select a Swift CSP Certified External Assessor from the directory of Swift CSP Certified Assessors, which lists assessment providers in your region. These companies have met specific eligibility criteria and employ assessors who have successfully completed the Swift CSP Assessor certification by passing an exam.
     
  2. Select an assessor not certified by Swift and ensure that they have existing cybersecurity assessment experience against an industry standard, for example PCI DSS, ISO 27002, or NIST CSF.
    The lead assessor holds at least one industry-relevant professional certification, e.g. CISA; other individual assessors should also have relevant security industry certification(s).

These assessors can perform your independent external assessment (community or mandated) as described in the Independent Assessment Framework. They will help you assess your level of compliance in implementing the CSP mandatory and advisory controls that apply to your connectivity configuration with Swift.

CSP Certified Assessors Directory

Internal assessment

Users opting for an internal assessor have the following options:

  1. Select a Swift CSP Certified Internal Assessor, ensuring that your internal independent CSP assessments are performed with a high level of expertise and strict adherence to the required methodology. While participation is optional, this certification guarantees that internal assessors adhere to the same high standards as external assessors.
     
  2. Select an internal assessor who is not Swift CSP certified, from an assessment team that is independent from the 1st line of defence (CISO): eligible teams are typically Internal Audit (3rd line of defence), Risk Office (2nd line of defence) or a tailored independent team established for the assessment.

    The selected assessor has existing cybersecurity assessment experience against an industry standard, for example PCI DSS, ISO 27002, or NIST CSF.

    The lead assessor holds at least one industry-relevant professional certification, e.g. CISA; other individual assessors should also have relevant security industry certification(s).


An alternative approach is to appoint as assessor a mixed team composed of internal and external professionals and led by an internal or external staff member. Such a set-up can enable cross-fertilisation of expertise and cost containment for subsequent assessments.

All options (internal assessor, external assessor or a mixed team) are equally valid for Swift as long as the assessment is done in an independent way.

For detailed requirements, see the Independent Assessment Framework (IAF).

Become an assessor

We understand the critical role played by the independent assessor in supporting and maintaining the security and integrity of Swift users. To enhance the effectiveness and reliability of independent assessors, Swift launched the Customer Security Programme Assessor Certification.

We aim to raise the expertise of independent Assessors and to standardise the CSP assessment methodology for a better alignment of the assessment scope and costs. This certification programme is available to:

  1. external assessors (working for assessment companies) who provide assessments to Swift users
  2. internal assessors (working at Swift customers) who provide assessments for the BICs in their traffic hierarchy

Specific report templates and effort estimates are available to support standardisation and cost containment, ensuring the reliability and credibility of assessments. Swift CSP certified assessors will be subject to service monitoring by Swift.

A certification track is offered for both independent external and internal assessments.

Participation in the Assessor Certification programme is optional for assessment companies. Swift users can still opt for non-certified assessors (external or internal) to perform their assessments.

Become a Swift CSP Certified Assessor

FAQs

I already performed an Independent Assessment last year. Can I refer to it in my KYC-SA attestation for this year?

When re-attesting, your independent assessor may rely on a previous assessment. This re-use must meet the following conditions (as outlined in the Independent Assessment Framework):

  1. The assessor agrees to still reference the assessment performed in the previous cycle
  2. The user's in-scope Swift footprint under assessment has not undergone significant changes that invalidate the conclusions of the previous assessment
  3. The new CSCF does not include new mandatory controls or changes to the controls that were not covered in the previous assessment

In any case, it is not possible to rely on the previous assessment more than once (e.g. if the assessment in 2026 relies on the 2025 assessment, a full assessment will be required in 2027).

Should a particular internal department do the internal assessment?

It is up to the user to select an internal department, as long as it is independent from the first line of defence: no one should assess their own work or controls they were involved in designing. At a minimum, the lead assessor must hold a certification (not a Swift certification): at least one industry-relevant professional certification, e.g. CISA; the rest of the team should ideally also have relevant security industry certification(s).

Should we communicate in our KYC-Security Attestation the identity of the individual assessors or the department that performed the assessment?

Providing the name of the internal department or the external company in your attestation is mandatory; however, providing and/or sharing the name and contact details of the lead assessor is advisory.

For further insights, refer to the Independent Assessment Process Guidelines and the FAQs.
