What is SWIFT CSP?

The SWIFT CSP requires each organisation to define, document, implement and attest that their SWIFT environment is compliant with SWIFT’s CSCF objectives, principles and controls as listed in the table below.

The SWIFT CSCF includes mandatory and optional security controls for SWIFT users. In response to a constantly changing cyber threat landscape, the SWIFT security controls are regularly reviewed and updated. It is recommended that controls which are currently optional be made mandatory, and that new security controls be introduced as optional at first. The number of controls a SWIFT member organisation must follow depends on the design of that organisation’s SWIFT environment.

SWIFT compliance requirements

Since 2021, SWIFT has required its members to attest their compliance with the CSCF through an independent assessment, performed either by internal resources or by an external independent auditor. What matters is that sufficient evidence is collected and reviewed by an independent party. An internal assessment can be carried out by the organisation’s risk management or internal audit units. An external assessment, however, provides clear independence in the SWIFT compliance assessment and gives assurance to internal and external stakeholders.

All SWIFT members must attest their compliance with at least the mandatory CSCF controls annually, by 31 December.

What we offer and our tools

KPMG can help clients assess the design and implementation of the SWIFT CSCF controls the organisation has applied in their local SWIFT environment. We can help organisations pinpoint possible areas needing improvement and suggest actions to improve the security of the organisation’s local SWIFT environment to achieve compliance with the SWIFT controls requirements.

KPMG assessment of compliance with SWIFT CSCF

The KPMG SWIFT CSCF engagement starts with a client meeting to understand the client’s business and gather necessary information so that we can develop a detailed plan for the assessment. During the planning phase, the scope and limitations of the engagement are defined, points of contact identified and key deadlines agreed on. The planning phase lasts around two weeks.

After the completion of the planning activities, the assessment fieldwork begins. The fieldwork includes interviews with key contacts and representatives of the organisation, review of documentation, as well as onsite physical security and configuration reviews. The fieldwork takes about 3-5 days depending on the design of the organisation’s SWIFT environment.

Success of the fieldwork phase depends on the availability and co-operation of the client’s employees. Most of the fieldwork activities can be carried out via remote interviews but some activities, such as physical security reviews, are performed on-site. After fieldwork, a SWIFT CSCF assessment report with assessment results is written. The reporting phase takes two weeks: KPMG performs required quality assurance activities and provides progress updates to the client.

Deliverables

The key deliverables of the SWIFT CSCF assessment are the assessment report, provided in accordance with the SWIFT CSCF reporting template, and an independent assessment completion letter. The CSCF report describes the design and implementation of the controls applied within the local SWIFT environment as well as the level of compliance with the CSCF requirements. Where appropriate, areas needing improvement are included, with suggestions to increase the level of security of the local SWIFT environment.

To ensure that the required assessment is carried out before the year end, we recommend that the independent SWIFT CSCF assessment be performed in Q3 or Q4. This leaves sufficient time to remediate any identified nonconformities and perform the required follow-up activities before the end of the current year’s attestation period.

Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.


Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.


Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.
