Inspection or regular audit of the SWIFT Customer Security Programme (CSP).
Our staff includes Swift Certified Assessors in the subject area: CSP Assessments. SWIFT Customer Security Programme (CSP) provides a verified set of security controls designed to help users establish a secure infrastructure and internal environment. Feel free to contact us for cyber advisory options and a guide to implementing CSP compliance, which we will tailor to your needs.
Since the establishment of the SWIFT Customer Security Programme (SWIFT CSP), we have been providing independent assessment, audit, and advisory services to meet compliance needs. Our auditors possess over 10 years of relevant experience in IT auditing and IT security within banks, payment institutions, and central banks in Croatia, Bosnia and Herzegovina, Serbia, Slovenia, Albania, North Macedonia and other countries.
We typically provide comprehensive assessment or audit services, without limitations regarding the scope of the assessment (such as delta assessments based on previous data and other relevant and available audit reports).
Our assessments include both mandatory and optional controls as part of the standard assessment practice.
A complete assessment (described in more detail in the Independent Assessment Process Guidelines) includes:
- preparation for the preliminary assessment and consultations (initial preparatory meeting),
- preparation of testing for all controls (gathering information, defining and sending details of the plan and the list of required data/planned tests), defining specific evidence retention requirements, expected SWIFT architecture diagram,
- on-site assessment – testing and review of compliance data (two auditors), using the latest SWIFT Excel templates, limited use of the Nessus scanner (locally or through our license),
- technical discussion on the draft report,
- post-assessment activities – final reporting, follow-up activities, support in the remediation process, and additional KYC updates – no later than December 31 of the current year,
- project completion and documentation, deletion of evidence from our systems within 30 days (our standard practice).
During the project, we offer a reassessment to update the status of non-compliant controls and report on all changes within the regulatorily defined timeframe.
For most clients, we typically conduct on-site assessments, especially for our initial evaluations, and recommend early planning for on-site assessments.
The framework has continued to expand, with the existing mandatory and advisory controls clarified through more detailed explanations.
SWIFT has announced changes to the existing CSCF controls for 2025 and previews for 2026.
Compliance can be reported starting from early July of the current year.
About SWIFT CSP
The reality is that increasingly powerful and sophisticated cyber threats underscore the importance of a proactive, long-term, and agile response. SWIFT customers are responsible for securing their own environment and network access. SWIFT’s Customer Security Programme (CSP) was introduced to support users in controlling and protecting against information fraud.
The CSP provides a proven set of security controls carefully designed to help users secure their local environment and infrastructure and establish a more reliable and secure financial ecosystem.
The SWIFT Customer Security Control Framework (CSCF) describes a set of mandatory and advisory security controls for SWIFT users. Mandatory security controls establish a security baseline for the entire community and must be implemented by all users on their local SWIFT infrastructure. SWIFT has prioritized these mandatory controls to set a realistic goal for short-term, achievable security and risk reduction. Advisory controls are based on good practice that SWIFT recommends users implement.
All controls are grouped around three main objectives:
- "Secure your environment",
- "Know and limit access", and
- "Detect and respond"
Controls are proactively refined through ongoing user feedback, cyber threat research, expert analysis, and adherence to industry security standards.
CSCF-based Cyber Security Advisory and Audit
We offer the implementation or verification of CSP controls based on the updated list of mandatory controls for the current year. More details about the certification of the latest version and the attestation process (between July and December) using the KYC Registry Security Attestation application are available on the SWIFT website and in the Customer Security Controls Framework document.
Additional details about our advisory services and independent control assessment are available upon request.
Contact persons: Nebojsa Bulatović, Ljiljana V. Radovanović
Phone: +38765666468