The "Independent Assessment Process for Assessors Guidelines" and "Independent Assessment Framework" provide guidance on using external audit reports (e.g., ISAE 3000) to support CSP assessments. ISAE 3000 is an international standard for assurance engagements. Let’s evaluate each option:
• Option A: No, that is too old, the maximum is 18 months
This is correct. The CSP specifies that external reports like ISAE 3000 must be no older than 18 months to ensure relevance, as security environments can change. The "Independent Assessment Framework" and "CSP_controls_matrix_and_high_test_plan_2025" set this time limit to validate current compliance status.
• Option B: Yes, there is no time limit for an ISAE 3000 report
This is incorrect. A time limit is enforced to ensure the report reflects the current security posture, as per CSP guidelines.
• Option C: No, an ISAE 3000 report is no valid substitute as a rule
This is incorrect. An ISAE 3000 report can be used as supporting evidence if relevant and recent, but it is not a full substitute for the independent assessment, per the "Independent Assessment Process for Assessors Guidelines."
• Option D: Yes, provided there is no change to the SWIFT user’s infrastructure
This is incorrect. Even with no changes, the 18-month limit applies to ensure the report’s currency, not just infrastructure stability.
Summary of Correct Answer:
An assessor cannot rely on an ISAE 3000 report dating back 2 years; the maximum is 18 months (A).
References to SWIFT Customer Security Programme Documents:
• Independent Assessment Process for Assessors Guidelines: Limits ISAE 3000 reports to 18 months.
• Independent Assessment Framework: Specifies timeframe for external evidence.
• CSP_controls_matrix_and_high_test_plan_2025: Enforces currency of supporting reports.