The "Swift Customer Security Controls Framework v2025" and "Independent Assessment Framework" define the scope of controls to be assessed based on the user’s architecture type (A1-A4). Let’s evaluate each option:
• Option A: Yes
This is incorrect. Not all controls (mandatory and advisory) must be assessed; only those applicable to the user’s architecture type and attested to are required, per the "CSP Architecture Type - Decision tree."
• Option B: No, only the mandatory controls
This is incorrect. While mandatory controls must be assessed, users may also attest to advisory controls voluntarily, and these must be included in the assessment if attested, as per the "Assessment template for Mandatory controls" and "Assessment template for Advisory controls."
• Option C: No, only the attested controls (with as a minimum the mandatory ones according to the architecture type)
This is correct. The CSP requires assessment of all mandatory controls applicable to the user’s architecture type, plus any advisory controls the user chooses to attest to. The "Independent Assessment Process for Assessors Guidelines" and "Swift_CSP_Assessment_Report_Template" confirm that the assessment focuses on attested controls, ensuring minimum mandatory coverage.
• Option D: No, the controls selection is agreed upfront between the SWIFT User and the assessor
This is incorrect. Control selection is not negotiable; it is determined by the architecture type and the user’s attestation, not by an ad-hoc agreement, as per the "CSP Architecture Type - Decision tree."
Summary of Correct Answer:
Only the attested controls, with a minimum of mandatory ones per architecture type, must be assessed (C).
References to SWIFT Customer Security Programme Documents:
• Swift Customer Security Controls Framework v2025: Defines mandatory and advisory controls.
• Independent Assessment Framework: Focuses on attested controls.
• CSP Architecture Type - Decision tree: Guides control applicability.