Financial Services Security
SWIFT CSP Assessment Services
Independent community-standard assessments powered by a purpose-built assessment platform. Perseus covers all 5 architecture types and the 32 controls of the CSCF v2026 with a rigorous 6-stage quality-gate process.
What is SWIFT CSP?
The SWIFT CSP defines mandatory security controls for every institution connected to the SWIFT network.
The SWIFT Customer Security Programme (CSP) is SWIFT's mandatory initiative requiring all network participants to attest their compliance with the Customer Security Controls Framework (CSCF). Introduced after high-profile cyber attacks targeting SWIFT infrastructure at financial institutions worldwide, the programme establishes a security baseline that every SWIFT user must meet and independently verify each year.
The CSCF defines 32 security controls organised into three objectives: Secure Your Environment, Know and Limit Access, and Detect and Respond. Controls are classified as either mandatory (required for attestation) or advisory (strongly recommended). The number of applicable controls depends on your architecture type, which is determined by which SWIFT components you deploy locally versus outsource to a service bureau.
Since 2021, all SWIFT users must submit an independent assessment conducted by an authorised external assessor through the KYC Security Attestation (KYC-SA) application. Your compliance status is visible to counterparties, making non-compliance a direct business risk. Perseus is an authorised SWIFT CSP assessor with a purpose-built assessment platform that brings rigour, consistency, and efficiency to every engagement.
Authorised Assessor
Authorised to conduct independent community-standard SWIFT CSP assessments
All 5 Architectures
Assessment coverage for A1, A2, A3, A4 (both subtypes), and B architecture types
Purpose-Built Platform
Custom assessment platform automating the full QG1-QG6 lifecycle
Swift Certified Assessors
Our staff includes Swift Certified Assessors for Customer Security Programme Assessment, holding CISA, CISM, CISSP, or ISO 27001 LA.
SWIFT Architecture Types
Your architecture type determines which controls apply and the assessment effort required.
A1 — Full Local Stack
User owns both the messaging interface and the communication interface, operated locally. The most comprehensive architecture with the largest assessment footprint.
Component Scope: Full local SWIFT infrastructure in scope. The A1 reference set-up shown here is illustrative; your exact scope is confirmed during assessment scoping.
| Architecture | Mandatory | Advisory | Total |
|---|---|---|---|
| A1 — Full Local Stack | 25 | 6 | 31 |
| A2 — Messaging Interface Only | 25 | 6 | 31 |
| A3 — SWIFT Connector | 24 | 6 | 30 |
| A4 — Customer Connector | 21 | 8 | 29 |
| B — No Local Footprint | 17 | 7 | 24 |
Connecting via a connectivity provider
If you reach Swift through a connectivity provider — a service bureau, Lite2 Business Application (L2BA), or Enabler — their shared infrastructure is covered under Swift's dedicated Shared Infrastructure Programme and sits outside your CSP scope. Your own components and operator access still need to be assessed.
Connecting via a group hub
Where you connect through a group hub, the compliance conclusion for shared controls can be supported by the hub's own assessment — avoiding duplicate testing while each entity still reaches its own attestation.
Framework Objectives & Principles
Objectives and Principles
The CSCF is built on three overarching objectives, supported by seven security principles that group the 32 controls. The set that applies — and whether each is mandatory or advisory — depends on your architecture type.
Objective 1: Secure Your Environment
- 1. Restrict Internet Access & Protect Critical Systems
- 2. Reduce Attack Surface and Vulnerabilities
- 3. Physically Secure the Environment
Objective 2: Know and Limit Access
- 4. Prevent Compromise of Credentials
- 5. Manage Identities and Segregate Privileges
Objective 3: Detect and Respond
- 6. Detect Anomalous Activity
- 7. Plan for Incident Response and Information Sharing
Controls by Architecture Type
32 controls — applicability varies by architecture type
Mandatory Controls
Required for attestation. Compliance is verified through independent assessment and reported in KYC-SA. Non-compliance is visible to counterparties and may trigger regulatory escalation.
Advisory Controls
Strongly recommended best practices. A control can be mandatory for one architecture and advisory for another. They may become mandatory in future CSCF versions and are viewed positively by counterparties.
Source: SWIFT Customer Security Controls Framework (CSCF) v2026. A control can be mandatory for one architecture and advisory for another; the counts per architecture are given in the table above.
SWIFT Components in Scope
Which components are in scope depends on your architecture type
Every Swift-related component in your environment is identified, inventoried, and assessed. The precise set in scope follows your architecture type — anything co-hosted with an in-scope component, or sharing its secure zone, is treated as in scope too.
Interfaces & Messaging
- Messaging Interface
- Communication Interface
- GUI
- SWIFTNet Link
Connectors & Data Exchange
- SWIFT Connector
- Customer Connector
- Data Exchange Layer
- Bridging Server
Cryptographic Hardware
- HSM
- New-generation HSM
- Authentication Tokens
Supporting Infrastructure
- Virtualisation / Cloud Platform
- Jump Server
- VPN Box
- Network Devices
- Peripherals
Operator Endpoints
- Dedicated Operator PC
- General-purpose Operator PC
Shared Responsibility in the Cloud
Who secures what when your SWIFT environment runs in the cloud
When you host SWIFT infrastructure with an IaaS, PaaS, or SaaS provider, responsibility for the underlying stack is shared. Where the line falls depends on the service model, but accountability for your attestation always stays with you.
As you move from on-premises to SaaS, more of the stack shifts to the cloud provider — but you remain accountable for your CSP attestation. Where a provider operates controls on your behalf, that assurance is typically evidenced through their SOC 2, ISO 27001, or PCI-DSS reporting and mapped back to the relevant CSCF controls during the assessment.
6-Stage Quality Gate Process
A structured, repeatable methodology with built-in quality controls at every stage.
QG1 — Engagement Acceptance & Scoping
Architecture-type determination through a detailed infrastructure questionnaire, component inventory mapping, and assessment-team assignment with independence and conflict-of-interest checks. Formal engagement acceptance with defined scope boundaries.
Sampling Methodology
Four sampling methods ensure statistically sound and defensible assessments.
Complete coverage
Full-Population Review
Applied when the population is small (typically ten items or fewer). Every item is examined, providing complete coverage with no sampling risk — used for critical controls with an inherently small population, such as administrator accounts or HSM devices.
Large populations
Systematic Random Sampling
Applied to large, homogeneous populations. A statistically representative sample is selected at fixed intervals from a randomly ordered population, with sample size driven by population size and the desired confidence level.
Risk-based
Judgmental Sampling
Risk-based selection where certain items are believed to carry higher risk. The assessor uses professional judgment to select items most likely to reveal non-compliance — based on recent changes, known incidents, or complexity.
Mixed populations
Stratified Sampling
Applied when a population contains distinct subgroups. The population is divided into strata and samples are drawn from each proportionally, ensuring representation across operating systems, locations, device types, or administrative domains.
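The four sampling rules above, carried through as working code. This is an added illustration, not Swift or Perseus tooling; the required sample size is an input the assessor supplies from their own confidence-level table, and the host inventory in the test is constructed.

```python
# Added illustration of the sampling rules above; not Swift or Perseus tooling.
# Sample sizes are supplied by the caller from their confidence-level table.
import random
from collections import defaultdict

FULL_POPULATION_MAX = 10  # ten items or fewer: every item is examined

def full_population(items):
    """Full-population review: complete coverage, no sampling risk."""
    return list(items)

def systematic_random(items, sample_size, seed):
    """Shuffle with a recorded seed (reproducible), then pick at a fixed interval."""
    items = list(items)
    if sample_size <= 0:
        return []
    if sample_size >= len(items):
        return full_population(items)
    rng = random.Random(seed)
    rng.shuffle(items)
    interval = len(items) // sample_size
    start = rng.randrange(interval)
    return [items[start + i * interval] for i in range(sample_size)]

def stratified(items, stratum_of, sample_size, seed):
    """Allocate the sample to each stratum in proportion to its size (at least
    one per stratum), then sample each stratum systematically."""
    items = list(items)
    strata = defaultdict(list)
    for item in items:
        strata[stratum_of(item)].append(item)
    picked = []
    for name, members in sorted(strata.items()):
        share = max(1, round(sample_size * len(members) / len(items)))
        picked.extend(systematic_random(members, share, f"{seed}:{name}"))
    return picked

def select_sample(items, sample_size, seed="engagement-seed",
                  stratum_of=None, high_risk=None):
    """Decision rule from the page: full review for small populations; judgmental
    (high-risk) items always included; stratified when subgroups exist, else
    systematic random for the remainder."""
    items = list(items)
    if len(items) <= FULL_POPULATION_MAX:
        return full_population(items)
    must = [i for i in items if high_risk and high_risk(i)]
    rest = [i for i in items if i not in must]
    remaining = max(0, sample_size - len(must))
    if stratum_of:
        return must + stratified(rest, stratum_of, remaining, seed)
    return must + systematic_random(rest, remaining, seed)
```

Recording the seed alongside the selected items gives the engagement record a reproducible sample that a quality reviewer can regenerate.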
Team & Qualifications
Certified, independent, and continuously trained assessment professionals.
As a Swift CSP Assessment Provider, our staff includes Swift Certified Assessors in the subject area Customer Security Programme Assessment. Verify us in the Swift CSP Certified Assessor Directory.
Lead Assessor
- Swift Certified Assessor — Customer Security Programme
- CISA, CISM, CISSP, or ISO 27001 Lead Auditor
- SWIFT CSP-specific training completed
- Ongoing professional education maintained
- Independent from any advisory work for the client
Quality Reviewer
- Independent from the assessment team
- Certified with SWIFT CSP experience
- Executes a structured quality-review checklist
- Reviews scope, sampling, and findings
- Final sign-off authority on reports
Engagement Manager
- Client relationship management
- Schedule and resource coordination
- Conflict-of-interest oversight
- Engagement acceptance decisions
- Archival and compliance tracking
Assessment Deliverables
A comprehensive deliverable set generated from a single assessment engagement.
Assessment Templates
- Mandatory Assessment Template — per-control compliance determination for all applicable mandatory controls
- Advisory Assessment Template — per-control compliance determination for all applicable advisory controls
Reports & Letters
- Assessment Report — executive summary, scope, methodology, and per-control findings
- Detailed Findings Report — technical findings with evidence references and remediation guidance
- Completion Letter — formal confirmation of assessment scope, outcome, and validity
Quality Assurance
- Independent quality-review sign-off confirming scope, sampling, evidence sufficiency, and reporting consistency
Engagement Record
- Complete engagement documentation package, securely archived with a full audit trail
Multi-BIC Group Assessments
Efficient group assessments for organisations operating multiple BICs.
Shared Control Assessment
Where multiple BICs share the same SWIFT infrastructure and security controls, our platform supports shared control assessments that eliminate redundant testing while maintaining per-BIC compliance determination.
- Full sharing — all controls assessed once for the group
- Policy-only sharing — governance at group level, technical per-BIC
- Per-BIC individual assessments where infrastructure diverges
Group-Level Quality
Each BIC receives its own compliance determination while benefiting from assessment efficiency. Our quality review process covers both group-level and per-BIC assessment completeness.
- Group-level quality review covering shared assessments
- Per-BIC compliance determination and reporting
- Unified evidence management across all BICs
The Perseus Platform Advantage
Most assessors use spreadsheets. We built a platform.
Full Lifecycle Automation
Custom-built platform automates the entire QG1 through QG6 lifecycle. Every stage is tracked, every deliverable is generated, every deadline is monitored.
Automated Deliverable Generation
The full deliverable set — assessment report, mandatory and advisory templates, completion letter, detailed findings report, and engagement record — generated from a single data entry point.
Per-Control Sampling Guidance
Structured sampling methodology with automated guidance for each control. Documents rationale, sample selection, and results systematically.
Client Self-Service Portal
Secure evidence submission portal where clients upload, categorise, and track evidence completeness against each applicable control in real time.
Automated Gap Analysis
Built-in evidence checks flag completeness gaps and inconsistencies and prompt for the additional evidence each control needs — before formal assessment begins.
Complete Audit Trail
Every action, decision, evidence item, and quality-review point is logged with timestamps, and securely archived with instant retrieval for regulatory inquiries.
Frequently Asked Questions
Expert answers to common SWIFT CSP assessment questions.
The SWIFT CSP is a mandatory programme requiring all SWIFT users to attest their compliance with the Customer Security Controls Framework (CSCF). Established after high-profile attacks targeting SWIFT infrastructure at financial institutions, the CSCF v2026 defines 32 security controls across three objectives. All SWIFT users must submit an annual independent assessment verifying compliance with mandatory controls through the KYC Security Attestation (KYC-SA) application. Non-compliance is visible to counterparties and may be reported to regulators.
Ready for Your SWIFT CSP Assessment?
As an authorised SWIFT CSP assessor with a purpose-built assessment platform, Perseus delivers thorough, efficient assessments across all 5 architecture types. Contact us to scope your assessment and receive a detailed effort estimate.