SWIFT Customer Security Controls Framework

The SWIFT (Society for Worldwide Interbank Financial Telecommunication) Customer Security Controls Framework describes a set of mandatory and advisory security controls for SWIFT users. Mandatory security controls establish a security baseline for the entire SWIFT user community, and must be implemented by all users on their local SWIFT infrastructure. The 2020 version of the framework consists of 7 security control categories with 21 mandatory and 10 advisory controls. To comply with a SWIFT CSP security control, a user must implement a solution that:

  • Meets the stated control objective

  • Addresses the risk driver, and

  • Covers the documented in-scope components relevant for the user’s architecture (there are four architecture types – A1, A2, A3, and B)

SWIFT CSP controls apply to the local SWIFT infrastructure, operators, operator PCs, the data exchange layer, and the middleware server. With effect from 2021, users are required to have a third-party attestation of compliance. The table below shows the 7 security control categories of the framework.

Our Related Services

Our team of experienced consultants can help financial institutions in the following areas:

  • Establishing a compliance management solution for ongoing monitoring, maintenance, and maturation of your compliance efforts for SWIFT CSP and other relevant frameworks, standards and regulations

  • Performing gap analysis between current security controls and requirements of the standard

  • Developing or enhancing requisite security policies and procedures

  • Performing a third-party attestation of compliance assessment

Give us a call at 954-362-7113 or schedule an appointment for a free consultation to get started.
