Free Swift CSP-Assessor Practice Exam with Questions & Answers

The "Swift Customer Security Controls Framework v2025" and "Independent Assessment Framework" define the scope of controls to be assessed based on the user’s architecture type (A1-A4). Let’s evaluate each option:

•Option A: Yes

This is incorrect. Not all controls (mandatory and advisory) must be assessed; only those applicable to the user’s architecture and attested to are required, per the "CSP Architecture Type - Decision tree."

•Option B: No, only the mandatory controls

This is incorrect. While mandatory controls must be assessed, users may also attest to advisory controls voluntarily, and these must be included in the assessment if attested, as per the "Assessment template for Mandatory controls" and "Assessment template for Advisory controls."

•Option C: No, only the attested controls (with as a minimum the mandatory ones according to the architecture type)

This is correct. The CSP requires assessment of all mandatory controls applicable to the user’s architecture type, plus any advisory controls the user chooses to attest to. The "Independent Assessment Process for Assessors Guidelines" and "Swift_CSP_Assessment_Report_Template" confirm that the assessment focuses on attested controls, ensuring minimum mandatory coverage.

•Option D: No, the controls selection is agreed upfront between the SWIFT User and the assessor

This is incorrect. Control selection is not negotiable; it is determined by the architecture type and user attestation, not an ad-hoc agreement, as per the "CSP Architecture Type - Decision tree."

Summary of Correct Answer:

Only the attested controls, with a minimum of mandatory ones per architecture type, must be assessed (C).

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Defines mandatory and advisory controls.

•Independent Assessment Framework: Focuses on attested controls.

•CSP Architecture Type - Decision tree: Guides control applicability.

The "Outsourcing Agents - Security Requirements Baseline v2025" and "Independent Assessment Framework" address reliance on outsourcing agents’ assessments. Let’s evaluate each option:

•Option A: Yes, after confirmation and validation of the scope

This is correct. The SWIFT user can rely on the outsourcing agent’s independent assessment report if it covers the relevant CSP components and uses the latest CSCF version. However, the user’s assessor must confirm and validate the scope and findings to ensure alignment with the user’s attestation, as per the "Independent Assessment Process for Assessors Guidelines."

•Option B: Yes, only if the outsourcing agent is a global trusted provider and published the report on their compliance portal

This is incorrect. The CSP does not require the outsourcing agent to be a "global trusted provider" or publish the report publicly; validation by the user’s assessor is sufficient.

•Option C: No, an audit report (and not an assessment) is required from the outsourcing agent as an external provider

This is incorrect. An independent assessment report is acceptable, not necessarily an audit report, as long as it meets CSCF standards, per the "Outsourcing Agents - Security Requirements Baseline v2025."

•Option D: No, except if the cloud provider components are partially covered by the SWIFT Alliance Connect Virtual programme

This is incorrect. The Alliance Connect Virtual programme’s coverage is irrelevant; the key is the report’s validity and scope validation.

Summary of Correct Answer:

The report is sufficient after confirmation and validation of the scope (A).

References to SWIFT Customer Security Programme Documents:

•Outsourcing Agents - Security Requirements Baseline v2025: Allows reliance on agent assessments.

•Independent Assessment Process for Assessors Guidelines: Requires scope validation.

•Swift_CSP_Assessment_Report_Template: Supports integrated reporting.

========

This question assesses whether a short interview with the HR manager providing one example of security training implementation is acceptable for a small infrastructure with only two operators, under the Swift Customer Security Programme (CSP).

Step 1: Understand Security Training Requirements

TheSwift Customer Security Controls Framework (CSCF) v2024, underControl 5.1: Security Training and Awareness, mandates that all personnel with access to Swift-related systems (including operators) receive regular, documented security training. This includes awareness of security policies, procedures, and incident response. The control applies regardless of the size of the infrastructure.

Step 2: Analyze the Scenario

The entity has a small infrastructure with two operators, and the HR manager provides a short interview with one example of security training implementation.

TheIndependent Assessment Frameworkrequires assessors to validate the effectiveness of controls, including evidence of training completion, content, frequency, and attendance records. A risk-based approach allows flexibility, but minimum evidence standards must still be met.

Step 3: Evaluate Against CSCF Guidelines

Control 5.1specifies that training must be documented, with evidence such as training logs, attendance records, or certification. A single interview with one example does not provide sufficient evidence to demonstrate:

That all operators (both in this case) have been trained.

The frequency and comprehensiveness of the training program.

The effectiveness of the training (e.g., understanding and application).

TheSwift CSP FAQandSecurity Best Practicesnote that even for small entities, assessors must see multiple pieces of evidence (e.g., training schedules, materials, test results) to confirm compliance, especially during an independent assessment.

A risk-based testing approach (mentioned in option A) allows tailoring the depth of evidence based on risk, but it does not exempt small entities from providing more than a single anecdotal example. TheIndependent Assessment Frameworkrequires objective evidence, not just verbal assurances.

Step 4: Conclusion and Verification

The answer isB, as a short interview with one example is insufficient to meet the evidence requirements ofControl 5.1in theCSCF v2024. More evidence (e.g., training records, attendance logs, or test results) is required to validate compliance, even for a small infrastructure.

References

Swift Customer Security Controls Framework (CSCF) v2024, Control 5.1: Security Training and Awareness.

Swift Independent Assessment Framework, Section: Evidence Requirements.

Swift Security Best Practices, Section: Training Documentation.

Swift CSP FAQ, Section: Small Entity Compliance.

The Swift Alliance Gateway is a critical component in the Swift ecosystem, designed to facilitate secure messaging and connectivity. Let’s evaluate each option based on theSwift Customer Security Controls Framework (CSCF) v2024and related documentation.

Step 1: Understand the Role of Swift Alliance Gateway

The Swift Alliance Gateway (SAG) is a software component that serves as a centralized entry point for SwiftNet messaging services. It handles traffic concentration, security, and connectivity management. This is detailed in theSwift Alliance Gateway User Guideand referenced in theCSCF v2024underControl 1.1: Swift Environment Protection.

Step 2: Evaluate Each Option

A. It acts as the single window to SwiftNet messaging services by concentrating your traffic flowsThe SAG is designed to consolidate and manage all SwiftNet traffic from a user’s environment,acting as a single point of access to SwiftNet services. This is a primary function, as confirmed in theSwift Alliance Gateway Technical Documentationand aligns withControl 1.1, which emphasizes secure traffic management.Conclusion: This statement is correct.

B. It allows sharing of PKI profiles between application or individuals, through the use of virtual profilesThe SAG supports the use of virtual PKI profiles to enable secure sharing of cryptographic identities across applications or users within the Swift environment. This feature enhances flexibility while maintaining security, as noted in theSwift Security Best PracticesandControl 2.5B: Cryptographic Key Management.Conclusion: This statement is correct.

C. It allows the creation and/or modification of some Swift messages (depending on the types &/or formats)The SAG is a gateway for message routing and security, not a tool for creating or modifying Swift messages. Message creation and modification are handled by applications like Alliance Access or Entry, not the Gateway. This is clarified in theSwift Alliance Gateway User Guide, which specifies its role as a connectivity and security layer.Conclusion: This statement is incorrect.

D. The Alliance Gateway can only be accessed by a SWIFTNet userThe SAG is accessed by authorized systems and users within the Swift user’s environment, not exclusively by SwiftNet users. It interfaces with operator systems, middleware, and other components, as perControl 1.2: Logical Access Control, which allows controlled access by authorized entities, not just SwiftNet users.Conclusion: This statement is incorrect.

Step 3: Conclusion and Verification

The verified statements areAandB, as they accurately reflect the SAG’s role in traffic concentration and PKI profile management, consistent with Swift CSP documentation.

References

Swift Alliance Gateway User Guide, Section: Functionality Overview.

Swift Customer Security Controls Framework (CSCF) v2024, Control 1.1: Swift Environment Protection, Control 2.5B: Cryptographic Key Management.

Swift Security Best Practices, Section: Alliance Gateway Configuration.

The "Independent Assessment Process for Assessors Guidelines" governs the conduct of CSP assessments, including location and method. Let’s evaluate each option:

•Option A: Remote assessments are not permitted under any circumstances

This is incorrect. The CSP allows remote assessments under specific conditions, as clarified in the guidelines, not an absolute prohibition.

•Option B: This is permitted provided the same level of comfort can be guaranteed

This is incorrect. While ensuring equivalent assurance is important, the CSP requires formal validation for remote assessments, not just assessor discretion.

•Option C: It is possible to perform an assessment remotely only with valid reasons. These reasons must be formally validated by SWIFT CSP office

This is correct. The "Independent Assessment Process for Assessors Guidelines" permits remote assessments when justified (e.g., geographical distance, logistical challenges), but such arrangements must be approved by the SWIFT CSP office to ensure compliance and security. This aligns with the "Independent Assessment Framework" emphasis on maintaining assessment integrity.

•Option D: It is not allowed to conduct an assessment remotely under any circumstances. However, force majeure circumstances like the global pandemic are an exception to this

This is incorrect. The CSP does not categorically ban remote assessments; it allows them with prior validation, not just as exceptions for force majeure.

Summary of Correct Answer:

Remote assessments are permitted with valid reasons and formal validation by the SWIFT CSP office (C).

References to SWIFT Customer Security Programme Documents:

•Independent Assessment Process for Assessors Guidelines: Allows remote assessments with approval.

•Independent Assessment Framework: Ensures assessment integrity.

•CSP_controls_matrix_and_high_test_plan_2025: Supports validated remote methods.

========

SWIFT Public Key Infrastructure (PKI) certificates are cryptographic credentials used to secure communications over the SWIFT network. Let’s evaluate each option:

•Option A: Asymmetric signing and encryption end to end

This is correct. SWIFT PKI certificates utilize asymmetric cryptography (public and private key pairs) for both signing and encryption. Signing ensures the authenticity and integrity of messages (e.g., verifying the sender), while encryption provides confidentiality end to end—from the sender’s environment to the receiver’s environment across the SWIFT network. This end-to-end security is achieved using PKI certificates managed by Hardware Security Modules (HSMs), as mandated by CSCF Control "1.3 Cryptographic Failover." SWIFT documentation confirms that PKI supports full message security throughout the transmission process.

•Option B: Asymmetric signing and encryption end to SWIFT only

This is incorrect. The security provided by PKI certificates extends beyond just the connection to SWIFT (e.g., to the SWIFT Secure IP Network). It covers the entire message journey, including the recipient’s environment, ensuring end-to-end protection rather than stopping at SWIFT’s boundary.

•Option C: Symmetric encryption only

This is incorrect. SWIFT PKI relies on asymmetric cryptography for key exchange and signing, not symmetric encryption alone. While symmetric encryption may be used internally (e.g., for session keys derived from asymmetric key exchange), the PKI certificates themselves are based on asymmetric algorithms (e.g., RSA), as outlined in SWIFT’s security guidelines.

•Option D: Asymmetric signing only

This is incorrect. PKI certificates are used for both asymmetric signing (for authenticity and integrity) and encryption (for confidentiality), not just signing. The dual purpose is essential for the secure transmission of SWIFT messages.

Summary of Correct Answer:

SWIFT PKI certificates are used for asymmetric signing and encryption end to end (A), ensuring comprehensive security.

References to SWIFT Customer Security Programme Documents:

•SWIFT Customer Security Controls Framework (CSCF) v2024: Control 1.3 specifies the use of PKI for end-to-end security.

•SWIFT Security Guidelines: Details PKI usage for asymmetric signing and encryption.

•SWIFT PKI Documentation: Confirms end-to-end cryptographic protection using PKI certificates.

========

This question addresses the obligations of a Swift user who has switched from one Service Bureau (SB) to another under the Customer Security Programme (CSP).

Step 1: Understand CSP Obligations for Changes

TheSwift Customer Security Controls Framework (CSCF) v2024andIndependent Assessment Frameworkrequire Swift users to maintain accurate and up-to-date information regarding their infrastructure,including changes in service providers like Service Bureaus. Such changes may impact compliance and architecture types.

Step 2: Evaluate Each Option

A. To inform the SB certification office at Swift WWThere is no specific "SB certification office" mentioned in theCSCF v2024orSwift CSP Guidelines. Notifications are typically handled through attestation updates, not a dedicated office.Conclusion: Incorrect.

B. To reflect that in the next attestation cycleWhile changes must be reflected in attestations, delaying this until the next cycle (e.g., annually) is insufficient if the change affects compliance. TheSwift CSP Compliance Guidelinesrequire timely updates for significant changes.Conclusion: Incorrect.

C. None if there is no impact in the architecture typeEven if the architecture type (e.g., A2, A4) remains unchanged, a switch in Service Bureau may affect security controls, vendor management, or connectivity. TheCSCF v2024underControl 1.1: Swift Environment Protectionrequires users to report changes that could impact compliance, regardless of architecture type.Conclusion: Incorrect.

D. To submit an updated attestation reflecting this change within 3 monthsTheSwift CSP Compliance GuidelinesandIndependent Assessment Frameworkmandate that significant changes (e.g., switching Service Bureaus) be reported through an updated attestation within 3 months. This ensures Swift is informed of potential compliance impacts and allows for review.Conclusion: Correct.

Step 3: Conclusion and Verification

The correct answer isD, as theCSCF v2024andSwift CSP Compliance Guidelinesrequire an updated attestation within 3 months to reflect a change in Service Bureau.

References

Swift Customer Security Controls Framework (CSCF) v2024, Control 1.1: Swift Environment Protection.

Swift Independent Assessment Framework, Section: Change Reporting.

Swift CSP Compliance Guidelines, Section: Timely Updates.

The CSCF defines the scope of environments for a SWIFT user CSP assessment, focusing on environments that handle live SWIFT transactions or are critical to operational continuity. The "Swift Customer Security Controls Framework v2025" and "Independent Assessment Framework" provide guidance on scope. Let’s evaluate each option, assuming the environments are separated:

•Option A: SWIFT infrastructure (sometimes known as Live)

This is in scope. The live environment, where actual SWIFT transactions are processed (e.g., Alliance Access sending MT103 messages), is the primary focus of the CSCF. Controls like "1.1 SWIFTEnvironment Protection" and "2.1 Internal Data Transmission Security" apply directly to this environment.

•Option B: Development

This is not in scope. Development environments, used for building or testing applications before deployment, are typically out of scope if they are fully separated from live systems and do not process real SWIFT data. The "Independent Assessment Framework" excludes development environments unless they are integrated with live systems, which the question assumes is not the case.

•Option C: Disaster Recovery

This is in scope. Disaster Recovery (DR) environments are designed to take over in case of a failure in the live environment. Since they can process live SWIFT transactions during a failover, they must comply with CSCF controls (e.g., Control "1.1") to ensure continuity and security.

•Option D: Cold backup systems

This is in scope. Cold backup systems, while not actively processing transactions, are part of the SWIFT infrastructure’s resilience strategy. They must be secured to prevent compromise (e.g., CSCF Control "1.2 Physical Security") and are included in the assessment scope per the "Assessment template for Mandatory controls."

Summary of Correct Answer:

The Development environment (B) is not in scope for a SWIFT user CSP assessment if separated from live systems.

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Excludes development environments from scope if separated.

•Independent Assessment Framework: Focuses on live, DR, and backup environments.

•Assessment template for Mandatory controls: Includes DR and backup systems in scope.

========

The Customer Security Controls Framework (CSCF), part of the SWIFT Customer Security Programme, aims to enhance the security of the SWIFT ecosystem by defining mandatory and advisory security controls for users. The three main objectives are explicitly outlined in the CSCF documentation and reflect a holistic approach to security. Let’s evaluate each option:

•Option A: 1. Secure your environment, 2. Know and Limit Access, 3. Detect and Respond

This is correct. These three objectives align directly with the core principles of the CSCF:

oSecure your environment: This involves implementing controls to protect the SWIFT-related infrastructure (e.g., CSCF Control 1.1 SWIFT Environment Protection, 1.2 Physical Security) against unauthorized access and threats.

oKnow and Limit Access: This focuses on managing access controls and authentication (e.g., CSCF Control 2.2 External Transmission Security, 6.1 Security Awareness) to ensure only authorized personnel can interact with the SWIFT environment.

oDetect and Respond: This emphasizes monitoring and incident response (e.g., CSCF Control 4.1 Logging and 5.1 Operational Incident Response) to identify and mitigate security incidents. These objectives are explicitly stated in the "Swift Customer Security Controls Framework v2025" and reinforced across related documents like the "CSP_controls_matrix_and_high_test_plan_2025."

•Option B: 1. Restrict Internet Access and Protect Critical Systems from General IT Environment, 2. Reduce Attack Surface and Vulnerabilities, 3. Physically Secure the Environment

This is incorrect. While these are specific controls within the CSCF (e.g., Control 1.1, 2.3 System Hardening, 1.2), they are not the overarching objectives. They are implementation details rather than the high-level goals of the framework.

•Option C: 1. Secure and Protect, 2. Prevent and Detect, 3. Share and Prepare

This is incorrect. These terms are vague and do not match the official CSCF objectives. "Share and Prepare" is not a recognized objective, and the phrasing does not align with SWIFT documentation.

•Option D: 1. Raise pragmatically the security bar, 2. Maintain appropriate cyber-security hygiene, 3. React promptly

This is incorrect. While these concepts are related to security improvement, they are not the specific objectives outlined in the CSCF. The language is more general and lacks the structured focus of the official objectives.

Summary of Correct Answer:

The three main objectives of the CSCF are to Secure your environment, Know and Limit Access, and Detect and Respond (A), as defined in the framework’s core principles.

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Outlines the three main objectives (Secure, Know and Limit, Detect and Respond).

•CSP_controls_matrix_and_high_test_plan_2025: Aligns controls with these objectives.

•Independent Assessment Framework: Supports the assessment of these objectives.

========