SWIFT Customer Security Programme

SWIFT CSP independent assessments and KYC-SA submissions.

Independent CSP assessment by a UK QSAC. We map your architecture, test the CSCF controls, and submit your annual attestation through the KYC-SA platform.


What is SWIFT CSP?

The SWIFT Customer Security Programme (CSP) is the security framework SWIFT operates for the institutions that use its messaging network. It exists to reduce the risk of cyber attacks on SWIFT users — historically the soft underbelly of the financial messaging system.

CSP requires every SWIFT user to attest annually against the Customer Security Controls Framework (CSCF) — a set of mandatory and advisory security controls covering operator workstations, privileged access, secure zones, monitoring, and incident response. The attestation is submitted through the KYC-SA platform and is visible to counterparties.

Key facts

Customer Security Controls Framework: CSCF
Architecture types: 5
Attestation platform: KYC-SA
Attestation cadence: Annual

What we do

Four engagement components covering architecture, controls, assessment, and submission.

Architecture review and gap assessment

We confirm your SWIFT architecture type, the controls in scope, and where your current state sits against the current Customer Security Controls Framework.

Mandatory control implementation

Where mandatory CSCF controls are not yet in place, we work with your team on the design, implementation, and evidence gathering required to attest.

Independent assessment (CSP-IA)

Our team carries out the independent CSP assessment: testing each in-scope control, gathering evidence, and producing the assessment report SWIFT requires.

KYC-SA submission support

We support the annual attestation through SWIFT’s KYC-Security Attestation platform, including counterparty visibility settings and remediation tracking.

How a CSP engagement runs

Five stages from scoping call to KYC-SA submission. Annual cycle thereafter.

  1. Scoping call

    30 minutes, free

    We confirm your SWIFT architecture type (A1, A2, A3, A4, or B) and the in-scope CSCF controls. The architecture type is the single biggest driver of scope.

  2. Architecture review

    1–2 weeks

    We map your SWIFT environment: operator users, secure zone, jump servers, messaging interfaces, and file-transfer gateways. This also confirms the architecture type if there is any ambiguity.

  3. CSCF gap assessment

    2–4 weeks

    We test each in-scope control. Mandatory controls must be Achieved before you can attest as compliant; advisory controls inform your security posture but are not blockers.

  4. Independent CSP assessment

    2–3 weeks

    Formal CSP-IA — control-by-control testing, evidence gathering, and the assessment report SWIFT requires for independent assessment.

  5. KYC-SA submission

    1 week

    We support the attestation submission through the KYC-SA platform, including counterparty access settings and any post-submission remediation tracking.

SWIFT architecture types

The architecture type sets the scope of your CSP assessment. We confirm the right type during the scoping call.

Why 1 Sequence Cyber

PCI SSC-listed QSAC

Listed on the PCI Security Standards Council website as a Qualified Security Assessor Company. Independent assessment is what we do; CSP-IA is the SWIFT-specific equivalent.

CREST DPT alignment

Penetration Testing aligned to the CREST Defensible Penetration Test specification — directly relevant to CSP control 7.3 (operator-targeted phishing) and 7.4 (network-level intrusion testing).


Ready for your next CSP attestation?

Tell us your SWIFT architecture type and your last attestation date. We’ll come back with a fixed-fee proposal within 48 hours.
