Question 1

Must all CSCF controls be subject to an assessment?

Options :

A : Yes

B : No, only the mandatory controls

C : No, only the attested controls (with as a minimum the mandatory ones]

D : No, the control selection is defined between the Swift User and their assessor

Answer: C

Question 2

A Treasury Management System (TMS) application is installed on the same machine as the customer connector, connecting to a Service Bureau. Are these applications/systems in scope of CSCF? (Select the correct answer)

•Swift Customer Security Controls Policy

•Swift Customer Security Controls Framework v2025

•Independent Assessment Framework

•Independent Assessment Process for Assessors Guidelines

•Independent Assessment Framework - High-Level Test Plan Guidelines

•Outsourcing Agents - Security Requirements Baseline v2025

•CSP Architecture Type - Decision tree

•CSP_controls_matrix_and_high_test_plan_2025

•Assessment template for Mandatory controls

•Assessment template for Advisory controls

•CSCF Assessment Completion Letter

•Swift_CSP_Assessment_Report_Template

Options :

A : The TMS application, the customer connector, and the hosting system are in the scope of the CSCF

B : Only the customer connector application is in scope of the CSCF. The TMS application is a back-office

C : The TMS application is the highest risk and must be secured appropriately. The customer connector should be secured on a best effort basis

D : The TMS application, the customer connector, and the hosting system are in scope only if they connect directly to SWIFT, not towards a Service Bureau

Answer: A

Question 3

A Swift user has moved from one Service Bureau to another What are the obligations of the Swift user in the CSP context?

Options :

A : To inform the SB certification office at Swift WW

B : To reflect that in the next attestation cycle

C : None if there is no impact in the architecture tope

D : To submit an updated attestation reflecting this change within 3 months

Answer: D

Question 4

For which reasons (as per the "CSP Independent Assessment Process for Assessors Guidelines") is it required to keep minutes of all key meetings related to a CSP assessment process (examples: kick-off, scope definition, exit meeting)? (Select all answers that apply)

•Swift Customer Security Controls Policy

•Swift Customer Security Controls Framework v2025

•Independent Assessment Framework

•Independent Assessment Process for Assessors Guidelines

•Independent Assessment Framework - High-Level Test Plan Guidelines

•Outsourcing Agents - Security Requirements Baseline v2025

•CSP Architecture Type - Decision tree

•CSP_controls_matrix_and_high_test_plan_2025

•Assessment template for Mandatory controls

•Assessment template for Advisory controls

•CSCF Assessment Completion Letter

•Swift_CSP_Assessment_Report_Template

Options :

A : To support quality review (audit) processes

B : For documentation purpose

C : To keep key information that can be used as input for the next step in the assessment process

D : To be uploaded in KYC-SA at the end of the assessment (mandated by SWIFT)

Answer: A,B,C

Question 5

Where is the implementation of multi-factor authentication deemed sufficient to support control 4.2 compliance? (Choose all that apply.)

Options :

A : When accessing an outsourcing agent or an L2BA Swift-related application

B : When logging-in on an interface, a connector, or the system running such component

C : When login on the jump server filtering access to local Swift secure zone

D : On the General Operator PC used to access a Swift-related component

Answer: A,B,C,D

Free CSP-Assessor Mock Exam – Practice Online Confidently

Buying Options: