Exam CSP-Assessor Topic 3 Question 17 Discussion
Actual exam question for Swift's CSP-Assessor exam
Question #: 17
Topic #: 3
Question #: 17
Topic #: 3
A SWIFT user has had part of controls assessed by their internal audit department, and the other remaining controls using an external assessor company. Is this acceptable? (Select the correct answer)
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
*CSCF Assessment Completion Letter
*Swift_CSP_Assessment_Report_Template
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
*CSCF Assessment Completion Letter
*Swift_CSP_Assessment_Report_Template
Suggested Answer: D Vote an answer
The SWIFT CSP requires a consistent and independent assessment process, as specified in the "Independent Assessment Framework" and "Independent Assessment Process for Assessors Guidelines." Let's evaluate each option:
*Option A: Yes, a SWIFT user can combine multiple assessment types (internal and external assessment) as long as all controls are covered This is incorrect. The CSP mandates that the assessment be conducted by a single, independent assessor or firm to ensure uniformity and objectivity. Mixing internal audits (which lack independence) with external assessments does not meet the requirement, as per the "Independent Assessment Framework."
*Option B: No, because the SWIFT user cannot be sure the same approach and quality will be delivered This is incorrect as the primary reason. While consistency is a concern, the main issue is the lack of independence, not just quality variation.
*Option C: Yes, but only if there is a signed agreement between all involved assessors This is incorrect. A signed agreement does not resolve the CSP's requirement for a single independent assessment. The "Independent Assessment Process for Assessors Guidelines" does not allow hybrid assessments.
*Option D: No, SWIFT can reject the attestation in such situations
This is correct. SWIFT reserves the right to reject attestations if the assessment process does not comply with the requirement for a fully independent assessment by a certified assessor. The
"Swift_CSP_Assessment_Report_Template" and "CSCF Assessment Completion Letter" must reflect a single, consistent evaluation, and the "Independent Assessment Framework" explicitly prohibits reliance on internal audits for compliance attestation.
Summary of Correct answer:
This approach is not acceptable, and SWIFT can reject the attestation (D).
References to SWIFT Customer Security Programme Documents:
*Independent Assessment Framework: Requires a single independent assessor.
*Independent Assessment Process for Assessors Guidelines: Prohibits mixed assessment types.
*Swift_CSP_Assessment_Report_Template: Reflects a unified assessment process.
========
*Option A: Yes, a SWIFT user can combine multiple assessment types (internal and external assessment) as long as all controls are covered This is incorrect. The CSP mandates that the assessment be conducted by a single, independent assessor or firm to ensure uniformity and objectivity. Mixing internal audits (which lack independence) with external assessments does not meet the requirement, as per the "Independent Assessment Framework."
*Option B: No, because the SWIFT user cannot be sure the same approach and quality will be delivered This is incorrect as the primary reason. While consistency is a concern, the main issue is the lack of independence, not just quality variation.
*Option C: Yes, but only if there is a signed agreement between all involved assessors This is incorrect. A signed agreement does not resolve the CSP's requirement for a single independent assessment. The "Independent Assessment Process for Assessors Guidelines" does not allow hybrid assessments.
*Option D: No, SWIFT can reject the attestation in such situations
This is correct. SWIFT reserves the right to reject attestations if the assessment process does not comply with the requirement for a fully independent assessment by a certified assessor. The
"Swift_CSP_Assessment_Report_Template" and "CSCF Assessment Completion Letter" must reflect a single, consistent evaluation, and the "Independent Assessment Framework" explicitly prohibits reliance on internal audits for compliance attestation.
Summary of Correct answer:
This approach is not acceptable, and SWIFT can reject the attestation (D).
References to SWIFT Customer Security Programme Documents:
*Independent Assessment Framework: Requires a single independent assessor.
*Independent Assessment Process for Assessors Guidelines: Prohibits mixed assessment types.
*Swift_CSP_Assessment_Report_Template: Reflects a unified assessment process.
========
by Joseph at Aug 10, 2025, 12:35 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).