The "Independent Assessment Process for Assessors Guidelines" and "Independent Assessment Framework" provide guidance on using external audit reports (e.g., ISAE 3000) to support CSP assessments. ISAE 3000 is an international standard for assurance engagements. Let’s evaluate each option:

• Option A: No, that is too old, the maximum is 18 months

This is correct. The CSP specifies that external reports like ISAE 3000 must be no older than 18 months to ensure relevance, as security environments can change. The "Independent Assessment Framework" and "CSP_controls_matrix_and_high_test_plan_2025" set this time limit to validate current compliance status.

• Option B: Yes, there is no time limit for an ISAE 3000 report

This is incorrect. A time limit is enforced to ensure the report reflects the current security posture, as per CSP guidelines.

• Option C: No, an ISAE 3000 report is no valid substitute as a rule

This is incorrect. An ISAE 3000 report can be used as supporting evidence if relevant and recent, but it is not a full substitute for the independent assessment, per the "Independent Assessment Process for Assessors Guidelines."

• Option D: Yes, provided there is no change to the SWIFT user’s infrastructure

This is incorrect. Even with no changes, the 18-month limit applies to ensure the report’s currency, not just infrastructure stability.

Summary of Correct Answer:

An assessor cannot rely on an ISAE 3000 report dating back 2 years; the maximum is 18 months (A).

References to SWIFT Customer Security Programme Documents:

• Independent Assessment Process for Assessors Guidelines: Limits ISAE 3000 reports to 18 months.

• Independent Assessment Framework: Specifies timeframe for external evidence.

• CSP_controls_matrix_and_high_test_plan_2025: Enforces currency of supporting reports.

========

This question involves the role of the Hardware Security Module (HSM) and cryptographic operations in the Swift environment. Let’s evaluate each option.

Step 1: Understand HSM and Cryptographic Operations in Swift

The HSM is a secure device used to manage cryptographic keys and perform encryption/decryption operations, as detailed in Control 2.5B: Cryptographic Key Management of the CSCF v2024 . Swift uses public key infrastructure (PKI) for secure messaging, with HSMs storing keys and certificates.

Step 2: Evaluate Each Option

A. The public and private keys of a Swift certificate are stored on the Hardware Security Module In the Swift environment, the HSM stores both the private key (for signing/decryption) and the public key (for verification/encryption) as part of the certificate pair. This is a standard practice for secure key management, as confirmed in the Swift Security Best Practices and Control 2.5B , which mandates secure storage of cryptographic keys in HSMs. Conclusion : This statement is correct.

B. The certificate stored on the Swift Hardware Security Module is used during the decryption operation of a message The HSM uses the private key stored in the certificate to perform decryption of incoming Swift messages. This is part of the secure message handling process, as outlined in Control 2.5B and the Swift Alliance Gateway Technical Documentation . Conclusion : This statement is correct.

C. The decryption operation uses the encryption private key of the receiver Decryption uses the private key of the receiver, not the “encryption private key” (a misnomer). The correct term is the receiver’s private key, which corresponds to the public key used for encryption. This error makes the statement technically incorrect, despite the intended meaning. Conclusion : This statement is incorrect.

D. To verify the signature the SwiftNetLink uses the signing private key of the receiver Signature verification requires the sender’s public key, not the receiver’s private key. The SwiftNetLink (SNL) uses the public key to verify the signature, as per Control 2.5B and Swift Security Best Practices . The private key is used for signing, not verification. Conclusion : This statement is incorrect.

Step 3: Conclusion and Verification

The verified statements are A and B , as they accurately describe the HSM’s role in key storage and decryption, consistent with Swift CSP documentation.

References

Swift Customer Security Controls Framework (CSCF) v2024 , Control 2.5B: Cryptographic Key Management.

Swift Security Best Practices , Section: HSM Usage.

Swift Alliance Gateway Technical Documentation , Section: Cryptographic Operations.

This question concerns the assessor’s obligations during the CSP assessment kick-off:

Step 1: CSP Assessment Process

The IAF recommends a kick-off meeting to align expectations between the assessor and SWIFT user, including explaining the testing methodology (e.g., HLTP, sampling, evidence collection).

CSCF Control "6.1 Security Awareness" mandates training for individuals with SWIFT-critical roles (e.g., LSO, RSO, operators) to ensure they understand security policies and procedures. Let’s evaluate each option:

• Option A: Yes, and a track record must show that both awareness and specific training are performed annually

This is correct. Control 6.1 requires annual security awareness training for all SWIFT-critical personnel, with additional specific training as needed to maintain knowledge. The "Swift Customer Security Controls Framework v2025" and "Assessment template for Mandatory controls" mandate annual training and require a track record (e.g., logs or certificates) to demonstrate compliance.

• Option B: No, both awareness and specific trainings are planned when deemed required

This is incorrect. The CSCF mandates annual awareness training, not just ad-hoc planning, to ensure consistent security awareness.

• Option C: No, awareness training expected to be performed yearly; specific training to maintain the required knowledge only when needed

This is incorrect. While specific training can be as needed, awareness training is explicitly required annually, making this option partially inaccurate.

• Option D: No, a track record must show that both awareness and specific training are performed at least bi-yearly (every 2 years)

This is incorrect. The CSCF requires annual awareness training, not bi-yearly, as specified in the guidelines.

Summary of Correct Answer:

It is mandated to perform security awareness and specific trainings every year, with a track record (A).

References to SWIFT Customer Security Programme Documents:

• Swift Customer Security Controls Framework v2025: Control 6.1 mandates annual training.

• Assessment template for Mandatory controls: Requires annual training records.

• Independent Assessment Framework: Verifies training frequency.

========