SWIFT CSP · Independent Assurance

SWIFT CSP
Attestation
You Can
Defend.

Independent risk and assurance services for financial institutions navigating the SWIFT Customer Security Programme — across A1 and B architectures, in every regulatory environment. The output is a structured assessment report formatted for regulatory review, board reporting, and attestation defensibility.

Request a Scope Review
Aligned with
SWIFT CSP ISO 27001 A1 & B
SWIFT CSP Framework aligned
ISO 27001 Security baseline
A1 & B Architecture types
Multi-Jurisdiction Global experience
2nd & 3rd Line Both assurance lines

We are listed in the SWIFT CSP Directory of Cyber Security Service Providers delivering independent assessments and advisory guidance across all mandatory and advisory SWIFT CSCF controls.

DISCLAIMER: SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory. The inclusion of Eonta Risk & Security Limited in this directory confirms only that our assessors meet the qualification requirements defined by SWIFT for conducting CSP assessments. Any reference to SWIFT is made solely for descriptive purposes to indicate the scope of our services. SWIFT is a registered trademark of S.W.I.F.T. SCRL.

The challenge

The attestation
environment has changed.

Annual attestation pressure is intensifying. Regulators, correspondent banks, and supervisory authorities are raising the evidence bar — and internal teams face structural limitations they cannot self-resolve.

Regulators are raising the evidence bar

Supervisory bodies and correspondent banking counterparties are scrutinising CSP attestation quality with increasing rigour. Self-assessment — however thorough — is no longer considered sufficient for systemically important institutions. The expectation has shifted toward independent, documented, and defensible assurance that can withstand external review.

Internal teams carry an inherent conflict

When the teams responsible for implementing SWIFT security controls are also responsible for assessing them, the independence that regulators and audit committees expect is structurally compromised. The result is assurance that is difficult to defend — not because it is wrong, but because it cannot be credibly seen as objective by those evaluating it.

Engagement models

Two models.
One independent standard.

EONTA delivers SWIFT CSP assurance through two structured engagement models — each calibrated to your assurance line, governance structure, and attestation timeline.

2nd Line / Management Assurance

Gap & Risk Assessment

A risk-focused preparedness evaluation designed to support internal challenge, management assurance, and informed decision-making — ahead of or following a formal attestation cycle.

  • Validate CSP scope and SWIFT architecture classification
  • Identify control vulnerabilities and audit exposure areas
  • Anticipate regulatory and supervisory scrutiny
  • Support management assurance before attestation
  • Can be performed pre- or post-formal assessment

No pass/fail opinion — risk-focused lens throughout

Does not replace the official assessor requirement

Structured for audit committee and board review

"Are we confident our CSP assessment delivers defensible assurance proportional to risk and cost?"
3rd Line / External Assurance

Independent Assurance

A formal, structured evaluation aligned with the SWIFT CSP supporting annual attestation requirements — delivering the independence and evidence quality that regulators, supervisors, and counterparties require.

  • Structured control assessment across mandatory CSCF controls
  • Evidence-based testing and documentation validation
  • Formal CSP reporting outputs for the attestation cycle
  • Direct support to the attestation submission process
  • Documented and fully auditable assessment trail

Independent and externally auditable

High regulatory and reputational defensibility

Designed for correspondent bank and regulator review

"Do we meet CSP requirements this cycle — defensibly, with independent, documented evidence?"

Core capabilities

What we assess.

Each capability is delivered as a structured, evidence-based evaluation — documented for regulatory review, board reporting, and attestation defensibility.

Architecture & Scope Validation

Independent verification of SWIFT architecture classification (A1 vs B) and attestation scope boundaries — ensuring mandatory controls are correctly applied to all in-scope components and that scope gaps are identified before they reach regulators.

Control Gap Assessment

Structured gap analysis across mandatory and advisory CSCF controls — mapped against current implementation evidence to identify remediation priorities and exposure before formal attestation submissions are made.

Regulatory Scrutiny Preparation

Forward-looking assessment of supervisory expectations — anticipating the specific questions regulators and correspondent banks will ask, and ensuring your evidence package provides clear, documented answers before those questions are posed.

Evidence Review & Documentation

Quality validation of control evidence packages — assessing completeness, accuracy, and the defensibility of documentation assembled to support attestation outcomes. Gaps identified before submission, not after.

3rd Line Attestation Support

Formal independent assurance evaluation producing structured CSP reporting outputs — designed to meet the independence and documentation standards required for annual attestation and regulatory submission.

Management Assurance (2nd Line)

Risk-focused evaluation supporting internal challenge and governance oversight — providing management with an independent view of CSP readiness that complements, but does not replace, the formal attestation process.

Service framework

Scope. Methodology.
Deliverables. Engagement model.

The information procurement and risk management teams need before approving an external assurance engagement.

Scope

  • CSCF mandatory controls across all SWIFT architectures (A1 and B)
  • Architecture classification and in-scope component boundary validation
  • Advisory control assessment by client election
  • Correspondent bank and third-party connectivity review where applicable
  • Exclusions: SWIFT network operations, remediation/implementation work

Methodology

  • Control walkthrough against CSCF v2026 mandatory and advisory requirements
  • Independent review of policies, configurations, network diagrams, and logs
  • Evidence package quality assessment — completeness, accuracy, defensibility
  • Technical testing for applicable mandatory controls
  • Structured findings documentation aligned to attestation reporting standards

Deliverables

  • CSCF-mapped gap analysis report with risk-rated findings
  • Evidence quality assessment and documentation checklist
  • Management response framework for open findings
  • Board-ready executive summary
  • Attestation-cycle calendar and remediation priority matrix

Engagement Model

  • 3rd Line Assurance — independent, attestation-grade formal assessment
  • 2nd Line Management Assurance — internal challenge and governance oversight
  • Remote or on-site delivery; hybrid available
  • Typical timeline: 4–8 weeks depending on architecture complexity
  • Engagements scoped and contracted before access to any client environment

How it works

From scoping to
attestation-ready.

A structured, four-phase engagement — designed to minimise disruption to your operations while maximising the evidence quality and defensibility of the outcome.

Diagnosis

Define your SWIFT architecture type, in-scope components, preferred engagement model, and assessment timeline aligned to your attestation cycle.

Assess

Structured control walkthrough, evidence review, and independent testing across CSCF mandatory and relevant advisory requirements.

Evidence

Documentation quality validation and gap identification — evidence packages reviewed for completeness, accuracy, and regulatory defensibility.

Report

Formal structured outputs: risk-rated findings, management response framework, and board-ready summary for governance and regulatory review.

Why EONTA

What independence
actually means.

Never an Implementation Vendor

EONTA does not implement SWIFT infrastructure, sell security products, or provide managed services. Our only interest is the quality of your assurance — which is precisely why our conclusions can be trusted by those who matter most: regulators, audit committees, and correspondent banking counterparties.

Multi-Continent Programme Experience

EONTA assessors have supported SWIFT CSP programmes across multiple continents and regulatory environments — including institutions subject to the most demanding supervisory regimes in Europe, Asia-Pacific, and the Americas. That breadth of experience shapes every engagement we take on.

Risk-Focused, Not Tick-Box

Our methodology goes beyond confirming control existence. We evaluate whether controls are designed to address the risks they are meant to mitigate, and whether they operate effectively under real conditions — the distinction that regulators and internal audit committees now require as their standard expectation.

Who this is for

Built for the people
who carry the risk.

EONTA's SWIFT CSP assurance services are designed for the professionals and governance functions directly accountable for attestation quality, regulatory standing, and institutional credibility.

Primary stakeholders

Chief Information Security Officers Compliance Officers Internal Audit Functions Treasury Operations Board Risk Committees Chief Risk Officers Correspondent Banking Teams Regulatory Affairs

Common engagement triggers

Annual attestation cycle approaching

Institutions seeking independent assurance before submitting their CSP attestation to SWIFT and supervisory bodies.

Regulatory or audit committee challenge

Governance functions requiring independent validation of CSP assessment quality following internal or external scrutiny.

Architecture change or scope expansion

Institutions that have migrated SWIFT topology or expanded in-scope environments requiring re-validation of control boundaries.

Frequently asked

Questions before
every engagement.

The Gap & Risk Assessment is a 2nd line management assurance activity — risk-focused, non-opinion, and designed to support internal challenge ahead of formal attestation. It does not produce formal attestation outputs and does not replace the official assessor requirement. The Independent Assurance engagement is a formal 3rd line evaluation that produces structured outputs directly supporting the annual SWIFT CSP attestation cycle. The right model depends on your governance structure, assurance line requirements, and where you are in the attestation calendar.
The Gap & Risk Assessment (2nd line) does not replace the formal assessor requirement — it is a management assurance activity designed to complement and strengthen it. The Independent Assurance engagement (3rd line) is structured to directly support the attestation cycle and is designed to meet the independence and documentation standards required for formal CSP attestation purposes. The appropriate structure for your situation is always discussed and confirmed during the scoping conversation.
Engagement duration depends on your architecture complexity (A1 vs B), the number of in-scope components, and existing evidence maturity. A Gap Assessment for a single-architecture institution typically concludes in 3–5 weeks from engagement start. An Independent Assurance engagement for a more complex, multi-component architecture typically requires 5–8 weeks from scope confirmation to final report delivery. A scoped timeline is provided at the outset of every engagement.
Yes. EONTA has supported SWIFT CSP programmes for institutions operating across Europe, Asia-Pacific, and the Americas — including environments subject to overlapping regulatory requirements from multiple national supervisory authorities. We are structured to accommodate multi-jurisdiction engagements where regulatory expectations and CSP requirements must be assessed in parallel across different legal and supervisory frameworks.
Very little to begin. An initial scoping conversation requires only a general understanding of your SWIFT architecture type (A1 or B), your attestation timeline, and a brief description of your current assurance posture. From that conversation, we can produce a scoped engagement proposal within three business days. There is no obligation, and all scoping conversations are treated as strictly confidential.
For Gap & Risk Assessments: a structured risk and findings report covering control gap analysis, risk rating by domain, remediation priorities, and a management response framework — designed for internal governance and audit committee review. For Independent Assurance engagements: formal CSP assurance reporting output structured to support attestation submission, including control assessment results, evidence evaluation conclusions, and a fully auditable assessment trail.
Yes. EONTA regularly structures engagements as 3rd line reviews that validate rather than duplicate 2nd line work. The deliverable is designed to be handed directly to your external auditor or SWIFT relationship manager — with a chain of evidence that distinguishes EONTA's independent findings from internal management review. We discuss scope boundaries explicitly at the outset to ensure there is no overlap, no dependency, and no conflict with work already in progress.

Take the next step

Are you confident your CSP assessment is defensible this attestation cycle?

Book a confidential scoping call with EONTA. No obligation. Response within one business day from our Dublin team.

Book a Scope Review Email Our Team

All scoping conversations are confidential. EONTA does not share engagement details with third parties.