SWIFT CSP: Internal vs. External Assessments

By Willem Marais on May, 12 2023


In the world of business and even more so in the payments and banking industries, assessments are a critical part of ensuring that organizations operate in compliance with regulations, standards, and best practices to help ensure that critical sensitive data is adequately protected.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative society providing services related to the execution of financial transactions and payments between banks worldwide. Its principal function is to serve as the main messaging network through which international payments are initiated.

The SWIFT Customer Security Programme (CSP) defines the security requirements for participating institutions in the Customer Security Controls Framework (CSCF). Compliance with the CSCF is verified through three types of assessment: internal assessments, external assessments, and SWIFT-mandated external assessments. A hybrid approach is also possible under certain conditions. Internal and external assessments are self-explanatory; mandated assessments apply only to organizations that SWIFT selects for a compulsory external assessment.

The latest figures shared by SWIFT at SIBOS 2022 indicate an almost 50/50 split between internal and external assessments in the industry since self-assessments were phased out in 2021. Each type of assessment has advantages and disadvantages, and it is important to understand them in order to determine which type is most appropriate for your organization.

Internal Assessments

The internal assessment function is usually nested in the second or third line of defense within an organization, and must be independent of the first line that operates the SWIFT-connected infrastructure. It is normally performed by an internal audit department, which is responsible for evaluating and improving the effectiveness of the organization's risk management, control, and governance processes. Ideally this function is provided by an independent part of the organization that can offer objective assurance and consulting designed to add value and improve the organization's operations, and it often reports to the board of directors (or a similar body). Internal assessors conduct a wide range of assessments of an organization's operations, financial reporting, compliance with laws and regulations, and other areas as needed.


Advantages of Internal Assessments

  • Cost-Effective: Internal assessments are typically less expensive than external assessments as they are performed by employees of the organization, who may already have operational context of the SWIFT connected systems.

  • Broad Scope: Internal assessments can cover a broad range of areas within the organization, including financial reporting, operational processes, and compliance with regulations and standards. This may allow for a greater scope of assessment than just the standard being assessed.

  • Continuous Monitoring: Internal assessments can be performed on an ongoing basis, which means that the organization can identify issues and take corrective action in a timely manner.

  • Institutional Knowledge: The use of internal assessors often allows for the incorporation of more historic knowledge in determining scope and retaining knowledge of issues and recommendations.


External Assessments

External SWIFT CSP assessments are performed by an independent third-party assessor who has no stake in the organization being assessed. External assessments must be conducted by qualified organizations, such as Online, that meet the criteria defined by SWIFT and are listed in SWIFT's Directory of CSP assessment providers. The main purpose of an external assessment is to provide fully independent assurance to stakeholders, since the assessing firm has no material financial dependency on the entity being assessed. External assessment firms often have governing bodies or institutions that ensure their independence, quality assurance, and engagement consistency.

Advantages of External Assessments

  • Independence: As the definition implies, external assessors are independent of the organization being assessed, which means they can provide an unbiased and objective opinion about the organization's compliance with the standard being assessed. This is important because stakeholders such as investors, regulators, and customers need to have confidence in the accuracy of the compliance artifacts produced.

  • Expertise: External assessors are typically highly skilled and experienced professionals in a specific field who have a deep understanding of the standards being assessed and have conducted numerous such security assessments. By contrast, internal assessments tend to be performed by internal auditors with more generalized skillsets and less exposure to common security issues and regulatory standards.

  • Credibility: External assessments lend credibility to the result. When an organization's CSP attestation has been assessed by an independent third party, stakeholders can have more confidence in the accuracy of the information presented, and the organization can demonstrate more robust due diligence than an internal assessment alone provides.

  • Out-of-the-Box Thinking: Good external assessors usually act as excellent consultants during assessments. Because they work with a greater variety of industries and tools, they deal with a wide range of issues and topics and can often suggest solutions that save organizations significant cost through clever design.

Both external and internal assessments have their advantages and disadvantages. Ultimately, the choice between them depends on the organization's specific needs, skills, and resources. As mentioned above, a hybrid approach is also possible; for example, an internal audit function may contract an external assessor to either lead or assist in specialized standards assessments. NOTE: It is recommended that you consult the SWIFT CSP Independent Assessment Framework when considering such an approach.

Online's seasoned SWIFT CSP assessors have completed the most recent SWIFT CSP training course and are also PCI DSS QSAs in good standing. Our global consulting team consists of over 35 QSAs, each with a minimum of 10 years of cybersecurity experience.

Download our Service Overview today for more information on how to get started.
