SWIFT CSCFv2025 - The Three Most Important Questions About the Update

12 September 2024

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an organization's SWIFT infrastructure and systems is examined in detail to ensure adequate protection against potential security risks and vulnerabilities.

Recently, an update of the framework, namely CSCFv2025, was published. Tobias Weber, Managing Security Consultant at usd AG and auditor of several international security standards, took a closer look at the new framework for us:

Tobias, when will the new framework be applicable?

The frameworks are typically published in the summer of each year, but are not applicable until the following year. So all assessments from July 2025 onwards will be based on the CSCFv2025. SWIFT Assessments conducted in 2024 will be audited against the framework v2024 published last year. SWIFT is thus creating a transition phase of 1 year for the companies.

My personal tip for my customers: The timely release of the future frameworks allows us as auditors to include the upcoming requirements in this year's assessment.

You have had a look at the new framework. What changes should I be aware of?

In brief: CSCFv2025 does not contain any major changes. The update mainly consists of minor adjustments and clarifications, e.g. with regard to the scope of individual controls.

Contrary to expectations, no further advisory control was raised to “mandatory”. According to SWIFT, the requirement level should remain stable after having been continuously raised in recent years.

Does this mean that affected companies will not need to make any significant changes for 2025?

From this perspective, no. It should be noted that the transition phase for Control 2.4A (Back Office Data Flow Security) continues with this update. Further developments are scheduled for the v2026 framework. However, I recommend preparing for this ahead of time, as bridging servers and new direct data flows between the secure zone and back-office first hop must then also be protected. From v2028, this will also be extended to legacy flows.


Do you have any questions or need support with your upcoming SWIFT assessment? Contact us, we will be happy to help.
