This question explores the process for updating an attestation after remediating an exception identified by an assessor:
Step 1: CSP Attestation and Remediation Process
The SWIFT CSP requires users to submit an annual attestation via the KYC Security Attestation (KYC-SA) application, reflecting compliance with CSCF controls. If an exception (non-compliance) is reported, remediation must occur, followed by validation before updating the attestation.
Reference: SWIFT CSP Policy, Section 4 – Attestation Process; KYC-SA User Guide.
Step 2: Role of Independent Assessment
The Independent Assessment Framework (IAF) mandates that compliance assessments, including exceptions, be validated by an independent assessor (either internal second-line or external third-party). After remediation, the exception must be re-assessed to confirm compliance before the attestation can be updated. This ensures objectivity and adherence to CSP standards.
Reference: SWIFT CSP IAF, Section 5 – Remediation and Re-assessment.
Step 3: Assessor Flexibility
The IAF does not require the same assessor who raised the exception to perform the re-assessment. A different independent assessor is permissible, provided they meet SWIFT’s certification or independence criteria.
Reference: SWIFT CSP IAF, Assessor Requirements FAQ.
Step 4: Evaluate Options
A. The exception must be re-assessed by an independent assessor. The assessor can be different to the one who initially raised the exception: Correct. This aligns with the IAF’s requirement for independent validation post-remediation, with flexibility on the assessor.
B. The exception must be re-assessed by the same independent assessor that raised the exception: Incorrect. The CSP does not mandate the same assessor.
C. The first line of defense can confirm their level of compliance using a self-assessment approach: Incorrect. Self-assessment by the first line (e.g., operational staff) lacks the independence required for attestation updates.
D. None, if the remediation has been completed, a new attestation can be submitted reflecting the compliance of the control: Incorrect. Remediation alone isn’t sufficient; independent re-assessment is required.
Conclusion: Option A is the verified answer, as the CSP mandates independent re-assessment of remediated exceptions, with flexibility on the assessor’s identity.
Reference: SWIFT CSP IAF, Section 5.3 – Post-Remediation Validation; KYC-SA Submission Guidelines.