SWIFT Security Controls

On 27 September 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) announced a new set of core banking security standards and an associated assurance framework as part of its Customer Security Programme.

Compliance with 16 security controls (listed below) will be mandatory for all SWIFT customers – including those connected through service bureaus – from 1 January 2018.

Customers will also be able to choose to implement a further 11 advisory controls.

All SWIFT customers will have to demonstrate their compliance by annual self-attestation. Some randomly selected customers will have to provide additional assurance of their compliance via internal or external audit.

To ensure transparency, SWIFT customers’ compliance status will be available to their counterparts.

Organisations in the financial sector will have only nine months between the final standards being published and their being enforced.

Achieving accredited certification to the international standard for information security management, ISO 27001, is the best way of complying with the international best practice that underpins the new SWIFT controls.

Until the final standards are issued in March 2017, ISO 27001 provides the most obvious starting point for SWIFT customers.

Introduction

Following a series of high-profile wire fraud incidents, including the theft of some $81 million from Bangladesh’s central bank in early 2016, the interbank messaging service SWIFT came under increasing pressure to improve cyber security in the financial sector and reduce the risk of wire fraud.

In October 2016, SWIFT released a set of core security standards to “raise the security bar for customers on the SWIFT network”.

More than 11,000 banking and securities organisations, market infrastructures and corporate customers in more than 200 countries use SWIFT’s messaging platform, products and services. All of them must comply with SWIFT’s new baseline cyber security controls by 1 January 2018.


Implementation timeline

  • October 2016
    SWIFT released preliminary details about the controls. These are detailed in the table below.

  • March 2017
    Following a two-month validation period in which SWIFT will engage with nominated security contacts at SWIFT National Member Groups, the final requirements will be published in March 2017. Banking partners will then have just nine months to comply.

  • January 2018
    From 1 January 2018, SWIFT will enforce the use of the controls by reporting any non-compliant customer to their regulators.


SWIFT mandatory and advisory controls – October 2016 version

SWIFT’s assurance framework has three objectives and eight principles, which are underpinned by 27 controls.

16 controls are mandatory (M1 to M16 below) and 11 are advisory (A1 to A11 below).

The 27 controls are mapped against recognised international standards – NIST, the PCI DSS and ISO 27002 (the code of practice for information security controls that supports ISO 27001).

To ensure transparency, SWIFT customers’ compliance status will be available to their counterparts.


| 3 objectives | 8 principles | 16 mandatory controls | 11 advisory controls |
|---|---|---|---|
| Secure your environment | 1. Restrict Internet access | | |
| | 2. Segregate critical systems from general IT environment | M1. Operating system privileged account control; M2. SWIFT environment segregation | |
| | 3. Reduce attack surface and vulnerabilities | M3. Internal data flow security; M4. Security patching; M5. System hardening | A1. Back office data flow security; A2. External transmission data protection; A3. Session integrity; A4. Vulnerability scanning; A5. Critical activity outsourcing; A6. Transaction business controls |
| | 4. Physically secure the environment | M6. Physical security | |
| Know and limit access | 5. Prevent compromise of credentials | M7. Password policy; M8. Multi-factor authentication | |
| | 6. Manage identities and segregate privileges | M9. User account management; M10. Token management | A7. Personnel vetting process; A8. Physical and logical password storage |
| Detect and respond | 7. Detect anomalous activity to systems or transaction records | M11. Malware protection; M12. Database integrity; M13. Logging and monitoring; M14. Software integrity | A9. Intrusion detection |
| | 8. Plan for incident response and information sharing | M15. Cyber incident response planning; M16. Security training and awareness | A10. Penetration testing; A11. Scenario risk assessment |


Please note that these controls are subject to change. The final versions will be released in March 2017.

Organisations in the financial sector will then have only nine months before the standards are enforced, from January 2018. This is not long for a compliance project.


ISO 27001

Until the final controls are issued in March 2017, the international standard for information security management, ISO 27001, is the most obvious starting point for SWIFT customers.

ISO 27001 is the only information security standard against which organisations can achieve independently accredited certification, demonstrating that they have implemented the information security best practice that underpins the new SWIFT controls.

Moreover, as well as relying on attestations of compliance, SWIFT customers will be able to request additional assurance from their counterparts that they have implemented security best practice. ISO 27001 provides such assurance.


ISO 27001 implementation packages

IT Governance's ISO 27001 packaged solutions have helped hundreds of organisations implement ISO 27001 at a speed and for a budget that is appropriate to their individual needs and preferred project approach.

Each fixed-price solution combines products and services that can be accessed online and deployed by any company in the world, whatever its size, type or location.


ISO 27001 training

IT Governance is responsible for the world’s first accredited programme of ISO 27001 education. The ISO 27001 learning pathway provides training courses from Foundation to Advanced level, and offers opportunities to attain industry-standard qualifications awarded by IBITGQ.


Cyber incident response management

The speed at which you identify a breach, combat the spread of malware, prevent access to data, and remediate the threat will make a significant difference in controlling risk, costs, and exposure during an incident.

With an effective incident response plan, you will be able to detect incidents at an earlier stage and develop an effective defence against the attack.


Call us now on +44 (0)845 170 1750 or email us to find out more about how we can help you comply with the mandatory SWIFT security controls.


Information correct as of October 2016. This page will be updated as new information becomes available.
