This question pertains to the scope of controls assessed under the SWIFT CSP assessment process:
Step 1: Understand CSCF Control Types
The SWIFT CSCF (e.g., v2024) categorizes controls into Mandatory and Advisory. Mandatory controls are required for all SWIFT users to attest compliance, while Advisory controls are recommended but not obligatory for attestation.
Reference: CSCF v2024, Introduction and Control Types section.
Step 2: Assessment Scope per CSP Requirements
The SWIFT CSP mandates an annual independent assessment (or self-assessment for certain users) of compliance with the CSCF. However, the Independent Assessment Framework (IAF) specifies that the minimum scope includes all Mandatory controls, and users must attest to these in the KYC Security Attestation (KYC-SA). Advisory controls can be included in the attestation at the user’s discretion but are not required.
Reference: SWIFT CSP IAF, Section 1 – Assessment Scope; KYC-SA User Guide.
Step 3: Evaluate Options
A. Yes: Incorrect. Not all controls (i.e., Advisory ones) must be assessed; only Mandatory controls are compulsory.
B. No, only the mandatory controls: Partially correct but incomplete, as users may choose to attest to Advisory controls, making this too restrictive.
C. No, only the attested controls (with as a minimum the mandatory ones): Correct. Users must assess and attest to all Mandatory controls, and may include Advisory controls in their attestation scope, aligning with CSP flexibility.
D. No, the control selection is defined between the Swift User and their assessor: Incorrect. The CSP mandates Mandatory controls as a minimum; the selection isn’t arbitrary or solely negotiated.
Conclusion: Option C is the verified answer, as the assessment covers attested controls, with Mandatory controls as the minimum requirement.
Reference: CSCF v2024, Control Applicability; SWIFT CSP Policy, Section 3 – Attestation Requirements.