The object of a SIM3 audit is to use the full SIM3 to audit a CSIRT’s maturity, using all SIM3 parameters. This process can be purely measurement based, certification based or membership related. For pure measurements, no baseline is needed – for certifications there will generally be some kind of baseline with minimum requirements for part or all of the SIM3 parameters. For membership use, to have a membership baseline seems an obvious choice.

In all cases, an audit only deserves the name audit according to OCF standards if:

  • all SIM3 parameters are being tested
  • the procedure is evidence based – this means that there needs to be substantiation for why any parameter scores at a certain level

Only Certified SIM3 Auditors can do SIM3 audits according to OCF standards. A certified SIM3 Auditor has the right (not obligatory) to:

  • Perform SIM3 audits and issue reports and audit certificates using the OCF & SIM3 logos (these are valid for a maximum of 3 years)

and the following duties (obligatory):

  • Perform SIM3 audits adhering to the OCF/SIM3 Code of Ethics
  • Report audits to the OCF – only team name and date, no content
  • If the audit is done using a baseline with minimum requirements (certification/membership related), to make clear who is responsible for what – OCF is responsible for the SIM3 audit standard, organisation ORG is responsible for baseline (current examples of ORG are the NCA and TF-CSIRT)