Code of Ethics for Auditors

For and together with the Certified SIM3 Auditors a Code of Ethics was developed in a meeting of Auditors in Montréal (Canada, 7 June 2023) and finalised in a similar meeting on Tenerife (Spain, 28 February 2024). This codified what is common sense: that a Certified Auditor will in the SIM3 context act honourably, respectfully and professionally, to the best of their knowledge and experience.

The Certified SIM3 Auditors represent not only themselves and the organisation they work for – but when doing a SIM3 Audit or Assessment, also the Open CSIRT Foundation, as long as they are in good standing as Certified Auditors. All Certified SIM3 Auditors listed by OCF on this website are in good standing.[1]

All Certified SIM3 Auditors are expected to act, in spirit as well as in practice, according to the Code of Ethics as presented here:

GENERAL PRINCIPLES

  • Auditors will be trustworthy.
  • Auditors will act honestly and professionally.
  • Auditors will act as ambassadors of the SIM3 model and its applications.
  • Auditors will contribute to the community of SIM3 Certified Auditors, and seek to support each other.
  • Auditors will support the CSIRT Code of Practice and adhere to its basic principles.
  • Auditors will utilise and support the Traffic Light Protocol.

AUDIT & ASSESSMENT RULES

  • For the definition of the terms used here, refer to Audits and Assessments.
  • Auditors will conduct SIM3 Audits and Assessments honestly and professionally, respecting confidentiality and trust.
  • Audits must always be done by auditors in a 3rd party, independent fashion. Auditors can therefore perform a SIM3 Assessment within their own organisation, but not an Audit.
  • Auditors will never accept any offering by the team they do an Audit or Assessment for, if that offering can be construed as a bribe – especially under the local laws and/or ethics.
  • Conflicts of interest in the context of Audits will be avoided or made transparent to all parties involved.

COMPLAINTS & NON-COMPLIANCE

  • Any client being audited or assessed in the SIM3 context by a Certified SIM3 Auditor, who experiences a conflict with the Auditor in question, is first encouraged to discuss and resolve this with the Auditor in question.
  • In cases where this resolution does not work or is not possible, the client can complain to the SIM3-Complaints instance via e-mail to sim3-ethics [at] opencsirt.org, which will be handled by two trusted professionals who are not SIM3 Auditors, and who will bring the complaint to the attention of the OCF Board of Directors (BoD).[2]
  • The BoD will handle the complaint responsibly and respectfully, and within reasonable time. The complainant and complainee will both be heard. If needed the BoD will consult experienced Auditors in strict confidence. The verdict of the BoD is binding and will be communicated to complainant and complainee.
  • The BoD has the right to suspend or terminate the Certification of Auditors, when these are found to have acted in violation of this Code of Ethics.

  1. A small number of SIM3 Auditors do not want to be listed on this website for reasons of their own, but are nonetheless Certified and in good standing. With their permission, you can ask OCF to verify their status.
  2. In case a BoD (or BoC) member is involved in the complaint, then this person will not be informed.