The object of a SIM3 audit is to assess a CSIRT’s maturity against the full SIM3, using all SIM3 parameters. Such an audit can be purely measurement based, certification based or membership related. For pure measurement no baseline is needed; for certification there will generally be some kind of baseline with minimum requirements for part or all of the SIM3 parameters. For membership use, a membership baseline seems an obvious choice.
In all cases, an audit only deserves the name audit according to OCF standards if:
- all SIM3 parameters are being tested
- the procedure is evidence based – this means there must be substantiation for why each parameter scores at a given level
Only Certified SIM3 Auditors can perform SIM3 audits according to OCF standards. A Certified SIM3 Auditor has the following right (optional, not obligatory):
- Perform SIM3 audits and issue reports and audit certificates using the OCF & SIM3 logos (these are valid for a maximum of 3 years)
and the following duties (obligatory):
- Perform SIM3 audits adhering to the OCF/SIM3 Code of Ethics
- Report audits to the OCF – only team name and date, no content
- If the audit is done using a baseline with minimum requirements (certification or membership related), make clear who is responsible for what – the OCF is responsible for the SIM3 audit standard, and the organisation ORG is responsible for the baseline (current examples of ORG are the NCA and TF-CSIRT)