ISO/IEC 5230


ISO/IEC 5230 is an international standard on the key requirements for a high-quality open source license compliance program. The standard was published jointly by the International Organization for Standardization and the International Electrotechnical Commission in late 2020. The standard is based on the Linux Foundation OpenChain Specification 2.1. It focuses on software supply chains, easier procurement and license compliance. Organizations that meet the requirements of the standard can self-certify to ISO/IEC 17021, from an accredited certification body or after successfully completing an audit.

How the standard works

Most organizations and software products rely on numerous open source components made by third parties, such as frameworks, libraries and containers, coming from diverse and often unaffiliated sources. This is akin to a supply chain in a brick-and-mortar environment and making sure the supply chain is as reliable as possible is considered important from an operational, legal and security standpoint. Upon this premise, a number of players have decided to establish the ground rules for an organization to deal with open source software at whichever level of the supply chain they operate. A working group under the umbrella of the Linux Foundation, the OpenChain project. Later, when reaching the 2.0 version, the norms were presented for approval as an ISO/IEC standard.
According to the standard, in order to use open source components effectively, organization must be aware of and comply with all the components involved, the associated open source licenses, and obligations such as copyleft. ISO/IEC 5230 aims to establish a non-prescriptive common understanding of what needs to be addressed within a quality open source compliance program. This makes ISO/IEC 5230 applicable across many industries and organizations and provides benefits to procurement and software supply chains, as open source software tends to be very cumbersome in legal contracts and procurement.
The main topics covered by ISO/IEC 5230 and OpenChain-2.1 are:
  • Existence of an open source policy
  • Competencies of program participants.
  • Awareness of open source risks among all program participants
  • A clearly defined scope, e.g. only specified areas and product lines
  • Understand and collect licensing obligations for relevant use cases.
  • Access for external open source requests.
  • Compliance offices equipped with sufficient resources
  • Generate a Bill of Material
  • License compliance process
  • Archiving and provision of compliance artifacts
  • A guideline for community engagement and contributions
ISO/IEC 5230 does not define how exactly most of the tasks are to be performed, such as whether snippet scanning, revalidation of declared open source licenses is required, and what the compliance artifacts should look like. However, SPDX is now an ISO standard and is mentioned in ISO/IEC 5230 as an example of compliance artifacts.

Certification

A high-quality open source compliance program can be certified as compliant with ISO/IEC 5230 by a number of accredited registrars worldwide.
In some countries, the bodies that verify the conformity of management systems to certain standards are referred to as "certification bodies", while in others they are usually referred to as "registration bodies", "assessment and registration bodies", "certification/registration bodies" and sometimes "registrars".
ISO/IEC 5230 certification, like other ISO management system certifications, typically involves a three-step external audit process defined in ISO/IEC 17021:
  • Stage 1 is a preliminary, informal review of the open source compliance program, verifying, for example, the existence and completeness of key documents such as the organization's open source policy, clearing process, and staffing. This phase serves to familiarize the auditors with the organization and vice versa.
  • Stage 2 is a more detailed and formal compliance audit, where the open source compliance program is independently audited against the requirements set out in ISO/IEC 5230. Auditors look for evidence to confirm that the management system has been properly designed and implemented and is actually in operation. Certification audits are usually performed by ISO/IEC 5230 lead auditors. Passing this phase results in the open source quality program being certified as compliant with ISO/IEC 5230.
Continuous means that follow-up reviews or audits are conducted to confirm that the organization continues to be compliant with the standard. Maintenance of certification requires periodic re-audits to confirm that the quality open source compliance program continues to function as specified and intended. These should occur at least annually, but are often conducted more frequently, especially while the Quality Open Source Compliance Program is still under development.
Additionally, ISO/IEC 5230 is functionally identical to OpenChain 2.1, which enables free self-certification via the project's web app.

Dissemination

On October 19, 2020, the Eclipse Foundation announced that it is the first open source foundation to be certified to ISO/IEC 5230. Several companies, including SAP, Toshiba, Samsung Electronics and LG Electronics have publicly announced their conformance to OpenChain.
In April 2017 The first strategic advisors, Catharina Maracke and Matija Šuklje were announced as the first strategic advisors for the project.