What Is This?
ISO/IEC 18974 defines the key requirements of a quality open source security assurance program. It was previously known as the OpenChain Security Assurance Specification 1.1. It is a de-facto industry standard and a draft ISO/IEC international standard. It will be published as a formal ISO standard in November 2023.
What Does It Do?
ISO/IEC 18974:2023 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.
- The key places to have security processes
- How to assign roles and responsibilities
- And how to ensure sustainability of the processes
ISO/IEC 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources. Pending a successful ballot, it is expected to become a formal ISO/IEC International Standard in mid-2023.
What Should You Do?
From today, you can adopt ISO/IEC 18974 through self-certification or in collaboration with one of our official partners. Your adoption will also be valid for ISO/IEC 18974:2023. The first company to announce a program using ISO/IEC 18974 was Interneuron in the UK, and the first company to announce whole entity adoption was BlackBerry.
Learn More About ISO/IEC 18974
Adopt ISO/IEC 18974
Report Your Adoption
Share With Others
This specification is built from the source material of ISO/IEC 5230:2020, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).
This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.
Past Versions of the Standard
Releases as a Specification
Releases as a Guide
Improving The Standard
ISO/IEC 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and to submit suggestions for improvement. We collect these comments on the OpenChain Security Assurance Specification GitHub Repository. You can add your comments in the “Issues” section.
You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.
Learn More About Our Standardization Status
Joint Development Foundation (JDF), the PAS Submitter used by the OpenChain Project, has provided our Draft International Standard (DIS) number for the OpenChain Security Assurance Specification 1.1. This is the number used in the JTC-1 PAS Transposition ballot process prior to the granting of formal ISO/IEC standard status and obtaining the related ISO/IEC number. The OpenChain Security Assurance Specification 1.1 is now ISO/IEC 18974, OpenChain Security Assurance Specification.