The Linux Foundation Projects
Skip to main content
search

ISO/IEC 18974 defines the key requirements of a quality open source security assurance program

How Does ISO/IEC 18974 Work?

ISO/IEC 18974 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.

ISO/IEC 18974 identifies:

  1. The key places to have security processes
  2. How to assign roles and responsibilities
  3. And how to ensure sustainability of the processes

ISO/IEC 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources.

What Should You Do?

You can adopt ISO/IEC 18974 through self-certification or in collaboration with one of our official partners.

Read ISO/IEC 18974:

Read The Standard In English (Official)
Read The Original Version In English (Functionally Identical To ISO Version)

Note: the OpenChain version and the ISO version are functionally identical.
Conformance to one is the same as conformance to the other.

Adopt ISO/IEC 18974:

Online Self-Certification Checklist
Self-Certification Material On GitHub
Get Independent Assessment or Third-Party Certification From Official Partners

Already Conformant? Let Us Know About Your Adoption:

Add your company to our list of conformant organizations

Past Versions of the Standard:

Releases as a Specification:

OpenChain Security Assurance Specification 1.1 (2022-10)
OpenChain Security Assurance Specification 1.0 (2022-09)

Releases as a Guide:

OpenChain Security Assurance Reference Guide 2.0 (2022-03)
OpenChain Security Assurance Reference Guide 1.0 (2021-08)

History of ISO/IEC 18974

This specification is built from the source material of ISO/IEC 5230, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).

This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.

Improving ISO/IEC 18974

ISO/IEC 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and to submit suggestions for improvement. We collect these comments on the ISO/IEC 18974 GitHub Repository. You can add your comments in the “Issues” section.

You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.

Learn More About The Editing Process In Our FAQ