OpenChain ISO/IEC 5230 – Security Assurance Reference Guide

The OpenChain Project has a mission to establish trust in the open source from which software solutions are built. The International Standard OpenChain ISO/IEC 5230 addresses this matter from the perspective of open source license compliance. Many of the same processes are equally applicable to open source security, and for this reason we are providing guidance on how they can be applied.


  • Is this a new version of OpenChain ISO/IEC 5230?
    This is a guidance document showing how to use OpenChain ISO/IEC 5230 in the context of security. It does not change or replace OpenChain ISO/IEC 5230.
  • How is this guide formatted?
    The core of the OpenChain Security Assurance Reference Guide uses a similar format to OpenChain ISO/IEC 5230. It is a map enabling a user to transpose the proven processes of OpenChain ISO/IEC 5230 to the security domain.
  • What is the current status of this guide?
    The first iteration of the reference guide focuses on the core process of identifying and addressing “known vulnerabilities.” Over time we will evolve the guide to refine its effectiveness.
  • Does this replace existing security standards?
    The OpenChain Security Assurance Reference Guide should be understood as a method to complement rather than compete with security specific standards.
  • Could companies already meet all the processes outlined in the guide?
    It is quite possible that an organization that is compliant with another given standard will automatically meet all the processes outlined in the OpenChain Security Assurance Reference Guide. This is by design.
  • Do we have to use this document to apply OpenChain ISO/IEC 5230 to security matters?
    No, it is an optional guide.
  • Why did you create this?
    It came to our attention that a growing number of companies were using OpenChain ISO/IEC 5230 to assist in their security activities and we wanted to help.
  • Why is this a worthwhile activity for the OpenChain Project?
    As the OpenChain Project adds additional reference guides over time (e.g., quality, export compliance, malware and functional safety) the value of OpenChain ISO/IEC 5230 will grow.
  • Can we help to improve this guide?
    Of course. This work – as with all activity inside the OpenChain Project – is undertaken by the community of user companies for the benefit of the community.