Open Source Software

ISO 5230 / ISO 18974 Certification / Audits

Complying with the global industry standard on Open Source Compliance Management, ISO 5230:2020 and Open Source Security, ISO 18974:2023 is a demanded selling point for your business as companies worldwide seek for security and compliance in software and product supply chains. PwC as the global third-party certifier can audit your OSS practices and issue prove of your compliance.

• Define scope of certification / audit
• Perform audit, phase 1 and phase 2
• Issuance of certification or audit report

ISO 5230 / ISO 18974 Readiness Support and Assessment

To be best prepared for an ISO 5230 / ISO 18974 certification PwC offers readiness support and assessments before certification. Learning from the expert knowledge of PwC through a dry-run assessment and qualified feedback and benchmarking on the status of your Open Source Compliance and Security Management Program increases your speed of optimisation and gives you peace of mind for an upcoming certification.

• Assessment regarding the existence of all necessary processes and documents
• Review of Design-Effectiveness and Operational-Effectiveness via Test-of-Ones
• Report on current expected certifiability, status quo and possible optimisations and certification issues

M&A Open Source Compliance Assessment

In almost every Deal and M&A, software is included in the key assets, if it is not the key asset itself. Open Source Software poses a high risk to the deal’s value, the usability and business-continuity of transferred assets, whether this be physical devices, software, or services. PwC audits and analysis deals’ assets to identify, value, and report these OSS risks.

• OSS risk identification and scoping of assessment based on deal structure, involved assets, and software prevalence 
• Tool-based code scanning, dependency resolution, and license and security evaluation of OSS components 
• Creation of state-of-the-art Software Bill of Materials (SBOM) for in-depth evaluations
• Report and opinion on aspects regarding Open Source compliance and security
• Checking the maturity level of the applied Open Source Software Management System

OSS Compliance & Security Audits of Suppliers

Knowing your suppliers’ OSS Compliance and Security Management maturity is key to reduce internal efforts and avoid double checking external code and artefacts.

• Assessment of your suppliers’ OSS Management practices
• Audit as per individually designed OSS audit program or per ISO 5230 / ISO 18974 requirements
• Spot checks of SBOM and OSS compliance and security artefacts
• Live and transparent dashboarding of progress and issues identified
• Generate trust in your Software Supply Chain through PwC supplier audits

Code Scanning & SBOM Creation

Reduce the need for internal resources, knowledge and tools for code scanning and achieve professional and compliant SBOMs for your products and solutions.

• Usage of PwC OSS compliance tooling (or operation of your toolchain) to scan your source code regarding OSS compliance and security aspects
• Clean-up and curation of identified components
• Clarification and remediation of identified issues, if any
• Provision of complete Software Bill of Materials (SBOM) for your software in defined data formats, e.g. SPDX 2.2.1 / ISO 5962

Suppliers SBOM Verification

Using your suppliers' SBOMs can drastically reduce the internal effort required to check incoming code. We check the correctness and completeness of your suppliers' SBOMs so you can trust them.

• Reviewing SBOMs that you receive from your suppliers
• Verify the correctness of information, completeness and validity per gathered background information and professional judgement
• Where possible, perform detailed review and check of SBOM in cooperation with supplier through code review on supplier side
• Report, discuss, and clarify identified issues and cases of doubt
• Rate and categorize results of review and suggest according further measures, where applicable

OSS Process & Compliance Training

Benefit from first-hand experience of industry experts through OSS Process and Compliance Trainings tailored to your employees’ specific needs.

• Design and align training program
• Perform target group-specific training from new hire up until senior staff per virtual sessions, web-based trainings, and on-site where possible
• Integration in annual compliance assessments including learning success control and its documentation

Supplier OSS Compliance Audits

Knowing your suppliers’ OSS Compliance Management maturity is key to reduce internal efforts and avoid double checking external code and compliance artefacts.

• Assessment of your suppliers’ OSS Compliance Management practices
• Audit as per individually designed OSS compliance audit program or per ISO 5230 requirements
• Spot checks of SBOM and OSS compliance artefacts 
• Live and transparent dashboarding of progress and issues identified, if any
• Generate trust in your Software Supply Chain through trusted channels

OSPO as a Service

Access to cutting-edge OSS industry knowledge on Open Source programs can be your answer to the war of talent and the lack of in-house expertise and capacity.

• First point of contact for all questions regarding OSS compliance management
• Support the whole lifecycle of products and services to stay OSS compliant
• Ad-hoc support for OSS tooling, OSS component, OSS license, OSS integration questions, OSS security
• Check of use case, risk triggers as per use case and according license compliance considerations