ISO 5230 – Building trust in the supply chain

The various advantages of Open Source Software (OSS) come out on top. Above all, large investments in Open Source Software communities, projects and platforms by reputable international corporations, which have so far acted as classic, proprietary, closed-source software manufacturers, show that Open

Source Software are on the advance. Especially in the digitalization of products and services, OSS is indispensable. Hardly any of today's products have no digital component or digital service, and most of these contain Open Source Software.

Your expert for questions

Marcel Scholze
Director at PwC Germany
Tel: +49 69 9585-1746

Reduce the OSS compliance risk in the supply chain through an ISO/IEC 5230:2020 certification

Open Source Software is freely accessible code. However, this does not mean that the code may be used without restrictions. Open Source Software is also subject to license regulations, which must be adhered to. A violation of the license terms can lead to loss of reputation, claims for damages or injunctions. For this reason, providers of products with OSS components have a great interest in working with trustworthy partners and suppliers.

The solution provides an internationally recognized and trustworthy certification of Open Source Software management based on OpenChain ISO 5230.

The background: Open Source Software is not only found in pure software products

Rather, the end product may not be a software, but contains software. In a world that is becoming more digital and smarter, software and thus also Open Source Software can be found in products ranging from children's toys, televisions, refrigerators or heating systems, to IoT devices, medical technology, motor vehicles and other means of transport, to production and industrial plants and smart factories. The areas of application cannot be listed exhaustively. An OSS component is not necessarily the most essential part of the product, may not represent the main functionality, but as one of many components, it contributes to the overall functionality of the product. Open Source Software is often hidden in the depths of programming, flows into an end product through externally procured software delivery services or through externally procured parts and component deliveries.

Who is on top of the correct use and compliance with the licensing requirements of all components and who ensures this?

You may, for example, be in the role of a purchasing company that procures products from external companies, refines them and brings them to market as an end product. Or you may be in the role of the supplying company that sells products and services. In both cases, you are responsible for ensuring compliance with the appropriate Open Source Software license terms. Due to the crucial financial and reputational risks resulting from improper use of OSS, companies are going over to demanding assurances from their suppliers via purchasing guidelines that either no OSS is built into the goods and services or compliance with the licenses is ensured and the corresponding Bill of Materials is provided.

The vendor side often faces the challenge over and over again with many clients to confirm the desired assurances of the purchasing departments and to demonstrate that they have the correct and license compliant handling of OSS under control.

If the supplier of software does not sufficiently ensure this, the buyer side will incur a high financial and time expenditure. In cases where the source code is handed over, scans of the supplied software must be carried out. In other cases, lengthy clarifications with the suppliers may be necessary. By means of a certification, the purchasing companies can already ensure during the purchasing process that their suppliers comply with the necessary quality and compliance requirements in the area of the use of Open Source. Complex testing and approval processes for OSS compliance of external supplies can be adapted in a risk-oriented manner both in terms of frequency and scope.

Benefits of the ISO 5230 certification

Creating trust in the supply chain, for example through the PwC Independent OSS-Audit, involves a lot of effort. Often, supplier audits of this type are not comparable, as individual suppliers only audit a supply chain according to their own criteria and place the results under NDAs. An internationally recognized standard, the ISO/IEC 5230:2020 can reduce these efforts in Open Source compliance audits. Through this certificate, suppliers can be audited once for several supply chains, making individual audits obsolete.

Suppliers will benefit from ISO 5230 certifications in invitations to tender, in the initiation of contracts and in negotiations with purchasing departments. At the same time, they will benefit from the outwardly presentable proof of OSS compliance when selling their products and services, as they create confidence in their products.

PwC offers Open Source Software management compliance audits as per ISO 5230 to effectively demonstrate the professional and appropriate handling of Open Source Software towards clients.

“With our PwC audit of OSS Compliance, we build trust in supply chains, which is urgently needed in today's world to minimize risks and work together efficiently.”

Marcel Scholze,Director at PwC and Head of Open Source Software Management and Compliance
Follow us

Contact us

Marcel Scholze

Marcel Scholze

Director Open Source Software Services & IT Sourcing, PwC Germany

Tel: +49 151 16157049

Thomas  Urband

Thomas Urband

Senior Manager, lawyer, PwC Legal AG, PwC Germany

Tel: +49 160 9627-3689