ISO 5230 – Building trust in the supply chain

Your expert for questions

Marcel Scholze
Director at PwC Germany
Tel: +49 69 9585-1746
Email

Reduce the OSS compliance risk in the supply chain through an ISO/IEC 5230:2020 certification

Open Source Software is freely accessible code. However, this does not mean that the code may be used without restrictions. Open Source Software is also subject to license regulations, which must be adhered to. A violation of the license terms can lead to loss of reputation, claims for damages or injunctions. For this reason, providers of products with OSS components have a great interest in working with trustworthy partners and suppliers.

The background: Open Source Software is not only found in pure software products

Rather, the end product may not be a software, but contains software. In a world that is becoming more digital and smarter, software and thus also Open Source Software can be found in products ranging from children's toys, televisions, refrigerators or heating systems, to IoT devices, medical technology, motor vehicles and other means of transport, to production and industrial plants and smart factories. The areas of application cannot be listed exhaustively. An OSS component is not necessarily the most essential part of the product, may not represent the main functionality, but as one of many components, it contributes to the overall functionality of the product. Open Source Software is often hidden in the depths of programming, flows into an end product through externally procured software delivery services or through externally procured parts and component deliveries.

Who is on top of the correct use and compliance with the licensing requirements of all components and who ensures this?

You may, for example, be in the role of a purchasing company that procures products from external companies, refines them and brings them to market as an end product. Or you may be in the role of the supplying company that sells products and services. In both cases, you are responsible for ensuring compliance with the appropriate Open Source Software license terms. Due to the crucial financial and reputational risks resulting from improper use of OSS, companies are going over to demanding assurances from their suppliers via purchasing guidelines that either no OSS is built into the goods and services or compliance with the licenses is ensured and the corresponding Bill of Materials is provided.

If the supplier of software does not sufficiently ensure this, the buyer side will incur a high financial and time expenditure. In cases where the source code is handed over, scans of the supplied software must be carried out. In other cases, lengthy clarifications with the suppliers may be necessary. By means of a certification, the purchasing companies can already ensure during the purchasing process that their suppliers comply with the necessary quality and compliance requirements in the area of the use of Open Source. Complex testing and approval processes for OSS compliance of external supplies can be adapted in a risk-oriented manner both in terms of frequency and scope.

Benefits of the ISO 5230 certification

Creating trust in the supply chain, for example through the PwC Independent OSS-Audit, involves a lot of effort. Often, supplier audits of this type are not comparable, as individual suppliers only audit a supply chain according to their own criteria and place the results under NDAs. An internationally recognized standard, the ISO/IEC 5230:2020 can reduce these efforts in Open Source compliance audits. Through this certificate, suppliers can be audited once for several supply chains, making individual audits obsolete.

Suppliers will benefit from ISO 5230 certifications in invitations to tender, in the initiation of contracts and in negotiations with purchasing departments. At the same time, they will benefit from the outwardly presentable proof of OSS compliance when selling their products and services, as they create confidence in their products.