Open Source Compliance ISO 5230

Marcel, what exactly are Open Source Software Services and what is your relationship with OpenChain?

Marcel Scholze: First of all, thank you for your interest! Our OSS team at PwC provides various services for businesses and the public sector embracing or using Open Source Software. This ranges from compliance audits, due diligence and code scanning to consulting in Open Source strategies, guidelines, processes, training and OSS compliance tooling.

OpenChain as an industry and now ISO standard solves an important problem through a well understood and accepted framework – by its adoption OSS compliance risks in the supply chain can effectively be reduced. As PwC we hold an JBR with th  OpenChain Project of the Linux Foundation and support the development of this framework and its adoption. We build trust in the OSS supply chain through our OSS compliance audits and consulting as per the OpenChain standard.

What are the immediate benefits of OpenChain becoming an ISO standard? Did the self-certification not perform as expected?

Marcel: On the contrary, the self-certification worked very well to get the word out and guide early adopters, and it will also in the future provide a good starting point for OSS compliance. But the limitation of self-certification lies within its name: self.

Especially when you incorporate software or components with embedded software in your business-critical applications, services, and products you rather want to rely on an external third-party certification. While PwC audits already provide trust in OSS compliance – either as per OpenChain v2.1 or tailored to client needs – the ISO certification now manifests the OpenChain as the predominant standard for OSS compliance management and defines the State of Technology.

This ISO standard allows generally comparable and standardized audits and will become the benchmark for every software and smart device producer to display accurate handling of Open Source intellectual property. It will be the base line, the safeguard, the minimum requirement for procurement activities and RFPs where software in some way is involved.

Who should get certified as per the OpenChain ISO 5230?

Marcel: Certifications and audits by external third parties create trust and reliability in the audited entity in relation to the audited subject. Whenever you, as a supplier, want to prove OSS conformity of yourself or when you sit on the other side and need to ensure the OSS conformity of your suppliers, ISO certification is the instrument of choice to provide this proof.

As nowadays most products and services, and generally most software build – in one way or another – on Open Source Software, its compliance is relevant for the majority, but proprietary software vendors and OEMs might have the largest interest.

• Proprietary software vendors are at constant risk of infringing on Open Source licensing or patents. There is a clear intrinsic motive to protect the intellectual property of the company. Protecting their assets by banning open source software for sure is not an option. The ISO 5230 certification can guide the way to a successful and compliant OSS management program and by this reduce such risks.
• OEMs suffer similar risks but as they depend on proprietary products with embedded software in their supply chain the problem is much more complex. Reevaluating all software from their suppliers causes tremendous cost and time. Therefore getting the most critical and important suppliers OSS compliance certified or request such a certification from the suppliers can be very handy to ensure compliance throughout the product creation process and its life cycle.
• Last but not least, businesses heavily reliant on software should consider this standard as well. As with most products, damages and issues often impact the user most. If your day-to-day business relies on a platform, framework, or solution, chances are that many certifications like ISO27001 are already expected to provide a solid foundation of operations, but can the product be sold that way at all or could it legally be taken down due to licensing issues?

Are there any major differences or unexpected changes to the ISO 5230 compared to the OpenChain Standard 2.1?

Marcel: This one is easy to answer: No.

The ISO 5230 is fully based on and in line with the latest OpenChain Standard v2.1 respectively 2.0. So if you are already 2.1 or 2.0 compliant, on your way, or self-certified, you can easily get ISO certified.

When auditing OSS compliance, what are clients most surprised about? Does their understanding differ largely from PwC requirements?

Marcel: Most companies are surprised that Open Source management is not confined to tech. Of course it is relevant how Open Source is actively used in development or the product and of course we want to see evidence and reasoning behind clearing decisions. But Open Source doesn’t just enter an organization via software development. Think of procurement – if a cloud hoster infringes on licenses in their management interface, a supplier infringes on licenses in smart devices or a SaaS provider infringes on licenses in their product. If one of them loses usage rights – so does the whole supplychain.

So, when we audit OSS compliance, the legal department,procurement, sales, as well as product development and IT are in focus – and our audit is not a tick box exercise. We enter into a dialogue to understand the details, we perform sample testing and reperformance of processes to not only scratch the surface but gain deep insights into the OSS compliance management. Clients gave us the feedback that they did not think that such a meaningful assessment would be carried out and that they can take a lot away with them.

This sounds like a good concluding statement! Thanks, Marcel for this update and the insights.