What Is ISO/IEC 18974?
ISO/IEC 18974:2023 defines the key requirements of a quality open source security assurance program. It was previously known as the OpenChain Security Assurance Specification 1.1. It is a de-facto industry standard and a draft ISO/IEC international standard. It was published as a formal ISO standard in December 2023.
Already Conformant? Let Us Know About Your Adoption:
What Does ISO/IEC 18974 Do?
ISO/IEC 18974:2023 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.
It identifies:
- The key places to have security processes
- How to assign roles and responsibilities
- And how to ensure sustainability of the processes
ISO/IEC 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources.
What Should You Do?
You can adopt ISO/IEC 18974 through self-certification or in collaboration with one of our official partners. Your adoption will also be valid for ISO/IEC 18974:2023.
Read ISO/IEC 18974:
Note: the OpenChain version and the ISO version are functionally identical.
Conformance to one is the same as conformance to the other.
Adopt ISO/IEC 18974:
Report ISO/IEC 18974 Adoption:
Past Versions of the Standard:
Releases as a Specification:
Releases as a Guide:
History of ISO/IEC 18974
This specification is built from the source material of ISO/IEC 5230:2020, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).
This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.
Improving ISO/IEC 18974
ISO/IEC 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and to submit suggestions for improvement. We collect these comments on the OpenChain Security Assurance Specification GitHub Repository. You can add your comments in the “Issues” section.
You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.