1. Clause Overview
Even participants with the right roles and competencies will participate only in a perfunctory manner if they do not understand the purpose of the open source program and what their own contribution means to the overall compliance framework. §3.1.3 requires the organization to evaluate and record that Program Participants actually understand the program’s objectives, how they contribute, and the consequences of failing to follow the program’s requirements. This clause is the next step after §3.1.2 Competence (possessing knowledge and skills): it supplies the practical motivation by connecting the competence participants hold to the program’s purpose.
2. What to Do
- Verify that Program Participants understand the objectives of the open source program (license compliance, Security Assurance, etc.).
- Evaluate whether each participant is aware of how their role contributes to the overall program operation.
- Verify that participants are aware of the legal and business impacts that may arise from failing to comply with the program’s requirements.
- Conduct awareness assessments periodically and document and retain the results.
- For participants with insufficient awareness, provide additional training and retain re-evaluation results.
3. Requirements and Verification Materials
| Clause | Requirement | Verification Material(s) |
|---|---|---|
| §3.1.3 | The organization shall ensure that the Program Participants are aware of: the existence and location of the open source policy; relevant open source objectives; their contribution to the effectiveness of the program; the implications of not following the program’s requirements. | 3.1.3.1 Documented evidence of assessed awareness for the Program Participants — which should include the program’s objectives, contributions within the program, and implications of failing to follow the program’s requirements. |
4. How to Comply and Samples by Verification Material
3.1.3.1 Documented Evidence of Assessed Awareness
How to Comply
Program Participants must be evaluated on three key areas of awareness, and the results must be recorded. The three key areas are: (1) the program’s objectives (open source license compliance and Security Assurance), (2) how one’s role contributes to the program, and (3) the legal and business impacts of not following the program.
Evaluation methods such as online quizzes, offline surveys, training completion confirmation, and interviews can be combined in various ways. What matters is that the evaluation results are retained as documents; these records are Verification Material 3.1.3.1. Conduct evaluations regularly, at least once a year, and evaluate new participants immediately when they join the program. For participants with insufficient awareness, provide additional training and retain the re-evaluation results together with the original results.
Considerations
- Evaluation scope: Design evaluation questions that cover all three key areas of awareness (objectives, contributions, implications).
- Evaluation cycle: Conduct a regular evaluation at least once a year, and evaluate new participants immediately upon joining.
- Evidence format: Retain in a format that can be submitted during audits, such as quiz results, signed policy acknowledgment forms, and training completion certificates.
- Measures for participants with insufficient awareness: Provide additional training for participants whose evaluation results are insufficient and retain re-evaluation records.
- Accessibility: Keep the policy documents and training materials used for evaluation accessible at all times on the internal portal.
Sample
The following is a sample participant awareness assessment record form. It is filled in at the time of training completion and stored in the LMS or document system.
| Name | Role | Evaluation Item | Evaluation Method | Result | Evaluation Date | Notes |
|------|------|-----------------|-------------------|--------|-----------------|-------|
| Gil-dong Hong | Open Source Program Manager | Understanding of program objectives | Online quiz | Completed (90 points) | 2026-01-15 | - |
| Gil-dong Hong | Open Source Program Manager | Awareness of non-compliance implications | Online quiz | Completed (90 points) | 2026-01-15 | - |
| Chul-su Kim | Developer | Understanding of program objectives | Online quiz | Completed (85 points) | 2026-01-20 | - |
| Young-hee Lee | Security Staff | Awareness of contribution method | Interview | Completed | 2026-01-22 | Interview record retained |
The following is a sample policy acknowledgment form. A signature obtained after training completion can serve as Verification Material.
[Open Source Policy Acknowledgment Form]
I confirm that I have reviewed and understood the following:
1. The existence of the company's open source policy and the location of the document
2. The objectives of the open source license compliance and Security Assurance program
3. How my role contributes to the operation of the open source program
4. The legal and business risks that may arise from failing to comply with open source policies and processes
Name: ________________ Role: ________________
Signature: ____________ Date: ________________
5. References
- Related guide: Enterprise Open Source Management Guide — 5. Training
- Related template: Open Source Policy Template — §6 Training and Awareness