§3.6 Adherence to the Specification
1 - §3.6.1 Conformance
1. Clause Overview
To receive official recognition of ISO/IEC 5230 conformance, the program defined in §3.1.4 must be confirmed in a document as satisfying all requirements of this specification. §3.6.1 is the stage for officially affirming that all clauses from §3.1 through §3.5 have been satisfied. This clause is the final confirmation procedure that completes adherence to the specification, requiring the organization’s official confirmation that the program satisfies all requirements of ISO/IEC 5230:2020 version 2.1.
2. What to Do
- Conduct a self-assessment to verify that all verification material items (24 items) for all clauses from §3.1 to §3.5 are in place.
- Write a document confirming that the program satisfies all requirements of ISO/IEC 5230 within the scope of application defined in §3.1.4.
- Record the reviewer, approver, and confirmation date in the confirmation document.
- Choose an appropriate certification method — self-certification, independent assessment, or third-party certification — and proceed.
3. Requirements and Verification Materials
| Clause | Requirement | Verification Material(s) |
|---|---|---|
| §3.6.1 | In order for a program to be deemed conformant with this specification, the organization shall affirm that the program satisfies the requirements presented in this document (version 2.1). | 3.6.1.1 A document affirming the program specified in §3.1.4 satisfies all the requirements of this specification. |
4. How to Comply and Samples by Verification Material
3.6.1.1 Specification Conformance Confirmation Document
How to Comply
A document must be written confirming that all requirements of ISO/IEC 5230:2020 are satisfied within the scope of application defined in §3.1.4. This document is Verification Material 3.6.1.1. It can be written in the form of a checklist confirming compliance for each of the 24 verification material items, or as a general conformance statement.
Before writing, use this guide’s Full Clause Checklist to verify that all verification materials are in place. The document must include the scope of the program being confirmed, the specification version confirmed (ISO/IEC 5230:2020 version 2.1), the confirmation date, and the reviewer and approver.
Considerations
- Self-assessment first: Before writing the document, conduct a self-assessment of all 24 verification material items to confirm there are no missing items.
- Specify specification version: Specify the specification version confirmed in the document (ISO/IEC 5230:2020 version 2.1).
- Approval process: Formalize the document through review by the Open Source Program Manager and approval by management or the OSRB.
- Update cycle: After a new version of the specification is published, re-confirm based on the latest version within 18 months (see §3.6.2).
Sample
The following is a sample ISO/IEC 5230 specification conformance confirmation document.
[ISO/IEC 5230 Specification Conformance Confirmation]
Program name: [Company name] Open Source Compliance Program
Scope of application: [Enter scope defined in §3.1.4]
Specification confirmed: ISO/IEC 5230:2020 (version 2.1)
Confirmation date: YYYY-MM-DD
This document confirms that the above program satisfies all requirements of
ISO/IEC 5230:2020 from §3.1 to §3.6.
Summary of conformance items:
- §3.1 Program Foundation (5 clauses, 8 verification materials): Satisfied ✓
- §3.2 Relevant Tasks (2 clauses, 7 verification materials): Satisfied ✓
- §3.3 Content Review and Approval (2 clauses, 3 verification materials): Satisfied ✓
- §3.4 Compliance Artifacts (1 clause, 2 verification materials): Satisfied ✓
- §3.5 Community Engagement (1 clause, 3 verification materials): Satisfied ✓
- §3.6 Adherence to the Specification (2 clauses, 2 verification materials): Satisfied ✓
Reviewer: [Open Source Program Manager name]
Approver: [Management or OSRB head name]
Approval date: YYYY-MM-DD
5. References
- ISO/IEC 5230 self-certification: https://certification.openchainproject.org/
- Full clause checklist: ISO/IEC 5230 Conformance Guide
2 - §3.6.2 Duration
1. Clause Overview
ISO/IEC 5230 conformance does not remain valid indefinitely once obtained. When a new version of the specification is published, a program that was conformant against the previous version retains its conformance for only 18 months after the new version is published. §3.6.2 requires organizations to maintain a document confirming that the program meets all requirements of the specification within the past 18 months of obtaining conformance. This clause serves as a mechanism to ensure that open source compliance programs remain continuously operational rather than stopping at formal certification.
2. What to Do
- Record and manage the date on which conformance was obtained.
- Re-confirm and document, within 18 months of obtaining conformance, that the program still meets all requirements of the specification.
- If a new version of the specification is published, update the program to meet the latest version and re-confirm within 18 months.
- Conduct periodic internal audits to verify that the program maintains continuous compliance.
3. Requirements and Verification Materials
| Clause | Requirement | Verification Material(s) |
|---|---|---|
| §3.6.2 | A program that is conformant with this specification shall remain conformant even if the version of the specification it was conformant against is subsequently updated, for a period of 18 months after the new version of the specification is published. It is recommended that conformant programs be updated to be conformant with the latest version of the specification. | 3.6.2.1 A document affirming the program meets all the requirements of this version of the specification, within the past 18 months of obtaining conformance. |
4. How to Comply with Each Verification Material
3.6.2.1 Document Confirming All Requirements Met Within 18 Months
How to Comply
A document confirming that the program still meets all requirements of the specification must be maintained within 18 months of obtaining conformance. This document constitutes Verification Material 3.6.2.1. The simplest approach is to periodically review and update the specification conformance document from §3.6.1.1 at least once a year. Each time it is updated, record the review date and reviewer to demonstrate that a review was conducted within the past 18 months.
When a new version of ISO/IEC 5230 is published, update the program to meet the latest version within the 18-month grace period and create a re-confirmation document. Since conformance expires if the grace period is exceeded, it is important to monitor specification revision trends and respond in a timely manner.
Considerations
- Establish a periodic re-confirmation schedule: Conduct a minimum of one annual internal audit to re-confirm and document the validity of all verification material items.
- Monitor specification revisions: Regularly check OpenChain Project announcements for specification revisions and, when a new version is published, establish a plan to respond within 18 months.
- Manage conformance expiration: Register the conformance acquisition date and validity period (18 months) in a calendar or management system to receive renewal reminders before expiration.
- Reflect changes: When organizational structure, product portfolio, or process changes occur, immediately reflect them in the program and update the re-confirmation document.
Sample
Below is a sample periodic re-confirmation record for ISO/IEC 5230 specification compliance.
[ISO/IEC 5230 Specification Conformance Periodic Re-confirmation Record]
Program Name: [Company Name] Open Source Compliance Program
Initial Conformance Date: YYYY-MM-DD
Specification Version Confirmed: ISO/IEC 5230:2020 (Version 2.1)
| Re-confirmation Date | Result | Changes | Reviewer | Notes |
|----------------------|--------|---------|----------|-------|
| 2025-01-10 | Fully Met | Reflected personnel change (§3.2.2.1 updated) | John Doe | - |
| 2026-01-08 | Fully Met | None | John Doe | Next re-confirmation: 2027-01-08 |
Next re-confirmation scheduled: YYYY-MM-DD (within 12 months of last re-confirmation)
18-month validity deadline: YYYY-MM-DD (18 months from last re-confirmation)
Below is a sample response checklist for when a new version of the specification is published.
[ISO/IEC 5230 New Version Response Checklist]
New Version Publication Date: YYYY-MM-DD
Response Deadline (18 months): YYYY-MM-DD
□ Identify changes in requirements between new version and current version
□ Establish program update plan based on changed requirements
□ Complete updates and organize verification materials under new version
□ Create and approve specification conformance document under new version
□ Proceed with self-certification or certification renewal process
5. References
- Check latest OpenChain specification version: https://www.openchainproject.org/license-compliance
- Self-certification renewal: https://certification.openchainproject.org/
- §3.6.1 Conformance: Previous Clause