1. Clause Overview
ISO/IEC 5230 conformance does not remain valid indefinitely once obtained. When a new version of the specification is published, a program that was conformant against the previous version retains its conformance for only 18 months after the new version is published. §3.6.2 requires organizations to maintain a document confirming that the program meets all requirements of the specification within the past 18 months of obtaining conformance. This clause serves as a mechanism to ensure that open source compliance programs remain continuously operational rather than stopping at formal certification.
2. What to Do
- Record and manage the date on which conformance was obtained.
- Within the past 18 months of obtaining conformance, re-confirm and document that the program still meets all requirements of the specification.
- If a new version of the specification is published, update the program to meet the latest version and re-confirm within 18 months.
- Conduct periodic internal audits to verify that the program maintains continuous compliance.
3. Requirements and Verification Materials
| Clause | Requirement | Verification Material(s) |
|---|---|---|
| §3.6.2 | A program that is conformant with this specification shall remain conformant even if the version of the specification it was conformant against is subsequently updated, for a period of 18 months after the new version of the specification is published. It is recommended that conformant programs be updated to be conformant with the latest version of the specification. | 3.6.2.1 A document affirming the program meets all the requirements of this version of the specification, within the past 18 months of obtaining conformance. |
§3.6.2 Duration
A program that is conformant with this specification shall remain conformant even if the version of the specification it was conformant against is subsequently updated, for a period of 18 months after the new version of the specification is published. It is recommended that conformant programs be updated to be conformant with the latest version of the specification.
Verification Material(s): 3.6.2.1 A document affirming the program meets all the requirements of this version of the specification, within the past 18 months of obtaining conformance.
4. How to Comply with Each Verification Material
3.6.2.1 Document Confirming All Requirements Met Within 18 Months
How to Comply
A document confirming that the program still meets all requirements of the specification must be maintained within 18 months of obtaining conformance. This document constitutes Verification Material 3.6.2.1. The simplest approach is to periodically review and update the specification conformance document from §3.6.1.1 at least once a year. Each time it is updated, record the review date and reviewer to demonstrate that a review was conducted within the past 18 months.
When a new version of ISO/IEC 5230 is published, update the program to meet the latest version within the 18-month grace period and create a re-confirmation document. Since conformance expires if the grace period is exceeded, it is important to monitor specification revision trends and respond in a timely manner.
Considerations
- Establish a periodic re-confirmation schedule: Conduct a minimum of one annual internal audit to re-confirm and document the validity of all verification material items.
- Monitor specification revisions: Regularly check OpenChain Project announcements for specification revisions and establish a response plan within 18 months when a new version is published.
- Manage conformance expiration: Register the conformance acquisition date and validity period (18 months) in a calendar or management system to receive renewal reminders before expiration.
- Reflect changes: When organizational structure, product portfolio, or process changes occur, immediately reflect them in the program and update the re-confirmation document.
Sample
Below is a sample periodic re-confirmation record for ISO/IEC 5230 specification compliance.
[ISO/IEC 5230 Specification Conformance Periodic Re-confirmation Record]
Program Name: [Company Name] Open Source Compliance Program
Initial Conformance Date: YYYY-MM-DD
Specification Version Confirmed: ISO/IEC 5230:2020 (Version 2.1)
| Re-confirmation Date | Result | Changes | Reviewer | Notes |
|----------------------|--------|---------|----------|-------|
| 2025-01-10 | Fully Met | Reflected personnel change (§3.2.2.1 updated) | John Doe | - |
| 2026-01-08 | Fully Met | None | John Doe | Next re-confirmation: 2027-01-08 |
Next re-confirmation scheduled: YYYY-MM-DD (within 12 months of last re-confirmation)
18-month validity deadline: YYYY-MM-DD (18 months from last re-confirmation)
Below is a sample response checklist for when a new version of the specification is published.
[ISO/IEC 5230 New Version Response Checklist]
New Version Publication Date: YYYY-MM-DD
Response Deadline (18 months): YYYY-MM-DD
□ Identify changes in requirements between new version and current version
□ Establish program update plan based on changed requirements
□ Complete updates and organize verification materials under new version
□ Create and approve specification conformance document under new version
□ Proceed with self-certification or certification renewal process
5. References
- Check latest OpenChain specification version: https://www.openchainproject.org/license-compliance
- Self-certification renewal: https://certification.openchainproject.org/
- §3.6.1 Conformance: Previous Clause