Skip to main content

OpenChain Welcomes ISO/IEC 18974:2023, The International Standard For Open Source Security Assurance

KakaoBank is the first company to formally announce conformance to ISO/IEC 18974:2023 adjacent to the ISO publication of the specification.

Learn more about the KakaoBank announcement:

The Linux Foundation, Joint Development Foundation and the OpenChain Project are delighted to announce the publication of ISO/IEC 18974:2023 as an International Standard. Formally known as OpenChain Security Assurance 1.1 or ISO/IEC DIS 18974, this is a simple, clear and effective process management standard for open source security assurance. It allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source security assurance program.

Companies around the world can learn more about ISO/IEC 18974:2023, methods of self-certification, independent assessment or third-party certification, as well as access a large library of reference material at

ISO/IEC 18974:2023 is an open standard and all parties are welcome to engage with our community, learn from their peers, share their knowledge, and to contribute to the future of our standard. There is no charge to access and use our reference material, self-certification or to engage with our numerous calls, webinars, mailing lists and meetings.

“ISO/IEC 18974:2023 is the result of over seven years work in building simple, effective process management specifications for the open source supply chain. As a sister standard to ISO/IEC 5230:2020, the International Standard for open source license compliance, it has a direct pedigree based on decades of open source management experience distilled and applied by hundreds of contributors. It can immediately be used by companies of any sizes to reduce risk, increase efficiency and ensure sustainability around code management.”

Shane Coughlan, OpenChain General Manager

This standard was created with the input of dozens of people across a period of more than a year. The majority of this process was lead by the co-chairs of the OpenChain Specification Work Group, Chris Wood, Fellow at Lockheed Martin and Helio Chissini de Castro, Software Technologies Lead at CARIAD – a Volkswagen Group Company.

“It is a great accomplishment for the OpenChain team’s hard work to have our Software Assurance specification accepted for publication as an Internationally recognized specification by ISO/IEC.”

Chris Wood, Fellow at Lockheed Martin

“ISO/IEC 18974 fills a market gap that OpenChain could effectively address by connecting people. In a world where security and compliance are no longer seen side by side but rather crossing paths, an intelligent approach on how to manage this situation was needed by professionals. OpenChain provided the right people and the right environment to achieve a practical solution based on the approach previously proven via ISO/IEC 5230.”

Helio Chissini de Castro, Software Technologies Lead at CARIAD – a Volkswagen Group Company.

Industry reception has been equally positive, with the follow endorsement from OPPO – an OpenChain Platinum Member – underlining the global applicability of ISO/IEC 18984:2023 for open source security assurance.

“As a core member of OpenChain, OPPO is pleased to see OpenChain’s newly released ISO standard, which aims to ensure the security of the open source software’s supply chain. The development is expected to bring numerous strengths to OPPO and its partners, including enhanced security, improved product quality, and increased competitive advantages. This achievement marks yet another significant milestone in the ongoing development of OpenChain.”

Haydon, Vice President of OPPO and President of Software Engineering

Our official partners at PwC Germany have added their endorsement from the perspective of open source management, regulatory bodies and third-party certification.

“Great joint effort and achievement! As regulatory bodies increasingly recognize the significance of cybersecurity and the necessity for Software Bill of Materials (SBOMs), the introduction of ISO 18974 is a timely and important element for open source management. Its adoption will enhance the resilience and reliability of digital products and services. Furthermore, an external ISO 18974 certification will boost trust within the supply chain and facilitate efficient collaboration.”

Marcel Scholze, Head of Open Source Management Services at PwC Germany

Other companies have previously adopted ISO/IEC 18974:2023 in its OpenChain Security Assurance 1.1 or ISO/IEC DIS 18974:2023 variants, including LG Electronics and BlackBerry. These are functionally identical to ISO/IEC 18974:2023. You can learn more about the companies adopting OpenChain Project standards by visiting our “Community of Conformance” page: