| 1 | + |
| 2 | + |
| 3 | +# Self-Certification Questionnaire |
| 4 | +## The Simple Way To Check OpenChain ISO/IEC 5230:2020 Conformance |
| 5 | + |
| 6 | +Revision 1\ |
| 7 | +2021-11-26 |
| 8 | + |
| 9 | +# Introduction |
| 10 | + |
| 11 | +OpenChain ISO/IEC 5230:2020 is the International Standard for open source license compliance. It is simple, effective and suitable for companies of all sizes in all markets. This standard is openly developed by a vibrant user community and freely available to all. It is supported by extensive reference material and official service provider partners. |
| 12 | + |
| 13 | +You can adopt OpenChain ISO/IEC 5230:2020 by self-certification in your own time or working with a service provider for independent assessment or third-party certification. Our recommended path is self-certification and we provide this questionnaire to support this with a series of "yes" or "no" questions. |
| 14 | + |
| 15 | +We have a lot of resources to support you if you need assistance. You can join our mailing lists, our webinars, our group calls and our regional work groups to discuss challenges with your peers and in your native language. You can get started here: |
| 16 | + |
| 17 | +[[https://www.openchainproject.org/community]{.underline}](https://www.openchainproject.org/community) |
| 18 | + |
| 19 | +As part of our online support you can also self-certify using our web app for free here:\ |
| 20 | +[[https://certification.openchainproject.org/]{.underline}](https://certification.openchainproject.org/) |
| 21 | + |
| 22 | +We have a video discussing online self-certification here:\ |
| 23 | +[[https://www.youtube.com/watch?v=lVM4RH8RRl0]{.underline}](https://www.youtube.com/watch?v=lVM4RH8RRl0) |
| 24 | + |
| 25 | +Online self-certification is the same as this questionnaire. It is just another option. |
| 26 | + |
| 27 | +Finally, if you want direct support from the project you can email |
| 28 | + |
| 29 | +with questions. We provide support for free. The OpenChain Project is funded by our Platinum Members and is designed to help support the global supply chain transition to more effective and efficient open source license compliance. |
| 30 | + |
| 31 | +**Our Platinum Members** |
| 32 | + |
| 33 | + |
| 34 | + |
| 35 | +# The Self-Certification Questionnaire |
| 36 | + |
| 37 | +## Section 1: Program foundation |
| 38 | + |
| 39 | +- Do you have a documented policy governing the open source license compliance of the Supplied Software? |
| 40 | + |
| 41 | +- Do you have a documented procedure to communicate the existence of the open source policy to all Software Staff |
| 42 | + |
| 43 | +- Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program? |
| 44 | + |
| 45 | +- Have you identified and documented the competencies required for each role? |
| 46 | + |
| 47 | +- Have you documented the assessed competence for each Program |
| 48 | + participant? |
| 49 | + |
| 50 | +- Have you documented the awareness of your Program participants on the following topics? |
| 51 | + |
| 52 | + - The open source policy and where to find it; |
| 53 | + |
| 54 | + - Relevant open source objectives; |
| 55 | + |
| 56 | + - Contributions expected to ensure the effectiveness of the Program; |
| 57 | + |
| 58 | + - The implications of failing to follow the Program requirements. |
| 59 | + |
| 60 | +- Do you have a process for determining the scope of your Program? |
| 61 | + |
| 62 | +- Do you have a written statement clearly defining the scope and limits of the Program? |
| 63 | + |
| 64 | +- Do you have a documented procedure to review and document open source license obligations, restrictions and rights? |
| 65 | + |
| 66 | +## Section 2: Relevant tasks defined and supported |
| 67 | + |
| 68 | +- Have you assigned individual(s) responsibility for receiving |
| 69 | + external open source compliance inquiries? |
| 70 | + |
| 71 | +- Is the external open source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)? |
| 72 | + |
| 73 | +- Do you have a documented procedure for receiving and responding to open source compliance inquiries? |
| 74 | + |
| 75 | +- Have you documented the persons, group or function supporting the Program role(s) identified? |
| 76 | + |
| 77 | +- Have the identified Program roles been properly staffed and |
| 78 | + adequately funded? |
| 79 | + |
| 80 | +- Has legal expertise to address internal and external open source compliance been identified? |
| 81 | + |
| 82 | +- Do you have a documented procedure assigning internal |
| 83 | + responsibilities for open source compliance? |
| 84 | + |
| 85 | +- Do you have a documented procedure for handling review and |
| 86 | + remediation of non-compliant cases? |
| 87 | + |
| 88 | +## Section 3: Open source content review and approval |
| 89 | + |
| 90 | +- Do you have a documented procedure for identifying, tracking and archiving information about the open source components in a Supplied Software release? |
| 91 | + |
| 92 | +- Do you have open source component records for the Supplied Software which demonstrate the documented procedure was properly followed? |
| 93 | + |
| 94 | +- Do you have a documented procedure that covers these common open source license use cases for open source components in the Supplied Software? |
| 95 | + |
| 96 | + - Distribution in binary form; |
| 97 | + |
| 98 | + - Distribution in source form; |
| 99 | + |
| 100 | + - Integration with other open source that may trigger additional obligations; |
| 101 | + |
| 102 | + - Containing modified open source; |
| 103 | + |
| 104 | + - Containing open source or other software under incompatible licenses for interaction with other components in the Supplied Software; |
| 105 | + |
| 106 | + - Containing open source with attribution requirements. |
| 107 | + |
| 108 | +## Section 4: Compliance artifact creation and delivery |
| 109 | + |
| 110 | +- Do you have a documented procedure describing the process for ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses? |
| 111 | + |
| 112 | +- Do you have a documented procedure for archiving copies of |
| 113 | + Compliance Artifacts for the Supplied Software? |
| 114 | + |
| 115 | +- Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses? |
| 116 | + |
| 117 | +## Section 5: Understanding open source community engagements |
| 118 | + |
| 119 | +- Do you have a policy for contribution to open source projects on behalf of the organization? |
| 120 | + |
| 121 | +- Do you have a documented procedure governing open source |
| 122 | + contributions? |
| 123 | + |
| 124 | +- Do you have a documented procedure for making all Software Staff aware of the open source contribution policy? |
| 125 | + |
| 126 | +## Section 6: Adherence to the specification requirements |
| 127 | + |
| 128 | +- Do you have documentation confirming that your Program meets all the requirements of this specification? |
| 129 | + |
| 130 | +- Do you have documentation confirming that your Program conformance was reviewed within the last 18 months? |
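Review bot: The introduction's direct-support sentence ("Finally, if you want direct support from the project you can email" followed, after a blank line, by "with questions.") has lost the email address between its two halves, so the contact the questionnaire points readers to is missing; restore the address or the mailto link from the source document. Two smaller points in the same hunk: the three links are written in Pandoc's `[[https://...]{.underline}](https://...)` form, which shows the literal `{.underline}` in plain Markdown and should be reduced to `[https://www.openchainproject.org/community](https://www.openchainproject.org/community)` and likewise for the certification and YouTube links; and the Section 1 question "Do you have a documented procedure to communicate the existence of the open source policy to all Software Staff" is missing its closing question mark. The bold "Our Platinum Members" line is followed only by blank lines, so the member names or logos from the original appear to have been dropped in conversion as well.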