Just a small point on that FAQ answer, where it says, "Although currently an audit by a third party is not a requirement of the OpenChain specification, a partner or customer may ask for evidence of the Verification Materials as a condition for doing business (e.g., under a Non-Disclosure agreement). . . .”
I would remove the first part where it says, "Although currently an audit by a third party is not a requirement of the OpenChain specification,” - this sort of implies that it may be a requirement in the future. I don’t think that should ever be a requirement - there should always be the option to self-certify (conformance) or hire a third party - which I think is what the ISO example Shane provided explains.
On Oct 5, 2018, at 8:30 AM, Gisi, Mark <Mark.Gisi@...> wrote:
The specification today makes a distinction between conformance (self-certification) and certification (third party audited certification). All the specification wording (including emails) intentionally makes reference to conformance (or conforming) because ONLY a self-certify process exists today. It has been discussed that once we have a third party audit program an organization could declare their program to be "certified" ( = conformance verified by third party). Until such a program is in place conformance is the only option and term to use. This is briefly discussed in the following spec FAQ.
Q: Is a third party audit required to declare an Open Source Compliance program to be OpenChain Conforming?
A: No. At least not yet. The OpenChain 1.2 specification is simply structured to provide a list of requirements where each requirement maintains a set of acceptance criteria (Verification Materials). Each requirement is a description of an important quality an Open Source Compliance program must satisfy. The Verification Materials for a requirement represent a list of tangible artifacts that must exist in order for one to determine the specific requirement has been met. Although artifacts must exist, one is not required to make them public. The key goal of the specification is to foster trust around Open Source compliance between two parties exchanging software. Although currently an audit by a third party is not a requirement of the OpenChain specification, a partner or customer may ask for evidence of the Verification Materials as a condition for doing business (e.g., under a Non-Disclosure agreement). That is, the obligation to provide evidence of the existence of the artifacts, and the willingness to do so, is determined by the relationship entered into by two parties. It has been discussed that a future version of the specification may provide more specific guidelines on how to obtain third party certification, but that is not available today.
From: Shane Coughlan [mailto:coughlan@...]
Sent: Friday, October 05, 2018 1:22 AM
To: Miriam Ballhausen; Gisi, Mark
Cc: Openchain-conformance@...; Openchain-specification@...; openchain@...
Subject: Flagged for OpenChain Conformance+Specification Work Team - Review Needed
Hi Miriam, Mark, everyone on the conformance and specification work teams!
Some questions have popped up about whether it is possible to self-certify to an ISO standard (our target for formal standardization 2019/2020). The answer is yes, with ISO using the terminology of “certified” for third party certification and “conformance” for self-driven efforts.
"An option often overlooked is the fact that a business can be “ISO 9001:2015 compliant” and not have to go through the rigor of a certification audit. The same goes for ISO 14001, 27001, and 45001. This compliance option may meet your customers’ expectations for the implementation of a formal quality management system (QMS) based on the ISO standard. This option can be considered a type of “self-assessment.” With this option, you will still implement a complete QMS but not take the final step of hiring a Registrar to conduct the certification audit, saving you time, money and the stress of “passing” a certification audit."
I wanted to suggest that conformance+specification work teams may want to look at this and consider how we adjust our material to reflect this wording.
Pages that might need review are:
General Manager, OpenChain
p: +81 (0) 80 4035 8083
Professional profile: http://www.linkedin.com/in/shanecoughlan
Get my free book on open source compliance here: