[Improvement] Change review period to 12 months to align with ISO 17021 for certification of management systems
This is a proposal by Marcel from PwC to change the review period required by the Security and License Compliance Specs to 12 months to align with ISO 17021 for certification of management systems.
Full text below:
"I recommend changing the review period to 12 months in the security and the compliance spec, as this is the time frame in a third-party certification for a surveillance audit as per ISO 17021 for certification of management systems. So if companies go with third-party certifications and run into a surveillance audit after 12 months, they could not show a reviewed process and program if they purely follow our spec. However, a third-party certifier might/could/should expect updated/reviewed processes/program. So streamlining these requirements would be good for a next version of the specs."
You will also find this on the security assurance issue tracker here:
OpenChain-Project/Security-Assurance-Specification#35
I would suggest that we might make the following change for both the Licensing and Security Specifications in Section 2.3, OpenChain compliant description, by adding the following text (or similar):
"... as evidenced by documentation produced at the conclusion of a required annual, 12 month, review of the Program."
We discussed this during the Monthly Community call on 20 November 2023 hosted by Mary and myself.
Hi @Dr-wood and all, I think rather than changing the definition of "OpenChain conformant", it might be better to change the parts of section 3, for example:
A program that is OpenChain conformant with this version of the specification shall last [18] months from the date conformance validation was obtained.
Verification material(s):
3.6.2.1 - A document affirming the program meets all the requirements of this specification, within the past [18] months of obtaining conformance validation.
To address this issue, we are adjusting the draft spec, matching ISO 17021 for certification of management systems. This is the same as the text adopted by the Security Spec at this issue: OpenChain-Project/Security-Assurance-Specification#35. This was decided on the Monthly Call 2024-01-16.
===== Original Text =====
3.6.2 - Duration
A program that is OpenChain conformant with this version of the specification shall last 18 months from the date conformance validation was obtained. The conformance validation registration procedure can be found on the OpenChain project's website.
Verification material(s):
- 3.6.2.1 - A document affirming the program meets all the requirements of this document, within the past 18 months of obtaining conformance validation.
===== CHANGE TO =====
3.6.2 - Duration
A Program that is conformant with this version of the specification will have a review period every 12 months.
Verification material(s):
- 3.6.2.1 - A document affirming the Program meets all the requirements of this specification, within the past 12 months of obtaining conformance validation.