OpenChain (ISO/IEC 5230:2020) Compliance

OpenChain is the first software supply chain standard in the world to take into account modern software development: the assembly of complex software using a wide range of free and open source software components. Orcro has partnered with the Linux Foundation to become the first organisation in the UK authorised to promote its OpenChain compliance programme.

Leading companies like Toyota, Facebook, Google, Intel, Qualcomm, Uber, ARM, LG, Panasonic and Siemens have embraced OpenChain.

OpenChain brings established governance principles to the software supply chain. It adopts best practice from other compliance areas and maps it to software procurement, giving businesses a clear path to minimising infringement risk in procuring, developing and deploying software, with particular emphasis on the use and re-use of free and open source software (“FOSS”) components.

Crucially, for smaller organisations, the compliance programme does not have to be complex, but simply mirrors or adapts existing best practice.

The OpenChain project is backed by the Linux Foundation. It is the only software compliance project designed with the following factors in mind:

  • It adopts the familiar structure of established standards (such as ISO 27001)
  • It’s flexible and versatile and scales with size and type of business
  • It’s backed by organisations from Global 100 companies through to startups
  • It’s developed with input from developers, legal, compliance, management and procurement
  • It manages the legal and associated reputational risks of software licence non-compliance, providing comfort to customers and easing engagement with suppliers.

The OpenChain project has evolved to version 2.1, which is, in many ways, easier to comply with (especially for larger organisations). The next exciting chapter in the OpenChain story is that on 14 December 2020, OpenChain was released as a full ISO standard for open source software compliance: ISO/IEC 5230:2020.

Self-certification provides an inexpensive and rapid path to compliance, but for additional security, Orcro, as one of the first five worldwide pilot partners appointed by the Linux Foundation, can guide organisations through the process, culminating in an external certification of compliance, as a step beyond self-certification.

Orcro can provide a unique combination of legal, process and technical skills.

Led by Andrew Katz, who has a background as both a software developer and one of the country’s leading Free and Open Source Software lawyers, Orcro can guide you smoothly towards the world’s only recognised compliance programme for managing intellectual property risk in the software supply chain.

Technology Neutral

Although we work with products like Black Duck (Synopsys), Palamida (Flexera), FOSSID and (formerly WhiteSource), we retain our neutrality and obtain no commissions from our relationship. This means that we can assess your technology needs independently. Our sole criterion is whether the product provides, in our professional opinion, the best solution to your issues. We frequently find ourselves recommending open source solutions like FOSSology, as well as proprietary solutions like Black Duck. Each product has different strengths, weaknesses and costs, and all of these are relevant when we make any recommendation tailored to a particular client.

For more information, please contact Andrew Katz on