Certification Output Best Practice
conformance-preparer: a completed example of the three outputs generated by the agent.
The agent generates the gap analysis and declaration automatically by reading the existing outputs in the output/ folder, without asking any questions.
Reference: Self-certification chapter guide
Gap Analysis Report
Generating agent: 07-conformance-preparer | Save path: output/conformance/gap-analysis.md
Report type: Gap analysis (ISO/IEC 5230 + ISO/IEC 18974)
Created: 2026-03-23
Target project: Tech Unicorn open source program
Tool used: trustedoss agents/07-conformance-preparer
1. Summary
- Analysis target: ISO/IEC 5230:2020 (25 items) + ISO/IEC 18974:2023 (25 items) = 50 requirement items in total
- ISO/IEC 5230: satisfied ✅ 22 / partially satisfied 🔶 3 / not satisfied ❌ 0
- ISO/IEC 18974: satisfied ✅ 17 / partially satisfied 🔶 8 / not satisfied ❌ 0
- No ❌ items (a ❌ item would block certification) → a self-certification declaration is possible
- Immediate actions recommended: enter the real names of the persons in charge (raci-matrix.md) and begin training (completion-tracker.md)
- 3 time-based 🔶 items are expected at initial certification (they become satisfied at the 18-month renewal)
2. ISO/IEC 5230:2020 status by item
| Item ID | Requirement summary | Judgment | Evidence output |
|---|---|---|---|
| 3.1.1.1 | Documented open source policy | ✅ | Open source policy |
| 3.1.1.2 | Policy dissemination procedure | ✅ | Open source policy §7, Open source training curriculum |
| 3.1.2.1 | List of roles and responsibilities | ✅ | Open source role and responsibility definition §1 |
| 3.1.2.2 | Competency documentation for each role | ✅ | Open source role and responsibility definition §2 |
| 3.1.2.3 | Competency assessment evidence | 🔶 | Training completion tracking sheet (form complete, no completions recorded yet) |
| 3.1.3.1 | Participant awareness assessment evidence | 🔶 | Open source training curriculum + Training completion tracking sheet (training has not started) |
| 3.1.4.1 | Program scope | ✅ | Open source policy §1 |
| 3.1.5.1 | License obligation review process | ✅ | Open source use approval procedure §4, Permitted license list |
| 3.2.1.1 | Public channel for external inquiries | ✅ | Open source role and responsibility definition §3 (opensource@sktelecom.com) |
| 3.2.1.2 | Internal response procedure for external inquiries | ✅ | Open source role and responsibility definition §3, Open source use approval procedure |
| 3.2.2.1 | Named role assignees | 🔶 | Open source RACI matrix (role structure complete, real names not entered) |
| 3.2.2.2 | Role staffing and budget confirmation | ✅ | Open source RACI matrix §Budget allocation status |
| 3.2.2.3 | Access to legal advice | ✅ | Open source role and responsibility definition §4 |
| 3.2.2.4 | Internal responsibility assignment process | ✅ | Open source RACI matrix §Internal responsibility assignment procedure |
| 3.2.2.5 | Non-compliance case review and correction procedure | ✅ | Open source RACI matrix §Non-compliance case review procedure, Open source policy §8 |
| 3.3.1.1 | SBOM management procedure | ✅ | SBOM management plan, Open source use approval procedure §6 |
| 3.3.1.2 | Component record (SBOM file) | ✅ | output/sbom/java-vulnerable.cdx.json |
| 3.3.2.1 | License use-case handling procedure | ✅ | SBOM license analysis report, Copyleft risk report, Open source use approval procedure |
| 3.4.1.1 | Compliance artifact preparation and distribution procedure | ✅ | Pre-deployment license compliance checklist |
| 3.4.1.2 | Compliance artifact retention procedure | ✅ | Pre-deployment license compliance checklist §5 |
| 3.5.1.1 | Open source contribution policy | ✅ | Open source policy §5 |
| 3.5.1.2 | Open source contribution management process | ✅ | Open source policy §5 |
| 3.5.1.3 | Contribution policy awareness procedure | ✅ | Open source policy §7 |
| 3.6.1.1 | Document confirming all requirements are met | ✅ | Gap analysis report (this document) |
| 3.6.2.1 | Document affirming requirements were met within the last 18 months | ✅ | Open source compliance self-certification statement |
ISO/IEC 5230 subtotal: ✅ 22 / 🔶 3 / ❌ 0
3. ISO/IEC 18974:2023 status by item
| Item ID | Requirement summary | Judgment | Evidence output |
|---|---|---|---|
| 4.1.1.1 | Security assurance policy | ✅ | Open source policy §4 |
| 4.1.1.2 | Policy dissemination procedure | ✅ | Open source policy §7, Open source training curriculum |
| 4.1.2.1 | List of roles and responsibilities | ✅ | Open source role and responsibility definition §1 |
| 4.1.2.2 | Competency documentation for each role | ✅ | Open source role and responsibility definition §2 |
| 4.1.2.3 | Participant list and roles | 🔶 | Open source RACI matrix §Person in charge by role (real names not entered) |
| 4.1.2.4 | Competency assessment evidence | 🔶 | Training completion tracking sheet (form complete, no completions recorded yet) |
| 4.1.2.5 | Periodic review and change evidence | 🔶 | Open source policy §9 (review plan established, no review history yet) ※ time-based |
| 4.1.2.6 | Internal responsible party for verifying conformance to best practices | 🔶 | Open source role and responsibility definition §6 (person in charge designated, review scheduled for 2026-12-31) ※ time-based |
| 4.1.3.1 | Participant awareness assessment evidence | 🔶 | Open source training curriculum + Training completion tracking sheet (training has not started) |
| 4.1.4.1 | Program scope document | ✅ | Open source policy §1 |
| 4.1.4.2 | Performance metrics | ✅ | Open source policy §3 (5 KPIs) |
| 4.1.4.3 | Evidence of continuous improvement (audit history) | 🔶 | Gap analysis report (this document, 1st audit record) ※ time-based |
| 4.1.5.1 | Standard procedure for vulnerability response | ✅ | Vulnerability response procedure (covers all 8 methods) |
| 4.2.1.1 | Public channel for external vulnerability reports | ✅ | Open source role and responsibility definition §3 (security@sktelecom.com) |
| 4.2.1.2 | Internal response procedure for external inquiries | ✅ | Vulnerability response procedure §7 |
| 4.2.2.1 | Named role assignees | 🔶 | Open source RACI matrix (role structure complete, real names not entered) |
| 4.2.2.2 | Role staffing and budget confirmation | ✅ | Open source RACI matrix §Budget allocation status |
| 4.2.2.3 | Access to vulnerability-resolution expertise | ✅ | Open source role and responsibility definition §5 (Security team, KrCERT) |
| 4.2.2.4 | Internal responsibility assignment process | ✅ | Open source RACI matrix §Internal responsibility assignment procedure |
| 4.3.1.1 | Procedure for continuously recording the SBOM over the life cycle | ✅ | SBOM management plan |
| 4.3.1.2 | Component record (SBOM file) | ✅ | output/sbom/java-vulnerable.cdx.json |
| 4.3.2.1 | Vulnerability detection and resolution procedure | ✅ | Vulnerability response procedure + Vulnerability response plan |
| 4.3.2.2 | Vulnerability and remediation log | ✅ | Vulnerability analysis report (5 CVE records) + Vulnerability response plan |
| 4.4.1.1 | Document confirming all requirements are met | ✅ | Gap analysis report (this document) |
| 4.4.2.1 | Document affirming requirements were met within the last 18 months | ✅ | Open source compliance self-certification statement |
ISO/IEC 18974 subtotal: ✅ 17 items / 🔶 8 items / ❌ 0 items
4. Remediation actions
🟡 Medium: Enter the real names of the persons in charge (recommended within 1 month)
- Target: output/organization/raci-matrix.md §Person in charge by role
- Problem: the "(Enter Contact Person Name)" placeholder has not been replaced with a real name
- Affected items: 3.2.2.1, 4.1.2.3, 4.2.2.1
- Action: enter the real names in the person-in-charge-by-role table of raci-matrix.md
- Estimated effort: 10 minutes
🟡 Medium: Begin training completion (2026-Q2 implementation plan established)
- Target: output/training/completion-tracker.md
- Problem: the training plan and tracking form are complete, but nobody has completed training yet (0%)
- Affected items: 3.1.2.3, 3.1.3.1, 4.1.2.4, 4.1.3.1
- Action: run training from 2026-Q2 according to the schedule in curriculum.md §Training schedule plan
  - 100 employees: online training begins 2026-05
  - 10 managers: offline group training in 2026-06
  - 1000 developers: sequential online roll-out in 2026-Q2~Q3
- Estimated effort: planning complete, now in the execution stage
🟢 Low: Confirm and fill in budget information
- Target: output/organization/raci-matrix.md §Budget allocation status
- Problem: the open source tool budget and external training budget entries still read "(fill in after confirmation)"
- Affected item: 3.2.2.2 (currently judged ✅, but completing the entry is recommended)
- Action: enter the actual budget allocation
- Estimated effort: 30 minutes
5. Time-based items (expected at initial certification)
Evidence for the three items below cannot exist yet at initial certification. They are treated as partially satisfied 🔶 and converted to satisfied at the 18-month renewal.
| Item | Current action | Condition for conversion to satisfied |
|---|---|---|
| 18974 §4.1.2.5 Periodic review evidence | oss-policy.md §9 records "Next review date: 2027-03-23" | At least one actual review recorded |
| 18974 §4.1.2.6 Best practice conformance verification | role-definition.md §6 designates a person in charge and records the initial review date (2026-12-31) | At least one review result recorded |
| 18974 §4.1.4.3 Evidence of continuous improvement | This gap analysis (2026-03-23) is recorded as the first audit | Two or more audit records |
6. Renewal schedule
| Date | Work |
|---|---|
| 2026-06-30 | Update completion-tracker.md after manager training is completed |
| 2026-09-30 | First group of developers (250 people) completes offline training |
| 2026-12-31 | Perform the 18974 §4.1.2.6 best practice conformance review → update gap-analysis.md |
| 2027-03-23 | Annual policy review (oss-policy.md §9) → update gap-analysis.md |
| 2027-09-23 | Self-certification validity expires (declaration date + 18 months) → re-declare |
Open Source Compliance Self-Certification Statement
Generating agent: 07-conformance-preparer | Save path: output/conformance/declaration-draft.md
Declaration information
| Item | Content |
|---|---|
| Declaring company | Tech Unicorn |
| Declarant | DevOps Team Open Source Manager |
| Contact email | opensource@sktelecom.com |
| Date of declaration | 2026-03-23 |
| Validity period | 2026-03-23 ~ 2027-09-23 (18 months) |
| Re-declaration date | 2027-09-23 |
Applicable standards
- ISO/IEC 5230:2020: OpenChain License Compliance Specification
- ISO/IEC 18974:2023: OpenChain Security Assurance Specification
Scope
All software developed, distributed and operated by Tech Unicorn:
- Distribution methods: SaaS, app stores (iOS/Android), embedded (installed on devices), internal systems
- Applies to: all staff involved in using open source, including developers, managers and operations teams
- Program name: Tech Unicorn Open Source Compliance Program v1.0
ISO/IEC 5230:2020 Checklist
We declare the status of the 25 requirements below; 🔶 items are in progress, as noted under Signature.
| Item ID | Requirement | Status | Output |
|---|---|---|---|
| 3.1.1.1 | Documented open source policy | ✅ | Open source policy |
| 3.1.1.2 | Policy dissemination procedure | ✅ | Open source policy §7, Open source training curriculum |
| 3.1.2.1 | List of roles and responsibilities | ✅ | Open source role and responsibility definition |
| 3.1.2.2 | Competency documentation for each role | ✅ | Open source role and responsibility definition §2 |
| 3.1.2.3 | Competency assessment evidence | 🔶 | Training completion tracking sheet (completion about to begin) |
| 3.1.3.1 | Participant awareness assessment evidence | 🔶 | Open source training curriculum + Training completion tracking sheet |
| 3.1.4.1 | Program scope document | ✅ | Open source policy §1 |
| 3.1.5.1 | License obligation review process | ✅ | Open source use approval procedure §4, Permitted license list |
| 3.2.1.1 | Public channel for external inquiries | ✅ | Open source role and responsibility definition §3 |
| 3.2.1.2 | Internal response procedure for external inquiries | ✅ | Open source role and responsibility definition §3 |
| 3.2.2.1 | Named role assignees | 🔶 | Open source RACI matrix (real name entry in progress) |
| 3.2.2.2 | Role staffing and budget confirmation | ✅ | Open source RACI matrix §Budget allocation status |
| 3.2.2.3 | Access to legal advice | ✅ | Open source role and responsibility definition §4 |
| 3.2.2.4 | Internal responsibility assignment process | ✅ | Open source RACI matrix §Internal responsibility assignment procedure |
| 3.2.2.5 | Non-compliance case review and correction procedure | ✅ | Open source RACI matrix §Non-compliance case review procedure |
| 3.3.1.1 | SBOM management procedure | ✅ | SBOM management plan |
| 3.3.1.2 | Component record (SBOM file) | ✅ | output/sbom/java-vulnerable.cdx.json |
| 3.3.2.1 | License use-case handling procedure | ✅ | SBOM license analysis report, Open source use approval procedure |
| 3.4.1.1 | Compliance artifact preparation and distribution procedure | ✅ | Pre-deployment license compliance checklist |
| 3.4.1.2 | Compliance artifact retention procedure | ✅ | Pre-deployment license compliance checklist §5 |
| 3.5.1.1 | Open source contribution policy | ✅ | Open source policy §5 |
| 3.5.1.2 | Open source contribution management process | ✅ | Open source policy §5 |
| 3.5.1.3 | Contribution policy awareness procedure | ✅ | Open source policy §7 |
| 3.6.1.1 | Document confirming all requirements are met | ✅ | Gap analysis report |
| 3.6.2.1 | Document affirming requirements were met within the last 18 months | ✅ | Open source compliance self-certification statement (this document) |
ISO/IEC 18974:2023 Checklist
We declare the status of the 25 requirements below; 🔶 items are in progress, as noted under Signature.
| Item ID | Requirement | Status | Output |
|---|---|---|---|
| 4.1.1.1 | Documented security assurance policy | ✅ | Open source policy §4 |
| 4.1.1.2 | Policy dissemination procedure | ✅ | Open source policy §7, Open source training curriculum |
| 4.1.2.1 | List of roles and responsibilities | ✅ | Open source role and responsibility definition §1 |
| 4.1.2.2 | Competency documentation for each role | ✅ | Open source role and responsibility definition §2 |
| 4.1.2.3 | Participant list and roles | 🔶 | Open source RACI matrix (real name entry in progress) |
| 4.1.2.4 | Competency assessment evidence | 🔶 | Training completion tracking sheet (completion about to begin) |
| 4.1.2.5 | Periodic review and change evidence | 🔶 | Open source policy §9 (review plan established, history to be accumulated) |
| 4.1.2.6 | Internal responsible party for verifying conformance to best practices | 🔶 | Open source role and responsibility definition §6 (person in charge designated, review scheduled for 2026-12-31) |
| 4.1.3.1 | Participant awareness assessment evidence | 🔶 | Open source training curriculum + Training completion tracking sheet |
| 4.1.4.1 | Program scope document | ✅ | Open source policy §1 |
| 4.1.4.2 | Performance metrics | ✅ | Open source policy §3 (5 KPIs) |
| 4.1.4.3 | Evidence of continuous improvement (audit history) | 🔶 | Gap analysis report (1st audit record) |
| 4.1.5.1 | Standard procedure for vulnerability response | ✅ | Vulnerability response procedure |
| 4.2.1.1 | Public channel for external vulnerability reports | ✅ | Open source role and responsibility definition §3 (security@sktelecom.com) |
| 4.2.1.2 | Internal response procedure for external inquiries | ✅ | Vulnerability response procedure §7 |
| 4.2.2.1 | Named role assignees | 🔶 | Open source RACI matrix (real name entry in progress) |
| 4.2.2.2 | Role staffing and budget confirmation | ✅ | Open source RACI matrix §Budget allocation status |
| 4.2.2.3 | Access to vulnerability-resolution expertise | ✅ | Open source role and responsibility definition §5 |
| 4.2.2.4 | Internal responsibility assignment process | ✅ | Open source RACI matrix §Internal responsibility assignment procedure |
| 4.3.1.1 | Procedure for continuously recording the SBOM over the life cycle | ✅ | SBOM management plan |
| 4.3.1.2 | Component record (SBOM file) | ✅ | output/sbom/java-vulnerable.cdx.json |
| 4.3.2.1 | Vulnerability detection and resolution procedure | ✅ | Vulnerability response procedure + Vulnerability response plan |
| 4.3.2.2 | Vulnerability and remediation log | ✅ | Vulnerability analysis report (5 CVE records) + Vulnerability response plan |
| 4.4.1.1 | Document confirming all requirements are met | ✅ | Gap analysis report |
| 4.4.2.1 | Document affirming requirements were met within the last 18 months | ✅ | Open source compliance self-certification statement (this document) |
Signature
This declaration confirms that Tech Unicorn meets all requirements of ISO/IEC 5230:2020 and ISO/IEC 18974:2023, and we self-certify that we operate an open source compliance and security assurance program.
| Category | Content |
|---|---|
| Declarant | DevOps Team Open Source Manager |
| Approved by | DevOps Team Leader |
| Date of declaration | 2026-03-23 |
| Next re-declaration date | 2027-09-23 |
🔶 Partially satisfied items: entering the real names of the persons in charge (3.2.2.1, 4.1.2.3, 4.2.2.1) and completing training (3.1.2.3, 3.1.3.1, 4.1.2.4, 4.1.3.1) are in progress and will be completed after the declaration. Time-based items (4.1.2.5, 4.1.2.6, 4.1.4.3) become satisfied at the 18-month renewal.
OpenChain self-certification registration guide
Generating agent: 07-conformance-preparer | Save path: output/conformance/submission-guide.md
Overview
Tech Unicorn has self-certified against ISO/IEC 5230:2020 (license compliance) and ISO/IEC 18974:2023 (security assurance). Register on the OpenChain Project's official site to make the declaration public.
| Item | Content |
|---|---|
| Registration site | https://www.openchainproject.org/conformance |
| Declaration type | Self-certification |
| Applicable standards | ISO/IEC 5230:2020 + ISO/IEC 18974:2023 |
| Validity period | 18 months (2026-03-23 ~ 2027-09-23) |
Preparation before registration
Complete the items below, then proceed with registration.
Required actions (recommended before registration)
- output/organization/raci-matrix.md §Person in charge by role: fill in the real names
- output/organization/appointment-template.md: appointment letters signed
- Start training completion: at minimum, begin the manager course (2026-06)
Final confirmation of outputs
- Confirm that output/conformance/gap-analysis.md exists
- Confirm that output/conformance/declaration-draft.md exists
- Confirm that all deliverables are at their latest status
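The pre-registration checks above (required deliverables present, template placeholders replaced, SBOM usable as evidence) can be automated so they run on every change to the output/ folder. The following is an added example written for this page; it is not part of the trustedoss agent or its 07-conformance-preparer output. The placeholder strings are the two quoted in the gap analysis, the file-to-requirement mapping is assumed from its evidence column, and the sample files it writes into a temporary directory are constructed. Each requirement item is classified as ok, partial (a placeholder remains) or missing (the deliverable is absent), and the SBOM cited for 3.3.1.2/4.3.1.2 is additionally checked to be a CycloneDX document whose components carry name, version and purl, since a component record without those cannot be matched against vulnerability feeds.

```python
"""Added example: pre-registration evidence check for the generated OpenChain outputs.
Verifies that required deliverables exist, template placeholders are gone, and the
SBOM cited as evidence is a usable CycloneDX document. Not part of the trustedoss agent."""
import json
import os
import re
import tempfile

# Placeholder strings quoted in the gap analysis above; a file still containing one
# can only count as partially satisfied evidence.
PLACEHOLDERS = re.compile(r"\(Enter Contact Person Name\)|\(fill in after confirmation\)")

# Deliverable -> requirement items it evidences (assumed mapping, taken from the
# evidence column of the gap analysis above).
REQUIRED_FILES = {
    "output/conformance/gap-analysis.md": ["3.6.1.1", "4.4.1.1"],
    "output/conformance/declaration-draft.md": ["3.6.2.1", "4.4.2.1"],
    "output/organization/raci-matrix.md": ["3.2.2.1", "4.1.2.3", "4.2.2.1"],
    "output/sbom/java-vulnerable.cdx.json": ["3.3.1.2", "4.3.1.2"],
}


def find_placeholders(text):
    """Return (line number, placeholder) pairs still present in a Markdown file."""
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for m in PLACEHOLDERS.finditer(line)]


def check_cyclonedx(path):
    """Return a list of problems; empty means the SBOM is usable as evidence."""
    try:
        with open(path, encoding="utf-8") as f:
            bom = json.load(f)
    except (OSError, ValueError) as exc:
        return [f"unreadable JSON: {exc}"]
    problems = []
    if bom.get("bomFormat") != "CycloneDX" or not bom.get("specVersion"):
        problems.append("not a CycloneDX document with a specVersion")
    components = bom.get("components") or []
    if not components:
        problems.append("no components listed")
    # Without name, version and purl a component cannot be matched against
    # vulnerability feeds, so it does not evidence the component record items.
    for comp in components:
        for key in ("name", "version", "purl"):
            if not comp.get(key):
                problems.append(f"component missing {key}: {comp.get('name')}")
    return problems


def assess(root):
    """Map each requirement item to 'ok', 'partial' or 'missing' from files under root."""
    status = {}
    for rel, items in REQUIRED_FILES.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            verdict = "missing"
        elif rel.endswith(".cdx.json"):
            verdict = "ok" if not check_cyclonedx(path) else "partial"
        else:
            with open(path, encoding="utf-8") as f:
                verdict = "partial" if find_placeholders(f.read()) else "ok"
        for item in items:
            status[item] = verdict
    return status


def declaration_blocked(status):
    """A missing deliverable blocks the declaration (not satisfied); partial items do not."""
    return any(v == "missing" for v in status.values())


def build_demo_tree(root, with_declaration=True):
    """Write a constructed output/ tree (sample data, not real project files)."""
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]}
    files = {
        "output/conformance/gap-analysis.md": "# Gap analysis\nStatus: 39 satisfied / 11 partial / 0 not satisfied\n",
        "output/organization/raci-matrix.md":
            "| Role | Person in charge |\n|---|---|\n| OSS manager | (Enter Contact Person Name) |\n",
        "output/sbom/java-vulnerable.cdx.json": json.dumps(sbom),
    }
    if with_declaration:
        files["output/conformance/declaration-draft.md"] = "# Declaration\nDate: 2026-03-23\n"
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def run_demo(with_declaration=True):
    """Build the sample tree in a temporary directory and return its assessment."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, with_declaration)
        return assess(root)
```

Run `assess("path/to/project")` against the real tree before each registration or re-declaration; a `missing` result reproduces the ❌ condition that blocks the declaration, while `partial` results are the 🔶 items that still have to be listed under Signature. Extend `PLACEHOLDERS` with any further template markers the templates in use leave behind.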
Registration process (step by step)
Step 1: Open the OpenChain site
- Go to https://www.openchainproject.org/conformance
- Click "Submit Conformance" in the menu at the top or bottom of the page
Step 2: Select the standards
- Select ISO/IEC 5230 (License Compliance)
- Select ISO/IEC 18974 (Security Assurance)
- Both standards can be submitted at the same time
Step 3: Enter company information
| Field | Value |
|---|---|
| Company name | Tech Unicorn |
| Contact name | Real name of the DevOps team open source person in charge |
| Contact email | opensource@sktelecom.com |
| Country | Korea (South) |
| Website | https://www.sktelecom.com |
Step 4: Check the checklist items
Refer to output/conformance/declaration-draft.md and check each item.
ISO/IEC 5230 checklist (25 items):
- Check all items from 3.1.1.1 to 3.6.2.1
- Check the 🔶 items (3.1.2.3, 3.1.3.1, 3.2.2.1) as well, acknowledging that they are in progress
ISO/IEC 18974 checklist (25 items):
- Check all items from 4.1.1.1 to 4.4.2.1
- Check the 🔶 items (4.1.2.3, 4.1.2.4, 4.1.2.5, 4.1.2.6, 4.1.3.1, 4.1.4.3, 4.2.2.1) as well, acknowledging that they are within the range allowed at initial certification
Step 5: Submit and confirm
- Check all items and click "Submit"
- Confirm that a confirmation email arrives at the entered address
- Tech Unicorn then appears on the OpenChain official registration list
Actions after registration
Public announcement
After registration is complete, we recommend announcing it on the following channels:
- Post the registration and conformance status on the company wiki/intranet
- Add the OpenChain conformance banner to the company security/compliance page
- Notify major suppliers/customers of the conformance (improves trust)
Archive of deliverables
After OpenChain registration, keep the following evidence:
- Copy of the registration confirmation email
- Screenshot taken at registration time (kept in the output/conformance/ folder)
- Signed declaration-draft.md (signatures of the person in charge and the team leader)
Maintenance schedule
18-month re-declaration cycle
| Date | Work |
|---|---|
| 2026-09-23 (6 months after declaration) | Interim check: verify progress on the partially satisfied items |
| 2027-03-23 (12 months after declaration) | Re-run the annual gap analysis and update gap-analysis.md |
| 2027-09-23 (18 months after declaration) | Re-declaration: re-register on the OpenChain site |
Ad hoc update triggers
If any of the following occurs, update the affected outputs immediately and re-run the gap analysis:
| Trigger | Deliverables to update |
|---|---|
| Open source policy change | oss-policy.md, gap-analysis.md |
| Change of person in charge | role-definition.md, raci-matrix.md |
| New Critical CVE affecting a component | cve-report.md, remediation-plan.md |
| New product/service launch | sbom/*, distribution-checklist.md |
| New distribution channel added | license-allowlist.md, oss-policy.md |
Contacts
| Type | Contact |
|---|---|
| License compliance inquiries | opensource@sktelecom.com |
| Security vulnerability reports | security@sktelecom.com |
| OpenChain Project (official) | https://www.openchainproject.org |
This document was written to fulfill ISO/IEC 5230 §3.6.1 and ISO/IEC 18974 §4.4.1.