OpenChain-Project / Security-Assurance-Specification


[Improvement] Change review period to 12 months to align with ISO 17021 for certification of management systems #35

Closed shanecoughlan closed 9 months ago

shanecoughlan commented 1 year ago

This is a proposal by Marcel from PwC to change the review period required by the Security and License Compliance Specs to 12 months to align with ISO 17021 for certification of management systems.

Full text below: "I recommend changing the review period to 12 months in the security and the compliance spec, as this is the time frame in a third party certification for a surveillance audit as per ISO 17021 for certification of management systems. So if companies go with third party certifications and run into a surveillance audit after 12 months, they could not show a reviewed process and program if they purely follow our spec. However a third party certifier might/could/should expect updated/reviewed processes/program. So streamlining these requirements would be good for a next version of the specs."

shanecoughlan commented 1 year ago

You will also find this on the license compliance issue tracker here: https://github.com/OpenChain-Project/License-Compliance-Specification/issues/69

Dr-wood commented 11 months ago

I would suggest that we might make the following change for both the Licensing and Security Specifications in Section 2.3 OpenChain compliant description by adding the following text (or similar)

"... as evidenced by documentation produced at the conclusion of a required annual, 12 month, review of the Program."

We discussed this during the Monthly Community call on 20 November 2023 hosted by Mary and myself.

copernicat commented 11 months ago

hi @Dr-wood and all, I think rather than add a definition to section 2, for this purpose it might be better to change the parts of section 3, for example: 3.4.2 - Duration A program that is OpenChain conformant with this version of the specification shall last [18] months from the date conformance validation was obtained.

Verification Material(s): 3.4.2.1: A document affirming the program meets all the requirements of this specification, within the past [18] months of obtaining conformance validation.

Dr-wood commented 11 months ago

Hi Mary,

Thank you for the response. I was just in the documents looking at the section and agree with you on the section 3 paragraphs would be more appropriate. I will go back and establish that these paragraphs in both draft specifications are numbered and worded similarly before I do another code pull and edit, probably Friday. I'll let you know what I find and edit if you like?

Chris

On Nov 21, 2023, at 10:37 AM, Mary Hardy @.***> wrote:

> hi @Dr-wood and all, I think rather than change the definition of "OpenChain conformant", it might be better to change the parts of section 3, for example: 3.4.2 - Duration A program that is OpenChain conformant with this version of the specification shall last [18] months from the date conformance validation was obtained. Verification Material(s): 3.4.2.1: A document affirming the program meets all the requirements of this specification, within the past [18] months of obtaining conformance validation.


shanecoughlan commented 9 months ago

To address this issue, we are adjusting the draft spec, matching ISO 17021 for certification of management systems. This was decided on the Monthly Call 2024-01-16.

===== Original Text =====

A Program that is conformant with this version of the specification will have a review period as follows: 18 months from the first certification, 24 months from the second certification and 36 months from the third certification. It will require review every 36 months after this.

Verification Material(s):

===== CHANGE TO =====

3.4.2 - Duration

A Program that is conformant with this version of the specification will have a review period every 12 months.

Verification Material(s):

===== End Changes =====

shanecoughlan commented 9 months ago

Also synced with Licensing Spec at this issue: https://github.com/OpenChain-Project/License-Compliance-Specification/issues/69