ISO/IEC 18974 — The Standard for Open Source Security

ISO/IEC 18974:2023 defines minimum requirements for an open source security assurance programme. It is not a law but a voluntary international standard. Nevertheless, it is effectively indispensable — because it defines what counts as "state of the art".

Why is a voluntary standard relevant? #

All major EU cyber laws refer to international standards:

• DORA Art. 6(2) requires an ICT risk management framework "in accordance with relevant international standards"
• NIS2 Art. 21(1) requires measures "taking into account the state of the art and, where applicable, relevant international standards"
• CRA Recital 34 refers to due diligence measures when integrating open source components

ISO/IEC 18974 is the most relevant standard for open source security. Whoever fulfils it has robust evidence of appropriateness. Whoever does not must justify why their own measures are nevertheless sufficient.

What does ISO/IEC 18974 require? #

The standard comprises 16 core requirements in four areas:

Governance and organisation:

• Written security assurance policy (4.1.1)
• Defined competencies and roles (4.1.2)

Detection and assessment:

• Threat identification in the OSS supply chain (4.1.5 No. 1)
• Method for detecting known vulnerabilities (4.1.5 No. 2)
• Follow-up of identified vulnerabilities (4.1.5 No. 3)
• Communication to customers (4.1.5 No. 4)
• Post-release monitoring for new vulnerabilities (4.1.5 No. 5)
• Continuous security testing before release (4.1.5 No. 6)
• Risk verification before release (4.1.5 No. 7)
• Risk export to third parties (4.1.5 No. 8)

Vulnerability management:

• Public vulnerability channel (4.2.1)
• SBOM creation and maintenance as a continuous process (4.3.1)
• Vulnerability detection per component (4.3.2 No. 1)
• Risk scoring per vulnerability (4.3.2 No. 2)
• Documented remediation per vulnerability (4.3.2 No. 3)
• Post-release monitoring for distributed software (4.3.2 No. 7)

SBOM requirements:

• NTIA minimum elements: Supplier, Name, Version, Dependencies, Timestamp (3.1 normative reference)

Certification #

Certification under ISO 18974 is carried out through the OpenChain programme in an 18-month cycle. It is concrete, auditable evidence that you can present to examiners and supervisory authorities.

How does OTTRIA cover ISO 18974? #

OTTRIA directly fulfils 14 of 16 requirements — including all technical and operational areas: vulnerability detection, SBOM maintenance, risk scoring, remediation, post-release monitoring, and communication. For the detection of known vulnerabilities (4.1.5 No. 2), OTTRIA exceeds the standard by also detecting Silent Fixes in addition to registered CVEs — fixes that do not appear in any public database.

The remaining two requirements — written policy creation and organisational HR awareness — are the client's responsibility. OTTRIA provides templates and advisory support for these.

What does this mean for you? #

Regardless of whether DORA, NIS2, or the CRA applies to you: ISO 18974 provides the benchmark against which your open source security measures are measured. An auditor will ask whether you meet the state of the art. With an ISO-18974-compliant implementation, you have a clear answer.

Further reading #

• What is an SBOM and why is it not enough?
• Practical audit preparation
• OTTRIA compared to other approaches

Want to know how close you are to ISO 18974? Request an initial assessment.