ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During a due-diligence review, you must confirm that a software supplier's open-source governance aligns with ISO/IEC 5230:2020 (the OpenChain specification). Which practice would most clearly demonstrate compliance with this standard and thereby strengthen your organization's software supply chain risk management posture?

ISO/IEC 27001 certification for the supplier's data-center infrastructure
A documented open-source policy accompanied by mandatory license-compliance training for all developers
Encryption of every software bill of materials (SBOM) file using AES-256 before distribution
Monthly dynamic application security testing of the supplier's production environment

Report Issue

Answer Description

ISO/IEC 5230 (OpenChain) defines the minimum requirements for a quality open-source license compliance program. Two of its core clauses mandate that an organization maintain a documented open-source policy and ensure all relevant personnel receive appropriate training or can prove equivalent competence. This combination shows that the supplier has formally defined how open-source software may be introduced and managed and that staff understand and follow those rules-directly evidencing conformity with the standard. The other options, while potentially good security measures, are not requirements of ISO/IEC 5230 and do not in themselves prove license-compliance governance as specified by the standard.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.