ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During a due-diligence review, you must confirm that a software supplier's open-source governance aligns with ISO/IEC 5230:2020 (the OpenChain specification). Which practice would most clearly demonstrate compliance with this standard and thereby strengthen your organization's software supply chain risk management posture?

Encryption of every software bill of materials (SBOM) file using AES-256 before distribution
A documented open-source policy accompanied by mandatory license-compliance training for all developers
ISO/IEC 27001 certification for the supplier's data-center infrastructure
Monthly dynamic application security testing of the supplier's production environment

Report Issue

Answer Description

ISO/IEC 5230 (OpenChain) defines the minimum requirements for a quality open-source license compliance program. Two of its core clauses mandate that an organization maintain a documented open-source policy and ensure all relevant personnel receive appropriate training or can prove equivalent competence. This combination shows that the supplier has formally defined how open-source software may be introduced and managed and that staff understand and follow those rules-directly evidencing conformity with the standard. The other options, while potentially good security measures, are not requirements of ISO/IEC 5230 and do not in themselves prove license-compliance governance as specified by the standard.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.