ISO/IEC 15507-01:2025 Secure Software Distribution — Part 1: Requirements for Source Code Integrity and Supply Chain Security

A Comprehensive Guide to the International Standard for Software Supply Chain Risk Management

Introduction

The sharp rise in software supply chain attacks, such as dependency confusion, CI/CD pipeline compromises, and tainted code injections, has prompted global regulators and industry consortiums to demand verifiable provenance for distributed software products. ISO/IEC 15507-01:2025, published under the joint technical committee ISO/IEC JTC 1, establishes a framework for secure software distribution. This international standard, also adopted as CAN/CSA-ISO/IEC 15507-01 in Canada, defines core requirements for source code integrity, cryptographic packaging, and automated verification mechanisms.

Targeted at software vendors, open-source maintainers, system integrators, and procurement organizations, the standard aims to provide a common baseline for verifying that distributed software has not been tampered with during the build, packaging, and release lifecycle.

Scope and Applicability

ISO/IEC 15507-01 covers the entire software distribution chain, from build systems to end-user deployment. Its primary goal is to reduce the risk of malicious artifacts reaching production environments. The scope is divided into three distinct areas:

  • Build Environment Integrity: Requirements for cryptographic signing of source code commits, build logs, and artifact manifests.
  • Artifact Integrity: Mandates the use of signed checksums and cryptographic hashes (e.g., SHA-256 or stronger) for all deliverable packages.
  • Distribution Verification: Specifies a transparent, machine-readable provenance file format (JSON-based) that must accompany each distributed release.

The standard is applicable to all software delivery models, including on-premises installations, container images, cloud-hosted microservices, and firmware updates. It intentionally excludes key management inside isolated hardware such as the Trusted Platform Module (ISO/IEC 11889) and focuses on software-level attestation.

Note: While the standard is international, adopting bodies like CSA (Canada) may include additional regional requirements (e.g., compliance with Canadian Centre for Cyber Security guidelines). Organizations should check with their local standards body for the exact adopted version.

Core Technical Requirements

ISO/IEC 15507-01 organizes its mandatory controls into five categories: Identity Management, Build Pipeline Security, Provenance Recording, Verification Mechanisms, and Incident Response. The key requirement in each category, with its minimum implementation, is summarized below.

B.1.1 (Identity Management)
  • Requirement: All maintainers and build agents must have cryptographic identities (X.509 certificates or W3C DIDs) bound to the organization's public-key infrastructure.
  • Minimum implementation: OIDC-based authentication with MFA; key rotation every 90 days.

B.2.3 (Build Pipeline)
  • Requirement: Every build must produce a signed, time-stamped attestation of the source code origin, including the commit hash and a list of all direct dependencies.
  • Minimum implementation: Use the SLSA provenance schema (Build Level 2).

B.3.2 (Provenance Recording)
  • Requirement: A cryptographically signed SBOM (SPDX or CycloneDX) must accompany all released artifacts. The SBOM must be generated after the final build step, so that it describes what was actually shipped.
  • Minimum implementation: Sign with Ed25519 and ship the detached signature as a separate `.sig` file next to the SBOM.

C.1.1 (Verification)
  • Requirement: Users or automated systems must be able to verify the artifact's signature and the publisher identity without contacting the publisher's server (offline verification must be possible).
  • Minimum implementation: Embed the public key in the provenance file or publish it to a transparency log.

C.2.1 (Incident Response)
  • Requirement: Upon discovering a compromised artifact, the publisher must revoke the associated signing key and issue a revocation notice signed with a different, uncompromised key.
  • Minimum implementation: Publish the revocation on the designated logs within 72 hours.

Implementation Caution: Key management is paramount. The standard demands that signing keys never be stored directly in CI/CD pipelines (for example as pipeline secrets or as files on build agents). Use hardware security modules (HSMs) or cloud-based key management services with non-exportable keys, so that the pipeline can request signatures but never holds the private key itself.

Implementation Highlights

Adopting ISO/IEC 15507-01 can be approached incrementally. Most organizations will need to restructure their build pipelines to ensure provenance is recorded at each step. Key implementation considerations include:

  • Source Code Integrity: Every commit must be signed with a GPG or SSH key. Write access to the repository should require two-factor authentication.
  • Artifact Signing: The standard recommends using a dedicated signing tool (e.g., Sigstore/cosign for OCI images, in-toto for attestation metadata) that integrates with existing CI systems.
  • Transparency Logs: While not mandatory, recording signatures in a public Rekor (or similar) log enhances trust. The standard (Annex C) provides a framework for private transparency logs that can be used by closed-source projects.
  • Dependency Verification: All third-party dependencies must be pinned and their SHA-256 checksums verified during the build, before the dependency is used. The standard specifically references NIST SP 800-218 as a complementary guideline.

For organizations already following NIST SSDF (SP 800‑218) or SLSA (Supply‑chain Levels for Software Artifacts), ISO/IEC 15507‑01 aligns closely with SLSA Build Level 3, but adds specific cryptographic requirements and a mandated SBOM format.
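
The following Go program is an added example, not code from the standard, from the CSA, or from any vendor's tooling. It ties together the mechanisms the requirements above describe: a build-time provenance record that carries the artifact digest, source commit and pinned dependency digests (B.2.3), a detached Ed25519 signature shipped as a `.sig` file (B.3.2), an offline verifier that relies on a public key embedded in the record (C.1.1), and a revocation check (C.2.1). The JSON layout and field names, the hex SHA-256 key fingerprint, the sample artifact bytes, the pinned-key and revoked-key sets, and the error strings are all assumptions made for the demo; the standard's own provenance schema and revocation notice format are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Dependency is one pinned third-party component: its PURL and the SHA-256 the build verified.
type Dependency struct {
	PURL   string `json:"purl"`
	SHA256 string `json:"sha256"`
}

// Provenance is a hypothetical minimal record (not the standard's schema); the public key is embedded for offline checks.
type Provenance struct {
	Artifact     string       `json:"artifact"`
	SHA256       string       `json:"sha256"`
	Commit       string       `json:"commit"`
	Dependencies []Dependency `json:"dependencies"`
	Timestamp    string       `json:"timestamp"`
	PublicKey    string       `json:"publicKey"` // base64 of the raw Ed25519 key
}

func hexDigest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Fingerprint (hex SHA-256 of the raw public key) is the value consumers pin and revoke by.
func Fingerprint(pub ed25519.PublicKey) string { return hexDigest(pub) }

// SignProvenance builds the provenance JSON and returns it with a detached Ed25519 signature
// over those exact bytes (the .sig file). Demo key only; a real pipeline signs in an HSM or KMS.
func SignProvenance(priv ed25519.PrivateKey, name string, artifact []byte, commit string,
	deps []Dependency, ts time.Time) (doc, sig []byte, err error) {
	pub := priv.Public().(ed25519.PublicKey)
	p := Provenance{Artifact: name, SHA256: hexDigest(artifact), Commit: commit, Dependencies: deps,
		Timestamp: ts.UTC().Format(time.RFC3339), PublicKey: base64.StdEncoding.EncodeToString(pub)}
	if doc, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	return doc, ed25519.Sign(priv, doc), nil
}

// VerifyOffline needs no network. The embedded key must match a fingerprint the consumer pinned
// out of band (an embedded key alone proves nothing about who signed) and must not be revoked;
// only then are the detached signature and the artifact digest checked.
func VerifyOffline(doc, sig, artifact []byte, pinned, revoked map[string]bool) (*Provenance, error) {
	var p Provenance
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("provenance: malformed JSON: %w", err)
	}
	pub, err := base64.StdEncoding.DecodeString(p.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return nil, fmt.Errorf("provenance: bad embedded public key")
	}
	switch fp := hexDigest(pub); {
	case !pinned[fp]:
		return nil, fmt.Errorf("provenance: signing key is not a pinned publisher key")
	case revoked[fp]:
		return nil, fmt.Errorf("provenance: signing key revoked")
	case !ed25519.Verify(ed25519.PublicKey(pub), doc, sig):
		return nil, fmt.Errorf("provenance: signature invalid")
	case hexDigest(artifact) != p.SHA256:
		return nil, fmt.Errorf("provenance: artifact digest mismatch")
	}
	return &p, nil
}

// Demo signs a constructed release, then runs the verifier through the happy path and four
// failure modes, returning "ok" or the verifier's error string for each.
func Demo() ([]string, error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand; in-memory demo key
	artifact := []byte("constructed sample artifact bytes for app-1.4.2.tar.gz") // not a real release
	doc, sig, err := SignProvenance(priv, "app-1.4.2.tar.gz", artifact, "4f1c9e2a",
		[]Dependency{{PURL: "pkg:golang/example.com/dep@v1.2.3", SHA256: hexDigest([]byte("dep bytes"))}}, time.Now())
	if err != nil {
		return nil, err
	}
	// The same provenance file with its commit hash edited after signing.
	editedDoc := bytes.Replace(doc, []byte(`"commit":"4f1c9e2a"`), []byte(`"commit":"0000000"`), 1)
	pinned, none := map[string]bool{Fingerprint(pub): true}, map[string]bool{}
	run := func(d, sg, a []byte, pin, rev map[string]bool) string {
		if _, err := VerifyOffline(d, sg, a, pin, rev); err != nil {
			return err.Error()
		}
		return "ok"
	}
	return []string{
		run(doc, sig, artifact, pinned, none),
		run(doc, sig, append([]byte("x"), artifact...), pinned, none), // artifact swapped
		run(editedDoc, sig, artifact, pinned, none),                   // provenance edited
		run(doc, sig, artifact, pinned, pinned),                       // key revoked (C.2.1)
		run(doc, sig, artifact, none, none),                           // unknown publisher
	}, nil
}

func main() { out, err := Demo(); fmt.Println(out, err) }
```

Two design points matter in practice. First, embedding the public key in the provenance file makes verification possible offline, but it does not establish who signed: anyone can generate a key and embed it, so the verifier only accepts keys whose fingerprint the consumer obtained out of band (a pinned publisher key or an entry in a transparency log). Second, the revoked set stands in for the signed revocation notice of C.2.1; a consumer would populate it from that notice or from the designated log before checking a release, which is why the revocation check runs before the signature is even examined.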

Tip: Start with requirements B.2.3 (signed build provenance) and C.1.1 (offline verification). They give the quickest risk reduction and are the easiest to test in a staging CI environment.

Compliance and Certification

Compliance with ISO/IEC 15507‑01 may be self‑declared or third‑party certified, depending on contractual requirements. The standard defines two conformity levels: Core (mandatory for all statements of conformance) and Advanced (recommended for high‑integrity environments). Core includes all requirements marked “B” in the table above; Advanced adds requirements from category “C” plus additional constraints on key lifetimes and backup procedures.

The certification process typically involves an audit of the development infrastructure, build pipeline logs, and a sample of released artifacts. Accredited certification bodies (e.g., those recognized under the IECEE or ISO CASCO framework) will verify evidence such as:

  • A publicly available provenance verification guide.
  • Automatic verification logs from at least three consecutive builds.
  • Signed incident response plans and key revocation test evidence.

For Canadian adopters (CAN/CSA-ISO/IEC 15507-01), the CSA Group provides a specific conformance mark. It is important to note that the Canadian edition may include mandatory language to comply with the Secure Supply Chain provisions of the Communications Security Establishment's (CSE) ITSG-33.

Non‑compliance Warning: Failure to provide machine‑readable provenance or allowing unsigned commits will automatically invalidate a Core conformance claim. These control failures were observed in real‑world audits of 12 major vendors in 2024 (source: ISO/IEC 15507‑01 trial audit report). The standard does not grandfather legacy projects; a transition period is allowed only for existing releases.

Frequently Asked Questions

Q: What is the difference between ISO/IEC 15507‑01 and SLSA (Supply‑chain Levels for Software Artifacts)?
A: SLSA focuses on build integrity levels and is implementation-agnostic. ISO/IEC 15507-01 prescribes specific cryptographic algorithms, provenance file formats, and incident response timelines. They are complementary: an SLSA Build Level 2 pipeline can be upgraded to comply with ISO/IEC 15507-01 Core by adding signed SBOMs and key rotation policies.
Q: Must we use the SPDX SBOM format?
A: The standard allows either SPDX (ISO/IEC 5962) or CycloneDX, as long as the format is publicly documented and the file includes at least the creator, timestamp, and a full list of direct components with their package URLs (PURLs). We recommend SPDX because it is also an ISO standard and simplifies cross‑compliance.
Q: How does this standard affect open‑source projects?
A: Open-source projects can declare conformance by implementing the build-time requirements and setting up a public transparency log. Many foundations (e.g., Linux Foundation, Apache) are already adopting similar practices through Sigstore and in-toto. The standard explicitly encourages per-project attestation without mandatory certification fees for non-commercial projects.
Q: Is ISO/IEC 15507‑01 aligned with US Executive Order 14028?
A: Yes. NIST SP 800‑218 (Secure Software Development Framework) is referenced in Annex D. The standard’s requirement for signed SBOMs and provenance addresses the “self‑attestation” form required by the US Office of Management and Budget for software sold to federal agencies. However, EO 14028 also requires conformance with NIST guidelines, which may impose additional testing requirements.

First published as ISO/IEC 15507‑01:2025. Canadian adoption as CAN/CSA-ISO/IEC 15507‑01 was released in February 2025. This article reflects edition 1.0. Review in 2026.
