Hi, Andras here with The Open Group. So your organization wants to become a trustworthy technology provider, especially after the latest supply chain security attacks. Good news? We got you covered. This is the first in a series of videos on understanding the O-TTPS certification process. And don't forget to check out the other videos from my colleagues in the Trusted Technology Forum.

So first things first, there are actually two Trusted Technology Provider Certification Programs. One for organizations, the other for people. And in this video series, we will focus on the organizational certification against ISO 20243 conformance criteria. So your organization can become certified by following proven Trusted Technology Provider Practices. Keep a watch out here for more videos on both these topics.

The Open Trusted Technology Provider Standard defines industry best practices for mitigating supply chain risk across the technology product lifecycle, from inception through development into sustainment and finally disposal or deprecation. O-TTPS is also known as ISO/IEC 20243 or just ISO 20243, an international standard. The certification program is an organizational assessment against the controls to mitigate supply chain risk across the manufacturing, development, and distribution lifecycle. This is a certification that is applicable for information and communication technology vendors, integrators, and their channel suppliers.

Like all certifications against any standard, terminology reigns supreme. So it's important you learn the standard and certification terminology. Here are some terms and definitions that are essential for successful certification, and you can find more in each of the document glossaries. You might want to pause the video here to become familiar with these terms.

Here's a diagram that depicts the standards and certification process. The standards authority is responsible for developing and maintaining the standard.
The certification authority manages, maintains, and awards certifications. Any references to organization refer to the technology provider seeking certification. Now, recognized third-party assessors must go through training to become certified themselves and are responsible for evaluating an organization's claim of conformance during the certification process. Once certified, an organization, well, they become a Trusted Technology Provider and are placed into the certification registry for customer validation. You can determine how much information you want to externalize there. The certification authority provides certification and testing services, and in this case it will be The Open Group.

So your organization has recognized the need to become a certified Trusted Technology Provider. Well, let's talk about that journey that you're about to embark on. Our journey has three primary phases. The guidance here is based on observed best practices for successful certification.

First, your organization must learn about the standard, the underlying practices and controls, and determine if they meet those requirements. If not, remediation must be implemented before continuing. Many organizations use the certification process and guidance as a way to enforce and implement supply chain risk management practices across their organization. In other words, the certification becomes the forcing function.

Once the internal organization assessment has determined you're ready, it's time to prepare for certification. Preparation is essential for a successful assessment. Your company will need to empower individuals who are able to gather and manage the certification documentation and support the assessor as they complete their evaluation. As importantly, your organization will define a certification scope and document how controls and practices are applied to mitigate risks to your technology supply chain.
Once you work with and support the recognized assessor as they review the evidence and potentially request additional supporting documentation that meets the claims of your scope.

The certification assessment policy defines three formal phases an organization must complete to obtain certification. In the first phase, the organization must formally define their certification scope in a document called the ISCA, or Implementation Selection Criteria Application. It's the certification authority's responsibility to validate the submission of the ISCA. The scope of assessment refers to the description of the organizational structure being assessed. For example, a vendor's operating system product line would be an example of what would be documented in the scope.

In phase two, after the ISCA and application have been accepted, the organization must provide documented evidence that supports their claim made in the ISCA in a certification package.

In phase three, a recognized assessor is assigned by the certification authority to evaluate the organization's certification package against the certification conformance criteria. This is done using the evidence provided to support the claims in the ISCA or certification scope. The scope defines a set of selected representative products that serve as samples for the assessor to validate the implemented controls and practices as described by the organization's implementation evidence. Implementation evidence is supported by artifacts that show how the required process has been applied to the selected representative products. Should the assessor determine that the claims are not supported by the evidence, then the organization must remediate the unsubstantiated claims and implement the missing necessary controls and practices. This of course can be avoided if your organization follows the best practice journey previously discussed.

Alright, your organization is ready to join the ranks of those certified as Trusted Technology Providers.
Here's a list of all the documentation and the link to the certification site where it's found, and there are three really very important documents to get started with. They are the standard, the ISCA, and the assessment requirements and procedures. It's important to note that not all the requirements defined in the standard are required for certification. Those best practices controls that are required by the standard are identified as must versus should implement requirements. In addition, the development of the ISCA scoping document will further refine which requirements are applicable to a particular provider. For example, those requirements not applicable for a channel provider may exclude some product lifecycle manufacturing controls. It depends on where in the product lifecycle your organization does business. And don't forget, there are consultants ready to help understand these nuances. Just reach out to the certification authority to get a list.

Well, thanks for listening, and in subsequent videos I'll dive down into the conformance criteria and the specifics of creating a certification scope. And hey, don't forget to subscribe to our blog, download the publications, get engaged in the OTTF, and become a Trusted Technology Provider. Thank you.