ISO 27001 A.5.32: Intellectual property rights
What This Control Requires
The organization shall implement appropriate procedures to protect intellectual property rights.
In Plain Language
Using unlicensed software or ignoring open-source licence obligations can land your organisation in serious legal trouble - and auditors know exactly where to look. This control covers both respecting other people's IP and protecting your own.
Software licensing is the biggest area here. You need valid licences for everything in use, compliance with licence terms, and no unauthorised copying or distribution. The financial penalties for non-compliance can be substantial, and an audit finding here is entirely avoidable.
Beyond software, think about your own proprietary assets: trade secrets, research data, unique processes, and business methodologies. Protecting these requires confidentiality agreements, proper access controls, information classification, and staff awareness of their responsibilities around IP.
How to Implement
Write an IP protection policy covering both compliance with third-party IP rights and protection of your own. Define what counts as IP in your context and set out the rules clearly.
For software licence compliance, set up a software asset management (SAM) programme. Build an inventory of all software in use - desktop applications, server software, cloud subscriptions, and open-source components. Track licences purchased versus deployed. Reconcile regularly.
Put technical controls in place to manage licensing. Use deployment tools that track installations, prevent unauthorised software via application whitelisting, and monitor compliance. SAM tools that automate tracking and provide dashboards are worth the investment. Run periodic software audits to catch unlicensed or over-deployed software.
For your own IP, classify it at the right sensitivity level and restrict access on a need-to-know basis. Require confidentiality and IP assignment agreements from all employees and contractors. Implement DLP controls to prevent unauthorised exfiltration. Monitor for leakage through email, cloud storage, and other channels.
Do not overlook open-source compliance. Track every open-source component in your products and services, including the transitive dependencies that package managers pull in. Understand the licence obligations for each one: permissive licences such as MIT and Apache 2.0 mainly require attribution (Apache 2.0 also requires NOTICE files to be retained and includes a patent grant), copyleft licences such as the GPL require you to make source available when you distribute derived works, and the AGPL extends that obligation to software offered as a network service. Use software composition analysis (SCA) tools to automate identification and to produce a software bill of materials (SBOM) that can be checked against a written licence policy. Establish a review and approval process for open-source usage, with a defined route for exceptions.
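As an added example (not code from AuditFront or from any SCA vendor), the following script shows the kind of policy check an SCA pipeline runs over an SBOM: it reads a CycloneDX-style document, maps each component's declared SPDX licence to a category, resolves "A OR B" dual-licensing to the most permissive option, and then decides per deployment context whether the component is allowed, blocked, or needs legal review. The SBOM, the component names and the two policy contexts are constructed for illustration; the licence categories reflect the commonly used permissive/weak-copyleft/strong-copyleft/network-copyleft grouping, and which categories a given context may ship is this example's assumption, not an ISO requirement.

```python
"""Licence policy check over a CycloneDX-style SBOM (added example).

The SBOM, component names and policy are constructed for illustration; a real
SBOM would come from an SCA tool or generator such as syft or cyclonedx-bom.
"""
import json

# Constructed sample SBOM, trimmed to the CycloneDX fields this check uses.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "readline-bindings", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "lefthand", "version": "0.4.2",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"name": "mongo-like-store", "version": "5.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "mystery-lib", "version": "0.1.0"},          # nothing declared
        {"name": "odd-lib", "version": "3.3.0",
         "licenses": [{"license": {"name": "Custom Vendor EULA"}}]},  # no SPDX id
        {"name": "dual-licensed", "version": "2.0.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    ],
})

# Categories ordered from least to most restrictive; "unknown" is last so that
# an unrecognised licence can never be treated as acceptable.
RANK = ["permissive", "weak-copyleft", "strong-copyleft", "network-copyleft", "unknown"]

CATEGORY = {
    "MIT": "permissive", "ISC": "permissive", "Apache-2.0": "permissive",
    "BSD-2-Clause": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-2.1-or-later": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

# Assumed policy: which categories each deployment context may use without
# a legal review ticket. Adjust to your own organisation's policy.
POLICY = {
    "distributed-product": {"permissive"},
    "internal-service": {"permissive", "weak-copyleft", "strong-copyleft"},
}


def licence_options(component):
    """Return declared licences as a list of AND-groups (OR-alternatives).

    "MIT OR GPL-2.0-only" -> [["MIT"], ["GPL-2.0-only"]]
    "MIT AND Apache-2.0"  -> [["MIT", "Apache-2.0"]]
    Plain `license` entries are treated as one conjunctive group. Parenthesised
    SPDX expressions are out of scope for this example. Returns [] if nothing
    is declared.
    """
    options, plain = [], []
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            plain.append(lic.get("id") or lic.get("name", "UNKNOWN"))
        elif "expression" in entry:
            for alternative in entry["expression"].split(" OR "):
                options.append([t.strip() for t in alternative.split(" AND ")])
    if plain:
        options.append(plain)
    return options


def classify(options):
    """Worst category inside an AND-group, best across OR-alternatives."""
    if not options:
        return "undeclared"
    best = None
    for group in options:
        worst = max((CATEGORY.get(i, "unknown") for i in group), key=RANK.index)
        if best is None or RANK.index(worst) < RANK.index(best):
            best = worst
    return best


def evaluate(sbom_json, context):
    """Map 'name@version' -> (category, decision) for the given context."""
    allowed = POLICY[context]
    results = {}
    for comp in json.loads(sbom_json)["components"]:
        ref = f"{comp['name']}@{comp['version']}"
        category = classify(licence_options(comp))
        if category in ("undeclared", "unknown"):
            decision = "review"      # a human must establish the terms first
        elif category in allowed:
            decision = "allowed"
        else:
            decision = "blocked"
        results[ref] = (category, decision)
    return results


def blocked(results):
    """Sorted component refs that fail policy outright."""
    return sorted(ref for ref, (_, decision) in results.items() if decision == "blocked")


if __name__ == "__main__":
    for context in POLICY:
        print(f"== {context} ==")
        for ref, (category, decision) in evaluate(SAMPLE_SBOM, context).items():
            print(f"{decision:8} {category:17} {ref}")
```

Run it as a CI gate that fails the build when `blocked()` is non-empty and opens a review ticket for anything marked `review`; the same SBOM then doubles as the open-source usage register an auditor will ask for.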
Include IP protection in your security awareness training. Cover software licensing rules, proper use of third-party content, and how to handle the organisation's own proprietary information.
Evidence Your Auditor Will Request
- Intellectual property protection policy
- Software asset inventory and licence compliance records
- Software audit results showing licence compliance status
- Confidentiality and IP assignment agreements for personnel
- Open-source software usage register (or SBOM) and licence compliance records
Common Mistakes
- No software asset management programme, so licence compliance status is unknown
- Software is used beyond the terms of its licence without anyone being aware
- Open-source licence obligations are not tracked or complied with
- Employee IP assignment agreements are not in place for all personnel
- No DLP or monitoring controls to detect unauthorised IP exfiltration