ISO 27001 Annex A 5.32

Intellectual property cuts both ways - protect yours, respect others'.

ISO 27001 Annex A 5.32 - Intellectual Property Rights

The control covers two angles. The first is protecting the organisation's own intellectual property - source code, designs, trademarks, customer data, trade secrets and any creative material the organisation has developed or holds rights to. The second is respecting the intellectual property of others, particularly through licensing of third-party software and proper handling of third-party material.

For the organisation's own IP, the protection comes through the wider information security framework - classification, access control, contractual obligations on staff and contractors, and the supplier security clauses that protect IP shared with third parties. Specific arrangements may add to this for higher-value IP - non-disclosure agreements, additional access restrictions, watermarking or specific contractual protections.

For third-party IP, the typical concerns are software licensing, image and content rights, and the use of open source components. The control expects clear rules - what software is approved for use, how licences are tracked, what staff can and cannot install, how third-party material is sourced and credited where required.

The licensing question is the one that most often generates audit findings. I will ask to see the software licence inventory and reconcile it with what is actually installed. If there are discrepancies - paid-for licences not being used, unlicensed installations of paid software, expired licences still in production - that comes back as a finding because the rights position is unclear.

Practical Compliance Guidance

Intellectual property arrangements are described in the IMS1 manual at section 8.5 alongside the topic-specific Software Policy and the broader licensing arrangements. The legal register tracks the relevant intellectual property legislation.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure - Contains the Software Policy section, which sets out the rules for software acquisition, use and licensing, including the prohibition on unauthorised software installation.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Yes. The control expects software in use to be tracked alongside the licences held. The inventory should let the organisation answer the question of whether installed software is appropriately licensed and identify any gaps. Many organisations use software asset management tools to automate this.
Open source comes with licence terms that need to be respected. Some licences are permissive, others impose obligations such as source code disclosure for derivatives. Where the organisation uses or distributes open source as part of its own products, the licence implications need to be understood and documented.
Through classification under A.5.12, access controls under A.5.15 to A.5.18, contractual obligations on staff and contractors, supplier security clauses where IP is shared, and where appropriate specific protections such as patents, trademarks, copyright registration and non-disclosure agreements with parties handling sensitive IP.
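The licence reconciliation described in the audit paragraph and in the inventory FAQ answer above, as an added Python example that is not part of this page or the alphaZ toolkit. The register, hostnames and product names are constructed sample data; it also flags over-deployment (more installations than seats held), which goes beyond the three discrepancies the text lists.

```python
"""Reconcile a software licence register against installed-software records.

Added example; the data below is constructed, standing in for the licence
inventory and a software asset management (SAM) tool export.
"""
from collections import Counter
from datetime import date

# Constructed licence register: product -> seats held and expiry (None = perpetual).
LICENCE_REGISTER = {
    "DesignSuite": {"seats": 5, "expires": date(2026, 1, 31)},
    "ReportPro": {"seats": 3, "expires": date(2024, 6, 30)},  # expired
    "ArchiveTool": {"seats": 10, "expires": None},            # paid for, not installed
}

# Constructed installation records (host, product), as a SAM export would list them.
INSTALLED = [
    ("ws-01", "DesignSuite"), ("ws-02", "DesignSuite"), ("ws-03", "DesignSuite"),
    ("ws-04", "DesignSuite"), ("ws-05", "DesignSuite"), ("ws-06", "DesignSuite"),
    ("ws-01", "ReportPro"), ("ws-07", "ReportPro"),
    ("ws-02", "VideoEdit"),  # no licence in the register
]


def reconcile(register, installed, today):
    """Return the discrepancies an auditor would raise as findings.

    unlicensed:     installed software with no licence in the register
    expired_in_use: installed software whose licence has lapsed
    over_deployed:  (product, installs, seats) where installs exceed seats
    unused:         licences held for software that is not installed anywhere
    """
    counts = Counter(product for _, product in installed)
    findings = {"unlicensed": [], "expired_in_use": [], "over_deployed": [], "unused": []}
    for product, n in sorted(counts.items()):
        lic = register.get(product)
        if lic is None:
            findings["unlicensed"].append(product)
            continue
        if lic["expires"] is not None and lic["expires"] < today:
            findings["expired_in_use"].append(product)
        if n > lic["seats"]:
            findings["over_deployed"].append((product, n, lic["seats"]))
    findings["unused"] = sorted(p for p in register if counts[p] == 0)
    return findings


def sample_findings():
    """Run the reconciliation over the constructed data as of a fixed audit date."""
    return reconcile(LICENCE_REGISTER, INSTALLED, date(2025, 3, 1))
```

Each non-empty list in the result is a rights position the organisation cannot currently evidence, which is exactly what turns into a finding.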
