AuditFront

ISO 27001 A.5.32: Intellectual property rights

What This Control Requires

The organization shall implement appropriate procedures to protect intellectual property rights.

In Plain Language

Using unlicensed software or ignoring open-source licence obligations can land your organisation in serious legal trouble, and auditors know exactly where to look. This control covers both respecting other people's IP and protecting your own.

Software licensing is the largest part of this control in practice. You need a valid licence for everything in use, compliance with the terms of each licence (seat counts, per-core or per-user metrics, production versus non-production use), and no unauthorised copying or distribution. The financial penalties for non-compliance can be substantial, and an audit finding here is entirely avoidable.

Beyond software, think about your own proprietary assets: trade secrets, research data, unique processes, source code, and business methodologies. Protecting these requires confidentiality agreements, proper access controls, information classification, and staff awareness of their responsibilities around IP.

How to Implement

Write an IP protection policy covering both compliance with third-party IP rights and protection of your own. Define what counts as IP in your context and set out the rules clearly.

For software licence compliance, set up a software asset management (SAM) programme. Build an inventory of all software in use: desktop applications, server software, cloud and SaaS subscriptions, and open-source components. Track licences purchased versus deployed, and reconcile the two regularly, at least annually.

Put technical controls in place to manage licensing. Use deployment tools that track installations, prevent unauthorised software with application allowlisting, and monitor compliance. SAM tools that automate discovery and provide dashboards are worth the investment. Run periodic software audits to catch unlicensed or over-deployed software before a vendor does.

For your own IP, classify it at the right sensitivity level and restrict access on a need-to-know basis. Require confidentiality and IP assignment agreements from all employees and contractors. Implement DLP controls to prevent unauthorised exfiltration, and monitor for leakage through email, cloud storage, source code hosting, and other channels.

Do not overlook open-source compliance. Track every open-source component in your products and services, including transitive dependencies pulled in by package managers. Understand the licence obligations of each one: GPL, LGPL, MIT, Apache and others all have different requirements, and copyleft obligations are typically triggered when you distribute the software. Use software composition analysis (SCA) tools to automate identification, ideally in the build pipeline so new dependencies are checked before they ship. Treat components whose licence the tool reports as unknown or non-SPDX as unresolved rather than approved; registry metadata is often missing or wrong and needs a manual check. Establish a review and approval process for open-source usage, with a policy stating which licence types are acceptable for which use cases.

Include IP protection in your security awareness training. Cover software licensing rules, proper use of third-party content, and how to handle the organisation's own proprietary information.

Evidence Your Auditor Will Request

  • Intellectual property protection policy
  • Software asset inventory and license compliance records
  • Software audit results showing license compliance status
  • Confidentiality and IP assignment agreements for personnel
  • Open-source software usage register and license compliance records

Common Mistakes

  • No software asset management program resulting in unknown license compliance status
  • Software is used beyond the terms of its license without awareness
  • Open-source license obligations are not tracked or complied with
  • Employee IP assignment agreements are not in place for all personnel
  • No DLP or monitoring controls to detect unauthorized IP exfiltration

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       CC6.1        Partial overlap
GDPR        Art. 32      Partial overlap

Frequently Asked Questions

How do we manage software license compliance effectively?
Get a SAM programme running with automated discovery and tracking. Maintain a centralised inventory of all software and licences, and reconcile licences held against installations at least annually. Use deployment tools that enforce licence limits so people cannot accidentally over-deploy. Set up a proper process for purchasing and deploying new software that includes licence verification. And make sure your IT team understands why this matters: a surprise vendor audit is never a good day.
What about open-source software licenses?
Open-source licences vary widely in what they require. Permissive ones like MIT and Apache-2.0 mostly require attribution and notice preservation. Copyleft licences like GPL require that derivative works be distributed under the same licence, with source, which can be a problem if you are shipping proprietary software; these obligations are triggered by distribution, and AGPL additionally treats offering the software over a network as a trigger. Use SCA tools to identify all open-source components and their licences automatically, and treat an unknown or unrecognised licence as unresolved, not approved. Create a policy defining which licence types are approved for which use cases, for example internal tooling versus distributed products. And always check attribution requirements and copyleft obligations before distributing anything containing open-source components.
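The open-source steps in How to Implement and this answer both describe the same check: take the component list an SCA tool produces, map each licence to a category, and compare it against a per-use-case policy. The following is an added example, not AuditFront's code or any particular SCA tool's output. It assumes a CycloneDX-style SBOM (the JSON shape that tools such as syft or cdxgen emit), a deliberately short SPDX-to-category table, and a policy in which copyleft code is fine for internal tools but not for distributed products and AGPL is excluded everywhere. The sample SBOM, component names and policy are all constructed for illustration.

```python
"""Licence policy check over a CycloneDX-style SBOM (constructed example)."""
import json

# Constructed sample SBOM fragment in CycloneDX JSON shape. In practice this
# would be the file produced by an SCA tool; the component names are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "libfoo", "version": "1.4",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "lgpllib", "version": "2.0",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"name": "agpl-svc", "version": "3.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "mystery", "version": "0.1", "licenses": []},      # no licence data at all
        {"name": "dualdata", "version": "1.0",
         "licenses": [{"expression": "MIT OR CC-BY-NC-4.0"}]},      # dual-licensed
        {"name": "named", "version": "1.0",
         "licenses": [{"license": {"name": "Custom EULA"}}]},       # free text, no SPDX id
    ],
})

# SPDX identifier -> category. Assumed, intentionally short table; a real
# policy covers the full SPDX list plus the organisation's legal review outcomes.
CATEGORIES = {
    "MIT": "permissive", "ISC": "permissive", "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft", "LGPL-2.1-only": "weak-copyleft",
    "LGPL-2.1-or-later": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-2.0-or-later": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft", "GPL-3.0-or-later": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
    "CC-BY-NC-4.0": "non-commercial",
}

# Assumed policy: which categories each use case may contain without legal
# review. Copyleft obligations bite on distribution, so internal-only use of
# GPL code is tolerated; AGPL also bites on network use, so it is absent from
# every set. Anything not listed (including "unknown") is always flagged.
POLICY = {
    "internal": {"permissive", "weak-copyleft", "strong-copyleft"},
    "distributed": {"permissive", "weak-copyleft"},
}


def component_licence(component):
    """Collapse a CycloneDX 'licenses' array into one flat SPDX expression.
    Several entries are conservatively treated as AND. Entries carrying only a
    free-text name (no SPDX id) become UNKNOWN so they get flagged, not approved."""
    terms = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            terms.append(entry["expression"])
        elif "license" in entry:
            terms.append(entry["license"].get("id", "UNKNOWN"))
    return " AND ".join(terms) if terms else "UNKNOWN"


def expression_allowed(expr, allowed):
    """Evaluate a flat SPDX expression against the allowed categories.
    OR: the licensee chooses, so any fully allowed alternative passes.
    AND: every part must be allowed. Parenthesised expressions are not parsed
    here and are reported as unresolved rather than silently accepted."""
    if "(" in expr:
        return False, ["unparsed-expression"]
    worst = []
    for alternative in expr.split(" OR "):
        parts = [p.strip() for p in alternative.split(" AND ")]
        cats = [CATEGORIES.get(p, "unknown") for p in parts]
        if all(c in allowed for c in cats):
            return True, cats
        worst = cats
    return False, worst


def check_sbom(sbom_json, use_case):
    """One finding per component; allowed=False means replace it or get legal
    review before using it in this use case."""
    allowed = POLICY[use_case]
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        expr = component_licence(comp)
        ok, cats = expression_allowed(expr, allowed)
        findings.append({"component": f"{comp.get('name')}@{comp.get('version', '?')}",
                         "licence": expr, "categories": cats, "allowed": ok})
    return findings


def blocked(sbom_json, use_case):
    """Component identifiers that fail the policy for the given use case."""
    return [f["component"] for f in check_sbom(sbom_json, use_case) if not f["allowed"]]


if __name__ == "__main__":
    for use_case in POLICY:
        print(f"== {use_case} ==")
        for f in check_sbom(SAMPLE_SBOM, use_case):
            print(f"{'OK  ' if f['allowed'] else 'FAIL'} {f['component']:<16} {f['licence']}")
```

Run as a pipeline gate, a non-empty result from `blocked()` for the product's use case fails the build, which is what turns the "review and approval process" into something an auditor can see evidence of. The unresolved cases (missing licence data, free-text licence names, parenthesised expressions) fail closed on purpose: the common mistake is an SCA report full of "unknown" entries that nobody treats as a finding.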
