ISO 27001 Annex A Control 5.32

ISO 27001 control 5.32 Intellectual property rights

The basics

ISO 27001 control A.5.32 Intellectual property rights requires companies to ensure that any material considered intellectual property is properly protected and used, in order to minimize the risk of abuse of this material and of resulting legal proceedings.

Documentation

ISO 27001 control A.5.32 Intellectual property rights can be documented:

  • for smaller and mid-sized companies by including rules on intellectual property rights in an IT Security Policy
  • for larger companies by writing an Intellectual Property Rights Policy

These policies are not mandatory but are recommended.

Implementation

In order to comply with control A.5.32 Intellectual property rights you might implement the following:

  • Technology — the technology to enable the protection of intellectual property rights (owned by the company itself or by third parties) may include spreadsheets that list all the intellectual property, monitoring software, and inventory systems.
  • Organization/processes — you should set up a process for defining how to maintain and review information about assets that require protection due to intellectual property rights, how to control the maximum number of allowed users, and what users can and cannot do regarding protected material. You can document those processes through an IT Security Policy or an Intellectual Property Rights Policy.
  • People — make employees aware of the risk of violating intellectual property rights, and train them on what they can and cannot do related to material that is protected by intellectual property rights.

Audit evidence

During a certification or internal audit covering control A.5.32 Intellectual property rights, the auditor would typically examine evidence such as:

  • A policy on IPR covering aspects such as compliance with legal obligations defined in copyright, patent, trademark and similar laws;
  • Procedures for achieving, maintaining and monitoring compliance with licenses, contracts and agreements, e.g., a license database with checks and follow-up on possible anomalies such as commercial software in use that has no license record;
  • Evidence of awareness and enforcement activities, demonstrating that the processes are operating as specified.
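The license-database check described in the audit evidence above, together with the "maximum number of allowed users" control from the implementation section, can be run as a simple reconciliation of an installed-software inventory against the license register. The following is an added example and not part of the original page; the inventory rows, license records, product names and field names are constructed for illustration.

```python
"""Reconcile a software inventory against a license register.

Flags the two anomaly types an auditor looks for under A.5.32:
commercial software in use with no license record, and products whose
number of distinct users exceeds the licensed maximum. The data layout
(host/product/user rows, product -> max_users) is an assumption.
"""
from collections import defaultdict

# Constructed sample inventory: one row per (host, product, user).
INVENTORY = [
    {"host": "ws-01", "product": "AcmeCAD", "user": "alice"},
    {"host": "ws-02", "product": "AcmeCAD", "user": "bob"},
    {"host": "ws-03", "product": "AcmeCAD", "user": "carol"},
    {"host": "ws-01", "product": "PhotoSuite", "user": "alice"},
    {"host": "ws-04", "product": "LibreOffice", "user": "dave"},
]

# Constructed license register: product -> licensed seat count.
LICENSES = {
    "AcmeCAD": {"max_users": 2, "expires": "2026-12-31"},
}

# Products known to be free/open source and therefore out of scope here.
FREE_SOFTWARE = {"LibreOffice"}


def find_license_anomalies(inventory, licenses, free_software=FREE_SOFTWARE):
    """Return a sorted list of (product, anomaly_kind, detail) tuples."""
    users_by_product = defaultdict(set)
    for row in inventory:
        users_by_product[row["product"]].add(row["user"])

    anomalies = []
    for product, users in users_by_product.items():
        if product in free_software:
            continue
        record = licenses.get(product)
        if record is None:
            anomalies.append((product, "no_license_record", f"{len(users)} user(s)"))
        elif len(users) > record["max_users"]:
            anomalies.append((product, "seat_limit_exceeded",
                              f"{len(users)} users > {record['max_users']} licensed"))
    return sorted(anomalies)


if __name__ == "__main__":
    for product, kind, detail in find_license_anomalies(INVENTORY, LICENSES):
        print(f"{product}: {kind} ({detail})")
```

In practice the inventory would come from an endpoint-management or software-asset-management export and the register from the license database; each flagged row is the follow-up item the auditor expects to see tracked.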