
Intellectual property rights

Annex A control 5.32 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A control 18.1.2.

Control 5.32 covers the necessity for, and steps towards, achieving compliance with intellectual property (IP) rights. This includes covering the use of proprietary software, whether it’s purchased, subscribed to or leased from a third party.

ISO defines intellectual property rights as falling into one or more of the following categories: patents, trademark rights, design rights, source code licenses, software copyright and document copyright.

Understanding intellectual property rights

Agreements – whether legal, statutory, regulatory or contractual – commonly place restrictions on the use of proprietary software. These can include restrictions on copying, extracting and reverse-engineering source code.

Control 5.32 focuses on an organisation’s obligation towards third parties whose intellectual property they seek, with IP rights covered by data sharing agreements, licence agreements and more.

The risks of copyright infringement and IP infringement are severe, with financial and legal consequences. It’s vital that businesses study control 5.32 carefully to avoid unnecessary information security incidents and interruptions.

Guidelines for IP in control 5.32

As a preventative control, control 5.32 looks to mitigate risks by encouraging proactive procedures to ensure IP compliance. This includes helping employees adhere to business obligations on an individual level.

When safeguarding data, assets or software that might be listed as IP, organisations need to consider 12 key guidelines. These are:

  1. Implementing a topic-specific policy to protect IP rights on a case-by-case basis, taking unique operational requirements into account.
  2. Publishing and sharing procedures that define how software and products should be operated to remain compliant with IP standards.
  3. Acquiring software from trusted sources to avoid inadvertent copyright breaches.
  4. Using an organisational asset register to identify ICT assets with IP requirements.
  5. Providing proof of ownership whenever necessary, whether it be physical or electronic licensing documents, communications, or files.
  6. Ensuring compliance with software usage limits such as virtual resources and concurrent users.
  7. Making sure no unlicensed or unauthorised software is used by conducting periodic reviews.
  8. Maintaining operational and financial procedures to make sure licences are kept up to date.
  9. Ensuring the transfer and disposal of software assets is secure and compliant by providing responsible and safe practices.
  10. Complying with the terms and conditions and fair use guidelines when acquiring software from the public domain.
  11. Ensuring that any extracting, copying, converting or manipulating of commercial recordings is done in line with the software’s terms and conditions, or with prevailing copyright laws.
  12. Respecting copyright laws and licensing terms attached to textual data, including articles, reports, books, and standards.

What has changed since ISO 27001:2013?

Replacing Annex A control 18.1.2 from ISO 27001:2013, control 5.32 retains many of the same guidelines, but with two significant changes. The first is that the 2022 version now contains advice on how to manage IP-related issues under a data sharing agreement.

Secondly, the 2013 version made no mention of the potential benefits of managing employee behaviour towards IP agreements; the 2022 version does.