How to Implement ISO 27001 Annex A 5.32

Implementing ISO 27001 Annex A 5.32 is the systematic enforcement of intellectual property rights and software licensing compliance. The primary implementation requirement mandates automated asset discovery and license reconciliation, delivering the business benefit of eliminating legal liability from piracy and preventing the accidental forfeiture of proprietary code through open-source contamination.

ISO 27001 Annex A 5.32 Intellectual Property Rights Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.32. Compliance requires more than a policy stating “we do not pirate software”; it demands rigorous technical enforcement of licensing limits and automated scanning of your codebase for open-source violations.

1. Automate Software Asset Discovery

Control Requirement: The organisation must maintain a complete inventory of software assets to ensure licensing compliance.

Required Implementation Step: Deploy an agent-based discovery tool (e.g., PDQ Inventory or a script-based RMM solution) to scan every endpoint and server. You must generate a real-time CSV export of every installed application and version number; do not rely on manual user surveys or static spreadsheets.

Minimum Requirement: A comprehensive “Installed Software Report” generated automatically within the last 30 days.

2. Perform a License Reconciliation Audit

Control Requirement: The number of software installations must not exceed the number of purchased licences.

Required Implementation Step: Manually compare your automated software inventory against your procurement invoices and volume licensing portals (e.g., Microsoft 365 Admin Center). Calculate the “Effective License Position” (ELP) for critical vendors to identify under-licensing liabilities immediately.

Minimum Requirement: A reconciliation spreadsheet showing “Entitlements vs. Deployments” with zero negative balances.
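The reconciliation in step 2 is a join between the automated inventory export from step 1 and the purchase records. The Python script below is an added example, not code from the original page or the author's toolkit; the CSV contents, hostnames, product names, counts and the INV-0001/INV-0002 invoice references are constructed placeholders. It counts one deployment per distinct host and product (so a scanner that reports the same application twice does not inflate the figure), normalises product names so spelling and spacing differences reconcile to one line item, and reports every product with a negative balance, including software that appears in the inventory with no entitlement at all.

```python
"""Effective License Position (ELP) reconciliation: entitlements minus deployments.
Added example for the licence reconciliation step; all data below is constructed."""
import csv
import io
from collections import Counter

# Constructed stand-in for the automated "Installed Software Report" (step 1).
# Hostnames, products and versions are placeholders.
INVENTORY_CSV = """hostname,product,version
WS-001,Microsoft Visio Professional,2021
WS-002,Microsoft Visio Professional,2021
WS-003,microsoft visio professional ,2019
WS-001,Adobe Acrobat Pro,23.0
WS-004,Adobe Acrobat Pro,23.0
WS-002,Unlisted Shareware Tool,1.4
SRV-01,Example Database Server,12.1
"""

# Constructed stand-in for invoices / volume licensing portal exports.
# INV-0001 and INV-0002 are placeholder invoice references, not real documents.
ENTITLEMENTS_CSV = """product,licences,evidence
Microsoft Visio Professional,2,INV-0001 (placeholder invoice ref)
Adobe Acrobat Pro,5,vendor admin console export
Example Database Server,1,INV-0002 (placeholder invoice ref)
"""


def normalise(name: str) -> str:
    """Canonical product key so 'Visio ' and 'visio' reconcile to one line item."""
    return " ".join(name.strip().casefold().split())


def count_deployments(inventory_csv: str) -> Counter:
    """One deployment per distinct (host, product) pair; duplicate scan rows are ignored."""
    seen = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        seen.add((row["hostname"].strip(), normalise(row["product"])))
    return Counter(product for _, product in seen)


def load_entitlements(entitlements_csv: str) -> dict:
    """Map normalised product -> purchased licence count, summed across invoices."""
    entitled = Counter()
    for row in csv.DictReader(io.StringIO(entitlements_csv)):
        entitled[normalise(row["product"])] += int(row["licences"])
    return dict(entitled)


def effective_license_position(entitlements: dict, deployments: Counter) -> dict:
    """ELP per product: positive balance = spare licences, negative = under-licensed.
    The union of both lists is used so unentitled software is not silently skipped."""
    products = set(entitlements) | set(deployments)
    return {
        p: {
            "entitled": entitlements.get(p, 0),
            "deployed": deployments.get(p, 0),
            "balance": entitlements.get(p, 0) - deployments.get(p, 0),
        }
        for p in sorted(products)
    }


def under_licensed(elp: dict) -> list:
    """Products whose balance is negative, including software with no entitlement at all."""
    return [p for p, pos in elp.items() if pos["balance"] < 0]


def reconcile(inventory_csv: str = INVENTORY_CSV,
              entitlements_csv: str = ENTITLEMENTS_CSV) -> dict:
    """Full 'Entitlements vs. Deployments' position for the two exports."""
    return effective_license_position(load_entitlements(entitlements_csv),
                                      count_deployments(inventory_csv))


if __name__ == "__main__":
    elp = reconcile()
    print(f"{'product':32} {'entitled':>8} {'deployed':>8} {'balance':>8}")
    for product, pos in elp.items():
        flag = "  <-- UNDER-LICENSED" if pos["balance"] < 0 else ""
        print(f"{product:32} {pos['entitled']:>8} {pos['deployed']:>8} "
              f"{pos['balance']:>8}{flag}")
```

Run against the real exports, the two CSV strings become file reads; the "zero negative balances" minimum requirement is met when `under_licensed()` returns an empty list, which is the condition to check before signing off the reconciliation spreadsheet.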

3. Enforce Software Restriction Policies

Control Requirement: Unauthorised or unlicensed software must be prevented from running.

Required Implementation Step: Configure Windows Defender Application Control (WDAC) or AppLocker via Group Policy to block the execution of unsigned or unapproved binaries. This technically prevents staff from installing “cracked” software or shareware that exposes the company to legal action.

Minimum Requirement: Evidence of a Group Policy Object (GPO) enforcing “Allow-list only” execution rules.

4. Implement Software Composition Analysis (SCA)

Control Requirement: Proprietary software development must respect third-party intellectual property, specifically open-source licences.

Required Implementation Step: Integrate an SCA tool (e.g., SonarQube, Snyk, or OWASP Dependency-Check) directly into your CI/CD pipeline. You must configure the build to fail automatically if a developer imports a library with a restrictive license (e.g., GPLv3) into a proprietary commercial project.

Minimum Requirement: A build log showing the blocking of a dependency due to non-compliant licensing.
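The build-breaking check in step 4 is a policy decision applied to the licence data an SCA tool emits. The script below is an added illustration, not the page's own code and not the output format of SonarQube, Snyk or OWASP Dependency-Check; the component list is a constructed stand-in for an SBOM or SCA export, and the component names, versions and the allow-list are assumptions for the example. It treats the allow-list as authoritative (anything undeclared or unrecognised fails rather than passes), evaluates dual-licensed "A OR B" expressions so a package offered under MIT or GPL passes on the MIT option while "A AND B" requires every part to be acceptable, and returns a non-zero exit status so the pipeline stops.

```python
"""CI licence gate: fail the build when a dependency's declared licence breaks policy.
Added example; the policy lists and the component sample are constructed."""
import json
import re
import sys

# Allow-list of SPDX identifiers acceptable in a proprietary commercial project
# (an assumption for this example; each organisation sets its own).
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0"}
# Copyleft licences named explicitly so the report can say *why* a component failed.
RESTRICTIVE = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
               "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed sample standing in for an SBOM / SCA export; names and versions are placeholders.
SAMPLE_COMPONENTS = json.dumps([
    {"name": "httpclient-lib", "version": "4.2.0", "license": "Apache-2.0"},
    {"name": "fast-json", "version": "1.9.1", "license": "MIT OR GPL-3.0-only"},
    {"name": "pdf-render", "version": "2.0.3", "license": "GPL-3.0-or-later"},
    {"name": "legacy-util", "version": "0.1.0", "license": ""},
    {"name": "agpl-db-driver", "version": "7.1.0", "license": "AGPL-3.0-only"},
])


def acceptable(expr: str) -> bool:
    """Evaluate a flat SPDX expression: OR = any alternative allowed, AND = all allowed.
    Parentheses are stripped; nested precedence beyond flat expressions is out of scope.
    A missing licence is a finding, never a pass."""
    expr = expr.strip().strip("() ")
    if not expr:
        return False
    if " OR " in expr:
        return any(acceptable(p) for p in expr.split(" OR "))
    if " AND " in expr:
        return all(acceptable(p) for p in expr.split(" AND "))
    return expr in ALLOWED


def reason(expr: str) -> str:
    """Human-readable explanation written to the build log for each failure."""
    if not expr.strip():
        return "no licence declared"
    tokens = re.split(r"\s+(?:OR|AND)\s+", expr.strip("() "))
    hit = [t for t in tokens if t.strip("()") in RESTRICTIVE]
    return f"restrictive copyleft: {', '.join(hit)}" if hit else f"not on allow-list: {expr}"


def check_components(components_json: str) -> list:
    """Return [(name, version, reason)] for every component failing policy."""
    violations = []
    for c in json.loads(components_json):
        expr = c.get("license") or ""
        if not acceptable(expr):
            violations.append((c["name"], c["version"], reason(expr)))
    return violations


def gate(components_json: str = SAMPLE_COMPONENTS) -> int:
    """Exit status for the CI step: 0 = pass, 1 = fail, so the pipeline stops the build."""
    violations = check_components(components_json)
    for name, version, why in violations:
        print(f"LICENCE VIOLATION {name}@{version}: {why}")
    print("licence gate:", "FAIL" if violations else "PASS")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(gate())
```

The printed `LICENCE VIOLATION` lines are the build-log evidence the minimum requirement asks for; the non-zero return is what actually blocks the merge.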

5. Centralise Software Procurement

Control Requirement: Software acquisition must be controlled to prevent “Shadow IT” and unmanaged licensing.

Required Implementation Step: Block access to consumer software purchase sites at the web gateway level and remove local administrator rights from users. Ensure that the only route to obtain software is through a formal IT Service Management (ITSM) request where the license can be logged before installation.

Minimum Requirement: A documented procurement process where IT is the sole purchaser of software assets.

6. Sanitise Assets Before Disposal

Control Requirement: Intellectual property and licensed software must be removed from hardware before it leaves the organisation.

Required Implementation Step: Use DBAN or another NIST SP 800-88 compliant erasure tool to wipe hard drives before selling or scrapping old laptops. Simply formatting the drive is insufficient; you must ensure that licensed software keys and proprietary data cannot be recovered by the next owner.

Minimum Requirement: Certificates of Destruction linking serial numbers to verified wipe logs.

7. Protect Outbound Intellectual Property

Control Requirement: The organisation must prevent the theft or unauthorised transfer of its own intellectual property.

Required Implementation Step: Configure Data Loss Prevention (DLP) rules on your email and endpoints to flag or block the transfer of source code, CAD drawings, or customer databases. Map these rules to file extensions and specific keyword patterns unique to your IP.

Minimum Requirement: DLP logs showing the interception of a “high-value” file transfer attempt.

8. Review Cloud Licensing Models

Control Requirement: Usage of cloud-based software must adhere to subscription terms (e.g., User vs. Device CALs).

Required Implementation Step: Audit your SaaS user accounts to identify inactive users who are still consuming a paid license. Implementing Single Sign-On (SSO) allows you to centralise access control and instantly revoke licenses for leavers, preventing “zombie” costs and compliance breaches.

Minimum Requirement: A monthly “Inactive User Report” used to reclaim or terminate unused SaaS licenses.

9. Formalise Copyright Notices

Control Requirement: Proprietary materials must clearly state ownership to assert legal rights.

Required Implementation Step: Update your document templates and code headers to include a standard copyright notice and classification label. Use a script to sweep your code repositories and ensure every source file contains the correct proprietary header comments.

Minimum Requirement: Verified presence of copyright headers in all production source code files.
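The repository sweep from step 9, written out as an added Python example rather than the author's script. The organisation name "Example Ltd", the classification label, the file extensions handled and the sample files are constructed for the example. The sweep checks the first ten lines of each source file for both the copyright line and the classification label, skips vendored and build directories (third-party code carries its own notice and must not be relabelled as proprietary), and in remediation mode inserts only the lines that are missing, keeping a shebang on the first line.

```python
"""Sweep a repository for the mandated copyright and classification header.
Added example; organisation name, label and sample files are constructed."""
import datetime
import re
import sys
import tempfile
from pathlib import Path

ORG = "Example Ltd"  # placeholder organisation name
HEADER_RE = re.compile(r"Copyright \(c\) \d{4}(-\d{4})? " + re.escape(ORG) + r"\. All rights reserved\.")
CLASSIFICATION_RE = re.compile(r"Classification: (Proprietary|Confidential)")
COMMENT_PREFIX = {".py": "#", ".sh": "#", ".c": "//", ".h": "//", ".js": "//",
                  ".go": "//", ".java": "//", ".cs": "//"}
HEAD_LINES = 10  # both lines must appear within the first N lines of the file
SKIP_DIRS = {".git", "node_modules", "vendor", "build"}  # third-party / generated code


def header_status(text: str) -> tuple:
    """(has_copyright, has_classification) judged on the head of the file only."""
    head = "\n".join(text.splitlines()[:HEAD_LINES])
    return (HEADER_RE.search(head) is not None, CLASSIFICATION_RE.search(head) is not None)


def sweep(root: Path) -> dict:
    """Map relative path -> header_status for every source file outside SKIP_DIRS."""
    results = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.suffix not in COMMENT_PREFIX or any(p in SKIP_DIRS for p in rel.parts):
            continue
        results[rel.as_posix()] = header_status(path.read_text(encoding="utf-8", errors="replace"))
    return results


def non_compliant(results: dict) -> list:
    """Files missing the copyright line, the classification label, or both."""
    return [p for p, (has_copy, has_cls) in results.items() if not (has_copy and has_cls)]


def header_lines(suffix: str, year: int) -> list:
    prefix = COMMENT_PREFIX[suffix]
    return [f"{prefix} Copyright (c) {year} {ORG}. All rights reserved.\n",
            f"{prefix} Classification: Proprietary\n"]


def add_header(path: Path, year: int = datetime.date.today().year) -> None:
    """Remediation: insert only the missing line(s), after a shebang if there is one."""
    text = path.read_text(encoding="utf-8")
    has_copy, has_cls = header_status(text)
    copyright_line, classification_line = header_lines(path.suffix, year)
    missing = ([] if has_copy else [copyright_line]) + ([] if has_cls else [classification_line])
    lines = text.splitlines(keepends=True)
    insert_at = 1 if lines and lines[0].startswith("#!") else 0
    lines[insert_at:insert_at] = missing
    path.write_text("".join(lines), encoding="utf-8")


def build_sample_repo() -> Path:
    """Constructed repo: one compliant file, one missing the label, one bare, plus vendored code to skip."""
    root = Path(tempfile.mkdtemp(prefix="hdr-sweep-"))
    (root / "app").mkdir()
    (root / "app" / "good.py").write_text(
        "#!/usr/bin/env python3\n" + "".join(header_lines(".py", 2025)) + "print('ok')\n")
    (root / "app" / "nolabel.c").write_text(
        "// Copyright (c) 2024 Example Ltd. All rights reserved.\nint main(void) { return 0; }\n")
    (root / "app" / "bare.js").write_text("module.exports = {};\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "third_party.js").write_text("// MIT licensed upstream code\n")
    return root


if __name__ == "__main__":
    # Usage: header_sweep.py [repo-root] [--fix]; with no root a sample repo is built.
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = Path(args[0]) if args else build_sample_repo()
    missing = non_compliant(sweep(root))
    for rel in missing:
        print("MISSING HEADER:", rel)
        if "--fix" in sys.argv:
            add_header(root / rel)
    print(f"{len(missing)} non-compliant file(s) under {root}")
    sys.exit(1 if missing and "--fix" not in sys.argv else 0)
```

Run read-only in CI so the job fails on any non-compliant file; run with `--fix` locally once to remediate, then commit. The per-path results dictionary is the "verified presence" evidence for the minimum requirement.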

10. Prepare for Vendor Audits

Control Requirement: The organisation must be prepared to prove compliance to external licensors.

Required Implementation Step: Create a “Vendor Audit Defence” folder containing your proof of purchase (Entitlements) and your installation reports (Deployments). Conduct a mock audit for your largest vendor (e.g., Microsoft or Oracle) to ensure you can produce the required evidence within 48 hours.

Minimum Requirement: A completed “Mock Audit” report for a major software vendor.

ISO 27001 Annex A 5.32 SaaS / GRC Platform Implementation Failure Checklist

How GRC Tools and SaaS Platforms Fail to Meet the Reality of Annex A 5.32 Compliance

Software Inventory
The ‘Checkbox Compliance’ Trap: Manually typing “Microsoft Office” into a GRC list.
The Reality Check: Compliance requires automated network scanning (WMI/SNMP) to find what is actually installed.

Open Source Compliance
The ‘Checkbox Compliance’ Trap: A policy document saying “We respect copyright”.
The Reality Check: You need SCA tools in the build pipeline to catch viral GPL code before it compiles.

Preventing Piracy
The ‘Checkbox Compliance’ Trap: Asking employees to sign an Acceptable Use Policy.
The Reality Check: Users ignore policies. You need AppLocker to physically stop the installation of cracked software.

License Reconciliation
The ‘Checkbox Compliance’ Trap: Storing PDFs of contracts in a folder.
The Reality Check: You need a spreadsheet comparing “Bought” vs “Installed” counts to find the financial gap.

Shadow IT
The ‘Checkbox Compliance’ Trap: A survey asking staff what apps they use.
The Reality Check: You must inspect firewall logs and credit card expenses to find the SaaS tools IT doesn’t know about.

Disposal
The ‘Checkbox Compliance’ Trap: Marking an asset as “Disposed” in the dashboard.
The Reality Check: You need the physical drive-wipe log to prove the Windows License Key was removed.

DLP / IP Protection
The ‘Checkbox Compliance’ Trap: Tagging a document as “Confidential”.
The Reality Check: Tags don’t stop email. You need technical DLP rules to block the file leaving the network.

Vendor Audits
The ‘Checkbox Compliance’ Trap: Assuming the GRC tool’s “Compliance %” matters.
The Reality Check: Microsoft auditors don’t care about your GRC score; they want raw CSV export data from your servers.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
