ISO 27001 Annex A 5.32 Audit Checklist

Auditing ISO 27001 Annex A 5.32 is a systematic review to ensure an organisation legally protects its proprietary assets and adheres to software licensing agreements. The primary implementation requirement is an accurate software asset register; the business benefit is litigation avoidance and robust data governance.

This technical verification tool is designed for lead auditors to confirm the integrity of the organisation’s intellectual property and data governance. Use this checklist to validate compliance with ISO 27001 Annex A 5.32 (Intellectual property rights) by ensuring all software and proprietary assets are legally protected and correctly licensed.

1. Intellectual Property Rights (IPR) Policy Formalisation Verified

Verification Criteria: A documented policy exists that defines the organisation’s approach to protecting its own IPR and respecting the IPR of third parties, including software licensing.

Required Evidence: Approved IPR Policy or integrated Legal Compliance Policy with specific sections on copyright, trademarks, and patents.

Pass/Fail Test: If the organisation lacks a formal policy statement regarding the legal use of third-party software or proprietary data, mark as Non-Compliant.

2. Software Asset Register Completeness Confirmed

Verification Criteria: An up-to-date inventory exists listing all software assets, including version numbers, install counts, and physical/logical locations.

Required Evidence: Software Asset Management (SAM) database or a verified spreadsheet showing the current software estate.

Pass/Fail Test: If the inventory fails to account for SaaS-based applications or ‘Shadow IT’ identified during technical discovery, mark as Non-Compliant.

3. Proof of Entitlement for Commercial Software Validated

Verification Criteria: The organisation possesses valid proof of ownership (licences, invoices, or digital entitlements) for all commercial software currently in use.

Required Evidence: Original licence certificates, EULAs (End User Licence Agreements), or procurement invoices matched to the software inventory.

Pass/Fail Test: If the number of active software installations exceeds the number of legally purchased licences, mark as Non-Compliant.

4. Open Source Software (OSS) Compliance Verified

Verification Criteria: Use of open-source software is monitored to ensure compliance with specific licence types (e.g. GNU, MIT, Apache) and to avoid legal ‘copyleft’ risks.

Required Evidence: OSS Inventory or Software Composition Analysis (SCA) report identifying all open-source libraries and their respective licences.

Pass/Fail Test: If the organisation uses OSS in commercial products without verifying that the specific licence allows for such redistribution, mark as Non-Compliant.
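As an added example (not part of this checklist or the author’s toolkit), the kind of policy check an auditor would expect the SCA report to be run through: each component’s SPDX licence identifier is classified and copyleft obligations are flagged according to how the product is shipped. The licence groupings, the `linkage` field and the sample component list are constructed assumptions for illustration; a real policy is defined by the organisation’s legal team.

```python
"""OSS licence policy check over an SCA-style component list (added example)."""
from dataclasses import dataclass

# Policy groupings by SPDX identifier. Assumption: a typical grouping used
# for illustration only; the organisation's legal team sets the real policy.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}   # obligations also triggered by network use


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    licence: str   # SPDX id from the SCA report; "" when the tool could not identify it
    linkage: str   # "static", "dynamic" or "separate-process" (assumed field)


@dataclass(frozen=True)
class Finding:
    component: str
    licence: str
    severity: str  # "fail" => Non-Compliant; "review" => needs legal confirmation
    reason: str


def check_components(components, *, distributed, closed_source, network_service):
    """Return findings for components whose licence is unverified or whose
    copyleft terms are triggered by the way the product is shipped.

    distributed     - the product (with these components) is conveyed to third parties
    closed_source   - the organisation does not publish the product's source
    network_service - the product is offered to users over a network
    """
    findings = []
    for c in components:
        lic = c.licence.strip()
        if not lic:
            # An unidentified licence is missing proof of entitlement, not a pass.
            findings.append(Finding(c.name, "UNKNOWN", "fail",
                                    "SCA report gives no licence; entitlement cannot be verified"))
        elif lic in STRONG_COPYLEFT or lic in NETWORK_COPYLEFT:
            triggered = distributed or (lic in NETWORK_COPYLEFT and network_service)
            if triggered and closed_source:
                findings.append(Finding(c.name, lic, "fail",
                                        "copyleft obligation triggered in a closed-source product"))
            elif triggered:
                findings.append(Finding(c.name, lic, "review",
                                        "copyleft obligation triggered; confirm a source offer is in place"))
        elif lic in WEAK_COPYLEFT:
            # LGPL/MPL obligations depend on linkage and modification; flag for legal review.
            if distributed and closed_source and c.linkage == "static":
                findings.append(Finding(c.name, lic, "review",
                                        "weak copyleft statically linked into a closed-source product"))
        elif lic not in PERMISSIVE:
            findings.append(Finding(c.name, lic, "review",
                                    "licence not on the policy allow-list"))
    return findings


def verdict(findings):
    """Checklist outcome: any 'fail' finding makes the control Non-Compliant."""
    return "Non-Compliant" if any(f.severity == "fail" for f in findings) else "Compliant"


# Constructed sample SCA output (not a real report).
SAMPLE_SCA = [
    Component("libfoo", "1.2.0", "MIT", "static"),
    Component("jsonparse", "3.1", "Apache-2.0", "dynamic"),
    Component("crypto-utils", "0.9", "GPL-3.0-only", "static"),
    Component("imglib", "2.4", "LGPL-2.1-only", "static"),
    Component("legacy-net", "0.2", "", "dynamic"),
    Component("reportgen", "5.0", "AGPL-3.0-only", "separate-process"),
    Component("oddlib", "1.0", "SSPL-1.0", "dynamic"),
]

if __name__ == "__main__":
    scenarios = {
        "shipped closed-source binary": dict(distributed=True, closed_source=True, network_service=False),
        "internal web service": dict(distributed=False, closed_source=True, network_service=True),
    }
    for label, flags in scenarios.items():
        found = check_components(SAMPLE_SCA, **flags)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.component} ({f.licence}): {f.reason}")
```

The two scenarios show why the distribution context matters: the same GPL component is a failure in a shipped binary but raises no finding in an internal service, while the AGPL component fails in both because network use triggers its obligations. A component with no licence identified is treated as a failure rather than ignored, since the checklist test is about verifying entitlement, not merely the absence of a known problem.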

5. Software Media and Licence Key Security Confirmed

Verification Criteria: Physical and digital software media, including master copies and licence keys, are stored in a secure environment with restricted access.

Required Evidence: Access control logs for the digital ‘vault’ or physical secure cabinet where original software media and keys are maintained.

Pass/Fail Test: If software licence keys are found stored in clear-text on a shared drive accessible to all staff, mark as Non-Compliant.

6. Prohibition of Unauthorised Software Installation Verified

Verification Criteria: Technical controls or strictly enforced policies prevent personnel from installing unlicensed or unauthorised software on organisational assets.

Required Evidence: Configuration settings for ‘Standard User’ profiles (removing Local Admin rights) or ‘Application Whitelisting’ logs from an MDM/EDR tool.

Pass/Fail Test: If a sampled endpoint allows the installation of unapproved software from the internet without an administrative bypass, mark as Non-Compliant.

7. Intellectual Property Ownership Clauses in Contracts Confirmed

Verification Criteria: Employment and contractor agreements explicitly define the ownership of intellectual property created during the term of engagement.

Required Evidence: Sampled employment contracts or contractor Master Service Agreements (MSAs) containing IP assignment clauses.

Pass/Fail Test: If a contractor is producing proprietary code or designs without a signed agreement transferring IP rights to the organisation, mark as Non-Compliant.

8. Digital Rights Management (DRM) and Watermarking Validated

Verification Criteria: Technical measures are implemented to protect the organisation’s proprietary information from unauthorised copying or redistribution where applicable.

Required Evidence: Configuration of DRM tools, document watermarking settings, or Data Loss Prevention (DLP) rules targeting proprietary ‘fingerprinted’ files.

Pass/Fail Test: If proprietary ‘Confidential’ documents can be exported to personal cloud storage without a watermark or technical restriction, mark as Non-Compliant.

9. Periodic Software Licence Audit Evidence Identified

Verification Criteria: The organisation performs periodic reconciliations of its software inventory against its licences to ensure ongoing legal compliance.

Required Evidence: Internal audit reports or ‘True-up’ records from the last 12 months showing licence reconciliation activity.

Pass/Fail Test: If the organisation has not conducted a software licence audit or reconciliation in over a year, mark as Non-Compliant.
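Items 2, 3 and 9 all come down to the same reconciliation: the install count from a technical scan against the seats the organisation can prove it purchased. As an added example (not part of this checklist or the author’s toolkit), a Python script that performs that reconciliation over two constructed CSV extracts, normalises product names so that scan variants match, excludes expired entitlements, and reports the per-product delta. The column names, sample hosts, products and invoice references are all assumptions for illustration.

```python
"""Software licence reconciliation: installs vs. entitlements (added example)."""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample data (not real records). In practice the inventory comes
# from an endpoint/SAM scan and the entitlements from procurement records.
INVENTORY_CSV = """hostname,product,version
ws-001,Acme Office Pro,2023
ws-002,Acme Office Pro,2023
ws-003,acme office pro,2022
ws-004,Acme Office Pro,2023
ws-005,DiagramTool,7.1
ws-006,DiagramTool,7.1
srv-01,DataBase Server,15
ws-007,Acme  Office Pro,2023
"""

ENTITLEMENTS_CSV = """product,seats,proof_ref,expires
Acme Office Pro,3,INV-2023-0117,2026-12-31
DiagramTool,5,INV-2022-0042,2024-06-30
Archiver,10,INV-2021-0009,2027-01-01
"""


def normalise(name):
    """Fold case and whitespace so 'acme office pro' and 'Acme  Office Pro' match."""
    return " ".join(name.split()).casefold()


def load_installs(inventory_csv):
    """Count installations per normalised product name."""
    return Counter(normalise(r["product"]) for r in csv.DictReader(io.StringIO(inventory_csv)))


def load_entitlements(entitlements_csv, as_of):
    """Sum seats per product, separating entitlements that have expired as of `as_of`."""
    ents = {}
    for r in csv.DictReader(io.StringIO(entitlements_csv)):
        key = normalise(r["product"])
        e = ents.setdefault(key, {"active_seats": 0, "expired_seats": 0, "proof": []})
        seats = int(r["seats"])
        if date.fromisoformat(r["expires"]) < as_of:
            e["expired_seats"] += seats
        else:
            e["active_seats"] += seats
        e["proof"].append(r["proof_ref"])
    return ents


def reconcile(inventory_csv, entitlements_csv, as_of):
    """Return {product: {installed, entitled, delta, status, proof}} for every
    product seen in either source.
    Statuses: ok, over-deployed, no-entitlement, expired, unused."""
    installs = load_installs(inventory_csv)
    ents = load_entitlements(entitlements_csv, as_of)
    report = {}
    for key in sorted(set(installs) | set(ents)):
        installed = installs.get(key, 0)
        e = ents.get(key, {"active_seats": 0, "expired_seats": 0, "proof": []})
        entitled = e["active_seats"]
        delta = installed - entitled
        if installed == 0:
            status = "unused"            # paid-for seats with no installs: cost, not compliance
        elif not e["proof"]:
            status = "no-entitlement"    # installed with no proof of purchase at all
        elif entitled == 0 and e["expired_seats"] > 0:
            status = "expired"           # only lapsed entitlements cover these installs
        elif delta > 0:
            status = "over-deployed"     # the install vs. purchase delta is positive
        else:
            status = "ok"
        report[key] = {"installed": installed, "entitled": entitled, "delta": delta,
                       "status": status, "proof": e["proof"]}
    return report


def verdict(report):
    """Checklist test: any install not covered by a valid entitlement is Non-Compliant."""
    bad = {"over-deployed", "no-entitlement", "expired"}
    return "Non-Compliant" if any(v["status"] in bad for v in report.values()) else "Compliant"


if __name__ == "__main__":
    today = date(2025, 1, 15)  # constructed audit date
    rep = reconcile(INVENTORY_CSV, ENTITLEMENTS_CSV, today)
    print(f"{'product':<20}{'installed':>10}{'entitled':>10}{'delta':>7}  status")
    for product, v in rep.items():
        print(f"{product:<20}{v['installed']:>10}{v['entitled']:>10}{v['delta']:>7}  {v['status']}")
    print("Verdict:", verdict(rep))
```

Two points a lead auditor would want the evidence to show: product names from a scan rarely match procurement records exactly, so the reconciliation has to normalise before counting, and an entitlement that has lapsed is not proof of entitlement, so expiry dates must be part of the record, not just seat counts.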

10. Disposal of Licensed Assets Procedure Verified

Verification Criteria: Procedures exist to ensure that licences are retired or transferred, and software is wiped, when assets are decommissioned or disposed of.

Required Evidence: IT Asset Disposal (ITAD) certificates and decommissioning logs showing software removal prior to physical hardware destruction.

Pass/Fail Test: If hardware assets are disposed of with software and data intact without a record of licence deactivation/transfer, mark as Non-Compliant.

ISO 27001 Annex A 5.32 SaaS / GRC Platform Failure Checklist

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Licence Tracking | GRC tool identifies that a “Licence Policy” is uploaded. | Auditor must verify the Install vs. Purchase delta. A policy doesn’t stop over-deployment; only a technical scan does. |
| IP Ownership | SaaS tool verifies that “Contracts” are on file. | Verify the content. Generic NDAs often lack the specific IP assignment language required to legally own contractor-produced work. |
| Shadow IT | Tool identifies apps integrated via SSO. | Verify financial records. Business units often buy SaaS tools via credit card that bypass SSO, creating massive IPR risks. |
| OSS Compliance | Tool assumes Open Source is “Free” and therefore compliant. | Examine the SCA report. Usage of ‘GPL’ code in a closed-source product can lead to catastrophic legal forced disclosure. |
| Asset Disposal | Tool logs an asset as “Retired” in the DB. | Verify the disposal certificate. Licensed software on a discarded hard drive is an IPR breach and a data risk. |
| Software Keys | GRC tool marks keys as “Managed” if stored in a password manager. | Check the access control. If 50 people have access to a single ‘Global’ licence key vault, the control is fundamentally broken. |
| Installation Control | Tool confirms antivirus is active. | Antivirus is not IPR protection. Verify Application Control settings that specifically block .exe or .msi execution by standard users. |

About the author


Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
