4. Open Source Software (OSS) Compliance Verified

Verification Criteria: Use of open-source software is monitored to ensure compliance with specific licence types (e.g. GNU, MIT, Apache) and to avoid legal 'copyleft' risks. Required Evidence: OSS Inventory or Software Composition Analysis (SCA) report identifying all open-source libraries and their respective licences.

5. Software Media and Licence Key Security Confirmed

Verification Criteria: Physical and digital software media, including master copies and licence keys, are stored in a secure environment with restricted access. Required Evidence: Access control logs for the digital 'vault' or physical secure cabinet where original software media and keys are maintained.

6. Prohibition of Unauthorised Software Installation Verified

Verification Criteria: Technical controls or strictly enforced policies prevent personnel from installing unlicensed or unauthorised software on organisational assets. Required Evidence: Configuration settings for 'Standard User' profiles (removing Local Admin rights) or 'Application Whitelisting' logs from an MDM/EDR tool.

7. Intellectual Property Ownership Clauses in Contracts Confirmed

Verification Criteria: Employment and contractor agreements explicitly define the ownership of intellectual property created during the term of engagement. Required Evidence: Sampled employment contracts or contractor Master Service Agreements (MSAs) containing IP assignment clauses.

8. Digital Rights Management (DRM) and Watermarking Validated

Verification Criteria: Technical measures are implemented to protect the organisation's proprietary information from unauthorised copying or redistribution where applicable. Required Evidence: Configuration of DRM tools, document watermarking settings, or Data Loss Prevention (DLP) rules targeting proprietary 'fingerprinted' files.

9. Periodic Software Licence Audit Evidence Identified

Verification Criteria: The organisation performs periodic reconciliations of its software inventory against its licences to ensure ongoing legal compliance. Required Evidence: Internal audit reports or 'True-up' records from the last 12 months showing licence reconciliation activity.

10. Disposal of Licenced Assets Procedure Verified

Verification Criteria: Procedures exist to ensure that licences are retired or transferred, and software is wiped, when assets are decommissioned or disposed of. Required Evidence: IT Asset Disposal (ITAD) certificates and decommissioning logs showing software removal prior to physical hardware destruction.

ISO 27001 Annex A 5.32 Audit Checklist [+ Templates]

Q: 1. Intellectual Property Rights (IPR) Policy Formalisation Verified

Verification Criteria: A documented policy exists that defines the organisation's approach to protecting its own IPR and respecting the IPR of third parties, including software licencing. Required Evidence: Approved IPR Policy or integrated Legal Compliance Policy with specific sections on copyright, trademarks, and patents.

Q: 2. Software Asset Register Completeness Confirmed

Verification Criteria: An up-to-date inventory exists listing all software assets, including version numbers, install counts, and physical/logical locations. Required Evidence: Software Asset Management (SAM) database or a verified spreadsheet showing the current software estate.

Q: 3. Proof of Entitlement for Commercial Software Validated

Verification Criteria: The organisation possesses valid proof of ownership (licences, invoices, or digital entitlements) for all commercial software currently in use. Required Evidence: Original licence certificates, EULAs (End User Licence Agreements), or procurement invoices matched to the software inventory.

In this ultimate how to audit guide to ISO 27001 Annex A 5.32 Intellectual Property Rights, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Intellectual Property Rights (IPR) Policy Formalisation Verified
2. Software Asset Register Completeness Confirmed
3. Proof of Entitlement for Commercial Software Validated
4. Open Source Software (OSS) Compliance Verified
5. Software Media and Licence Key Security Confirmed
6. Prohibition of Unauthorised Software Installation Verified
7. Intellectual Property Ownership Clauses in Contracts Confirmed
8. Digital Rights Management (DRM) and Watermarking Validated
9. Periodic Software Licence Audit Evidence Identified
10. Disposal of Licenced Assets Procedure Verified

Auditing ISO 27001 Annex A 5.32 is a systematic review to ensure an organization legally protects its proprietary assets and adheres to software licensing agreements. The Primary Implementation Requirement centers on maintaining an accurate software asset register, delivering the Business Benefit of litigation avoidance and robust data governance.

1. Intellectual Property Rights (IPR) Policy Formalisation Verified

Verification Criteria: A documented policy exists that defines the organisation’s approach to protecting its own IPR and respecting the IPR of third parties, including software licencing.

Required Evidence: Approved IPR Policy or integrated Legal Compliance Policy with specific sections on copyright, trademarks, and patents.

Pass/Fail Test: If the organisation lacks a formal policy statement regarding the legal use of third-party software or proprietary data, mark as Non-Compliant.

2. Software Asset Register Completeness Confirmed

Verification Criteria: An up-to-date inventory exists listing all software assets, including version numbers, install counts, and physical/logical locations.

Required Evidence: Software Asset Management (SAM) database or a verified spreadsheet showing the current software estate.

Pass/Fail Test: If the inventory fails to account for SaaS-based applications or ‘Shadow IT’ identified during technical discovery, mark as Non-Compliant.

3. Proof of Entitlement for Commercial Software Validated

Verification Criteria: The organisation possesses valid proof of ownership (licences, invoices, or digital entitlements) for all commercial software currently in use.

Required Evidence: Original licence certificates, EULAs (End User Licence Agreements), or procurement invoices matched to the software inventory.

Pass/Fail Test: If the number of active software installations exceeds the number of legally purchased licences, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Intellectual Property Rights (IPR) Policy Formalisation Verified

2. Software Asset Register Completeness Confirmed

3. Proof of Entitlement for Commercial Software Validated