ISO 27001 Annex A 5.32 Intellectual Property Rights is a security control that mandates the strict management of software licenses and proprietary assets to ensure legal compliance and avoid litigation, ultimately providing a significant protection of organizational valuation and legal standing across all business operations.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.32 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.32 Intellectual Property Rights
ISO 27001 Annex A 5.32 is the “anti-piracy” and legal compliance control. It requires organizations to implement procedures ensuring they do not violate intellectual property laws (such as copyright or software licensing) and, conversely, that their own proprietary assets are legally protected.
Core requirements for compliance include:
- Software Asset Management (SAM): You must maintain a strict inventory of software installed on your network and match it against the licenses you own. If you have 50 users on Adobe Photoshop but only pay for 10 seats, you are non-compliant.
- Legal Source: All software must come from reputable sources. The use of “cracked,” pirated, or unauthorized key-generated software is a major non-conformity.
- Copyright Respect: This extends beyond software to content. Ensure staff understand they cannot simply take images, text, or audio from the internet for commercial use without permission.
- Open Source Governance: If you develop software, you must track open-source libraries to ensure you aren’t violating license terms (e.g., using GPL code in a proprietary product).
Audit Focus: This is often a “gotcha” control during audits. Auditors frequently perform a Spot Check: they will pick a random software application visible on an employee’s screen (e.g., WinZip, Visio, or a PDF editor) and ask: “Can you show me the invoice or license entitlement for this specific installation?”
Common Licensing Pitfalls:
| Licensing Pitfall Scenario | Compliance Failure Rationale | Recommended Corrective Action | ISO 27001:2022 Mapping |
|---|---|---|---|
| “Personal Use” Tools | Utilising free versions (e.g., TeamViewer, Malwarebytes) licensed exclusively for home or non-commercial use. | Formalise the procurement of “Commercial/Enterprise” licences for all organisational assets. | 5.32 (Intellectual property rights) |
| Expired Trials | Permitting 30-day trials to expire while retaining the software on production systems, violating end-user terms. | Establish an automated discovery and de-provisioning workflow for expired evaluation software. | 5.32 & 8.32 (Change management) |
| Font Licensing | Deploying commercial fonts on public-facing digital assets without the requisite server or web-use licensing. | Audit font libraries and ensure alignment between the licence tier (Desktop vs. Web) and the deployment environment. | 5.32 (Intellectual property rights) |
Table of contents
- What is ISO 27001 Annex A 5.32?
- What does intellectual property include?
- Watch the ISO 27001 Annex A 5.32 Tutorial
- ISO 27001 Annex A 5.32 Podcast
- ISO 27001 Annex 5.32 Implementation Guidance
- How to implement ISO 27001 Annex 5.32
- Licensing Checklist
- Applicability of ISO 27001 Annex A 5.32 across different business models.
- How to Audit ISO 27001 Annex A 5.32
- Fast Track ISO 27001 Annex A 5.32 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.32 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.32 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.32?
ISO 27001 Annex A 5.32 Intellectual Property Rights is an ISO 27001 control that requires you to understand the external intellectual property requirements placed on you and to implement them. Specifically, it is concerned with the legal, regulatory, statutory and contractual requirements that relate to intellectual property.
What is the purpose of ISO 27001 Annex 5.32?
The purpose of ISO 27001 Annex A 5.32 Intellectual Property Rights is to ensure you comply with legal, statutory, regulatory and contractual requirements related to intellectual property.
Organisations should have a clear understanding of their obligations when it comes to intellectual property in its many forms and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.32?
The ISO 27001 standard defines ISO 27001 Annex A 5.32 as:
The organisation should implement appropriate procedures to protect intellectual property rights.
ISO 27001:2022 Annex A 5.32 Intellectual Property Rights
What does intellectual property include?
The standard covers copyright in software and documents as well as the other legal forms of intellectual property, such as trademarks, patents and licences.
Watch the ISO 27001 Annex A 5.32 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.32 and how to pass the audit.
ISO 27001 Annex A 5.32 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.32 Intellectual Property Rights. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex 5.32 Implementation Guidance
Annex A 5.32 requires you to understand and record the intellectual property obligations that arise from any legal, statutory, regulatory or contractual requirement, and to protect anything that might be considered intellectual property.
Intellectual property topic specific policy
Have an ISO 27001 topic-specific policy on the protection of intellectual property rights that is agreed and communicated. A prewritten topic-specific policy on intellectual property is part of the ISO 27001 Policy Pack.
Procedures for intellectual property
You will develop and implement procedures and processes that deal with the compliance of intellectual property and that includes the use of software. Your policy and procedures will ensure that only licensed software and products are used and they are used in line with the intellectual property agreements.
Software license register
It is best practice to hold a register of all the software that you have and use and to record information related to it. You will consider recording the type of license, the license expiry, holding a copy of the license, any limitations of the license, how many copies you have purchased, how many are actually used and by whom.
Software use reviews
You will have the register, but you should also perform periodic reviews of what you are actually using. You want to be sure that you are using licensed products and that you are not exceeding the number of licence units purchased.
Software transfer and disposal
You will have in place processes and procedures for when you no longer use or need software or when it is transferred between users and entities.
Software Terms and Conditions
It goes without saying that you will comply with the terms and conditions of the software and products that you are using.
Copyright
You will respect the law and the copyright of others.
How to implement ISO 27001 Annex 5.32
Implementing ISO 27001 Annex A 5.32 ensures your organisation protects its most valuable assets: its ideas, code, and proprietary data. As an ISO 27001 Lead Auditor, I expect to see more than just a policy: I look for evidence that you have identified your intellectual property, managed your software licences, and legally protected your work. Follow these ten steps to formalise your Intellectual Property Rights (IPR) framework and satisfy rigorous audit requirements.
1. Formalise a Topic-Specific Policy on IPR
Formalise a mandatory IPR policy that defines the organisation’s approach to protecting its own assets and respecting third-party rights: this ensures a clear legal baseline is established across the workforce.
- Identify the specific legal and regulatory requirements for your jurisdiction.
- Define clear rules regarding the use of open-source software (OSS) and proprietary code.
- Document the consequences for policy violations to ensure staff accountability.
2. Provision IPR Details into the Asset Register
Provision the Asset Register to include specific classifications for intellectual property such as source code, patents, and trademarks: this provides the visibility needed to apply appropriate technical controls.
- Identify the “Owner” for every piece of intellectual property documented.
- Record the location of the assets, whether they reside in cloud repositories or on-premise servers.
- Link the IPR assets to your broader ISMS risk assessment process.
3. Provision Software Asset Management (SAM) Tools
Provision technical tools to monitor and manage software installations across the estate: this prevents the legal risk of running unlicensed or unauthorised software.
- Deploy agents to track software versioning and installation counts.
- Centralise the storage of licence keys and proof-of-purchase documentation.
- Identify and block the installation of “Shadow IT” or peer-to-peer software.
4. Audit Software Licences for Compliance
Audit your current software usage against active licence entitlements: this prevents litigation and financial penalties from software vendors.
- Compare tool-based installation reports with the master contract list.
- Ensure that subscription-based services (SaaS) are properly allocated to active users.
- Identify any surplus licences to reduce technical debt and operational costs.
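The register fields listed under "Software license register" and the reconciliation in step 4 can be run as a script rather than a spreadsheet exercise. The following Python is an added example, not code from this page or from the High Table toolkit: it compares a SAM agent's installation export with the licence register, raises one finding per non-conformity (unregistered software, personal-use-only EULAs, expired trials, over-deployment, missing proof of purchase, surplus seats) and answers the auditor's spot check of "which invoice covers this installation?". All product names, devices, invoice references, seat counts and the audit date are constructed sample data.

```python
"""Software licence reconciliation: installed software against the licence
register (added example, not the page's or the toolkit's own code). Every
record below is constructed sample data standing in for a SAM agent export
and the register described in the guide."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed audit date used by the worked run.
AUDIT_DATE = date(2026, 1, 15)

# Constructed SAM inventory: one row per (device, user, product) seen by the agent.
INSTALLED = [
    {"device": "LT-001", "user": "alice", "product": "PhotoEditor Pro"},
    {"device": "LT-002", "user": "bob", "product": "PhotoEditor Pro"},
    {"device": "LT-003", "user": "carol", "product": "PhotoEditor Pro"},
    {"device": "LT-002", "user": "bob", "product": "RemoteHelper Free"},
    {"device": "LT-004", "user": "dave", "product": "ZipTool"},
    {"device": "LT-005", "user": "erin", "product": "DiagramMaker"},
    {"device": "LT-001", "user": "alice", "product": "Office Suite"},
]

# Constructed licence register: seats None = unlimited installs, expires None = perpetual,
# evidence = invoice or entitlement reference the auditor can be shown.
REGISTER = {
    "PhotoEditor Pro": {"seats": 2, "expires": date(2027, 1, 1), "commercial_use": True, "evidence": "INV-1001"},
    "RemoteHelper Free": {"seats": None, "expires": None, "commercial_use": False, "evidence": None},
    "ZipTool": {"seats": 5, "expires": date(2025, 6, 30), "commercial_use": True, "evidence": "INV-0988"},
    "Office Suite": {"seats": 3, "expires": date(2026, 12, 31), "commercial_use": True, "evidence": "INV-1042"},
}


@dataclass(frozen=True)
class Finding:
    product: str
    issue: str
    detail: str


def reconcile(installed, register, today):
    """Compare installation counts with entitlements; return the non-conformities."""
    findings = []
    counts = Counter(row["product"] for row in installed)
    for product, used in counts.items():
        entry = register.get(product)
        if entry is None:
            findings.append(Finding(product, "UNREGISTERED", f"{used} installation(s) with no register entry"))
            continue
        if not entry["commercial_use"]:
            findings.append(Finding(product, "PERSONAL_USE_ONLY", "licence does not permit business use"))
        expired = entry["expires"] is not None and entry["expires"] < today
        if expired:
            findings.append(Finding(product, "EXPIRED", f"licence expired {entry['expires'].isoformat()}, still installed"))
        if entry["seats"] is not None and used > entry["seats"]:
            findings.append(Finding(product, "OVER_DEPLOYED", f"{used} installed, {entry['seats']} licensed"))
        if entry["commercial_use"] and entry["evidence"] is None:
            findings.append(Finding(product, "NO_EVIDENCE", "no invoice or entitlement reference held"))
    # Surplus seats on a valid licence are a cost finding rather than a legal one,
    # but step 4 asks for them; expired licences are skipped because they are already flagged.
    for product, entry in register.items():
        used = counts.get(product, 0)
        expired = entry["expires"] is not None and entry["expires"] < today
        if entry["seats"] is not None and not expired and used < entry["seats"]:
            findings.append(Finding(product, "SURPLUS", f"{entry['seats'] - used} unused seat(s)"))
    return findings


def evidence_for(device, product, installed=INSTALLED, register=REGISTER):
    """The auditor's spot check: which proof of purchase covers this installation?
    Returns None when the installation is unknown or no evidence is held."""
    if not any(r["device"] == device and r["product"] == product for r in installed):
        return None
    entry = register.get(product)
    return entry["evidence"] if entry else None


if __name__ == "__main__":
    for finding in reconcile(INSTALLED, REGISTER, AUDIT_DATE):
        print(f"{finding.issue:<18} {finding.product}: {finding.detail}")
    print("LT-001 / PhotoEditor Pro evidence:", evidence_for("LT-001", "PhotoEditor Pro"))
```

The findings map directly onto the pitfalls table earlier on the page: the free remote-support tool is flagged as personal-use-only, the archiver whose trial lapsed is flagged as expired, and the three editor installations against two seats are flagged as over-deployed. Running this from the SAM tool's scheduled export gives the periodic review evidence that the "Software use reviews" section asks for.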
5. Review and Formalise Employment Agreements
Review all employment and contractor agreements to ensure they contain enforceable IPR ownership clauses: this ensures that any work created for the business remains the property of the organisation.
- Ensure the “Work for Hire” principle is explicitly documented in all contracts.
- Include non-disclosure agreements (NDAs) as a standard requirement for all staff.
- Review the Rules of Engagement (ROE) documents for third-party consultants.
6. Provision Role-Based Access Control (RBAC) via IAM
Provision strict Identity and Access Management (IAM) roles to limit access to sensitive IPR: this ensures that only authorised personnel can view or modify proprietary information.
- Apply the principle of least privilege to source code repositories and design documents.
- Mandate Multi-Factor Authentication (MFA) for all administrative or developer-level access.
- Review access logs monthly to identify any anomalous behaviour surrounding IPR assets.
7. Implement Technical Labelling and Digital Watermarking
Implement a labelling scheme that identifies proprietary information through metadata or visible watermarks: this ensures that users are aware of the sensitivity and legal status of the data they handle.
- Use automated Data Loss Prevention (DLP) tools to scan for and label sensitive content.
- Apply digital signatures to proprietary software releases to ensure integrity and origin.
- Document the labelling standard within your Information Classification Policy.
8. Audit Third-Party Supplier and Client Contracts
Audit the security and IPR clauses within third-party contracts: this ensures that your suppliers respect your intellectual property and that you are not infringing on theirs.
- Verify that vendors are contractually obligated to protect your sensitive data.
- Check for “Right to Audit” clauses to verify vendor compliance with IPR protections.
- Identify any specific contractual requirements for the return or destruction of data upon contract termination.
9. Revoke Access and Manage Secure Disposal
Revoke access rights immediately upon a member of staff or contractor leaving the organisation: this prevents the unauthorised exfiltration of proprietary data post-employment.
- Automate the “Leaver” process within your IAM system.
- Verify that physical assets, such as laptops containing IPR, are returned and securely wiped.
- Collect signed exit statements reminding leavers of their ongoing legal obligations regarding IPR.
10. Audit the Effectiveness of IPR Controls Regularly
Audit your IPR controls through the internal audit programme to verify ongoing compliance: this provides the final assurance needed for a successful ISO 27001 certification audit.
- Test a sample of software installations to verify they match the licence register.
- Review a sample of recent employee contracts to ensure compliance clauses are present.
- Document all findings in the Corrective Action Log to drive continuous ISMS improvement.
I’ve sat in the Auditor’s chair for 30 years. Use the exact system and tools I use to guarantee a pass.
Licensing Checklist
| Item to Check | Why? | Evidence Required |
|---|---|---|
| Paid Software | Prevent piracy fines. | Invoice + licence key. |
| Open Source | Licence compliance (GPL/MIT). | Library inventory (SBOM). |
| Fonts / Images | Copyright infringement. | Stock photo receipt. |
| Freeware | “Free for Personal Use” trap. | EULA review (commercial use check). |
Applicability of ISO 27001 Annex A 5.32 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Focuses on protecting basic commercial assets and ensuring legal use of third-party tools. The goal is to prevent legal liability from unlicensed software and ensure the business owns the work produced by its staff. | |
| Tech Startups | Critical for securing the company’s valuation, which is often tied directly to its proprietary code and trade secrets. Focus is on preventing IP leakage and managing Open Source Software (OSS) risks. | |
| AI Companies | Vital for protecting unique competitive advantages like model weights, specialized training datasets, and novel algorithms. Focus is on high-value IP that is easily portable and high-risk. | |
How to Audit ISO 27001 Annex A 5.32
Auditing ISO 27001 Annex A 5.32 requires a technical deep dive into how your organisation identifies, protects, and respects intellectual property rights. As a Lead Auditor, I am looking for evidence that goes beyond a simple policy: I want to see technical asset mapping, software licensing reconciliations, and airtight contractual clauses. Use this 10-step technical roadmap to ensure your IPR controls are robust enough to withstand a certification audit.
1. Audit the Intellectual Property Rights (IPR) Policy
Audit the topic-specific policy for IPR to confirm it defines the organisation’s approach to protecting internal assets and respecting third-party rights: this establishes the legal and procedural baseline for the entire ISMS.
- Verify that the policy explicitly covers copyright, patents, trade secrets, and proprietary software.
- Check for clear definitions of “Work for Hire” to ensure the organisation owns staff-generated code.
- Confirm the policy is reviewed annually and signed off by senior management.
2. Inspect the Asset Register for IPR Mapping
Inspect the Asset Register to ensure that all proprietary information and software assets are identified and classified: this provides the visibility required to apply granular security controls to high-value assets.
- Review the register for entries including source code, design documents, and unique datasets.
- Verify that an “Asset Owner” is assigned to every piece of intellectual property.
- Check that the classification levels (e.g., Highly Confidential) align with the sensitivity of the IP.
3. Review Software Licence Reconciliations
Review the organisation’s software asset management records to verify that all installed software is legally licensed: this prevents the significant legal risks and financial penalties associated with software piracy.
- Compare technical scan reports of installed software against the master licence inventory.
- Audit proof-of-purchase documentation for critical business applications.
- Verify that subscription-based SaaS licences are active and properly allocated.
4. Audit IAM Roles for Code Repositories
Audit Identity and Access Management (IAM) roles for all source code repositories and design platforms: this ensures that access to the organisation’s core IP follows the principle of least privilege.
- Inspect access control lists (ACLs) for platforms such as GitHub, GitLab, or Azure DevOps.
- Verify that developers only have access to the specific repositories required for their current sprints.
- Audit the process for revoking access to repositories within 24 hours of staff departure.
5. Verify MFA for IPR Access Points
Verify that Multi-Factor Authentication (MFA) is mandated for every technical interface that hosts or manages intellectual property: this provides a critical defensive layer against credential theft and unauthorised data exfiltration.
- Check configuration settings on cloud storage, code repos, and knowledge bases.
- Ensure MFA is enforced for all administrative accounts and privileged users.
- Review logs for any instances where MFA was bypassed or disabled.
6. Examine Employment and Contractor Agreements
Examine a sample of employment and third-party contractor contracts for enforceable IPR and non-disclosure clauses: this confirms that the legal ownership of work is correctly assigned to the organisation.
- Verify the presence of signed Non-Disclosure Agreements (NDAs) for all technical staff.
- Check for “Assignment of Rights” clauses that transfer IP ownership from contractors to the business.
- Review the Rules of Engagement (ROE) documents for third-party security testers and consultants.
7. Audit Open Source Software (OSS) Management
Audit the procedures for using and managing open-source software libraries within internal development projects: this prevents legal breaches related to “copyleft” licences and attribution requirements.
- Review the list of approved OSS libraries used in production code.
- Check for automated tools (e.g., SCA tools) that scan for licence compatibility and vulnerabilities.
- Verify that the organisation maintains a Software Bill of Materials (SBOM) for its products.
8. Inspect Digital Labelling and Watermarking
Inspect the implementation of technical labelling and watermarking on sensitive documents and software builds: this ensures that proprietary information is clearly identifiable and discourages unauthorised sharing.
- Verify that metadata in design files includes the organisation’s copyright notice.
- Check for automated Data Loss Prevention (DLP) rules that trigger based on IPR labels.
- Confirm that external-facing documents contain clear “Proprietary and Confidential” footers.
9. Audit Asset Disposal and Data Purging Logs
Audit the disposal logs for decommissioned hardware and storage media to ensure IP is securely destroyed: this prevents the accidental disclosure of proprietary information via legacy equipment.
- Verify certificates of destruction for all physical disks and servers.
- Check that cloud-based volumes were securely wiped before being released back to the provider’s pool.
- Inspect the Asset Register to ensure disposed assets are formally decommissioned.
10. Audit Records of IPR Non-Compliance
Audit the records of any identified licensing breaches or IPR violations and the resulting corrective actions: this provides evidence that the organisation actively monitors compliance and drives continuous improvement.
- Review the incident log for any reports of unauthorised software use.
- Verify that corrective actions were taken to remediate the root cause of the breach.
- Check for evidence of “lessons learned” being fed back into the security awareness training programme.
Fast Track ISO 27001 Annex A 5.32 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.32 (Intellectual property rights), the requirement is to implement appropriate procedures to protect intellectual property (IP) and ensure compliance with legal, statutory, regulatory, and contractual obligations regarding IP. This involves protecting your own IP (like proprietary code or designs) and ensuring you don’t infringe on others’ IP (like software licenses).
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Legal Ownership | Rents access to your legal standards; if you cancel the subscription, your documented IP rules and license history vanish. | Permanent Assets: Fully editable Word/Excel IP Policies and License Registers that you own forever. | A localized “Intellectual Property Rights Policy” defining proprietary code ownership and open-source rules. |
| Operational Utility | Attempts to “automate” licence tracking via dashboards that cannot stop developers from misusing licensed code. | Governance-First: Formalizes your existing legal workflows and asset management into an auditor-ready framework. | A completed “Software License Register” proving that all installed software is legally acquired and maintained. |
| Cost Efficiency | Charges an “Asset Tax” based on the number of legal documents or licensed items, creating perpetual overhead. | One-Off Fee: A single payment covers your IP governance for 10 licenses or 1,000. | Allocating budget to patents or trademarks rather than paying monthly “platform” fees to track them. |
| Strategic Freedom | Mandates rigid reporting formats that may not align with your specific development lifecycle or niche IP requirements. | 100% Agnostic: Procedures adapt to any environment—from software houses to service firms—without technical limits. | The ability to evolve your IP protection methods and license management without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.32, the auditor wants to see that you have a formal process for protecting intellectual property and ensuring license compliance. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.32 Applicable Laws and Related Standards
| Standard / Law | Relevant Control / Article | Mapping and Requirements |
|---|---|---|
| NIST CSF v2.0 | PR.DS-01, GV.OC-03 | Requires that intellectual property is identified as a high-value asset and protected through data-at-rest encryption and legal/regulatory lifecycle management. |
| EU GDPR / UK GDPR | Article 32, Recital 47 | Mandates technical measures to protect proprietary databases. The “Accountability” principle requires organisations to prove legal software usage and license compliance. |
| UK Data (Use and Access) Act 2025 | Smart Data & Portability Clauses | Requires high security thresholds for “Smart Data” schemes, ensuring proprietary business logic and IPR are protected during mandatory data-sharing events. |
| EU AI Act | Article 53, Article 10 | Mandates that high-risk AI providers document the use of copyrighted training data and implement controls to protect model “weights” from unauthorised extraction. |
| ISO/IEC 42001 (AI) | Annex A.10.2 | Directly addresses the management of IPR within AI Management Systems, specifically regarding model output ownership and training dataset licensing. |
| NIS2 Directive (EU) | Article 21 (2)(f) | Mandates supply chain security, requiring entities to ensure software assets in their infrastructure are legally licensed, authentic, and secure. |
| DORA (EU) | Articles 8 and 9 | Financial entities must protect the integrity of ICT assets, including proprietary trading software, ensuring license compliance to mitigate operational risks. |
| Cyber Security & Resilience Bill (UK) | Article 11 (MSP Obligations) | Requires Managed Service Providers to validate licensing for all tools used to manage client environments to prevent cascading legal and security risks. |
| SOC 2 (Trust Services Criteria) | CC 5.1, CC 6.1 | Under the Common Criteria, organisations must demonstrate that access to proprietary software, source code, and design data (IPR) is restricted to authorised users. |
| EU Product Liability Directive (PLD) | Article 4 (Defectiveness) | Classifies software as a product; the use of pirated code or failure to manage IPR/software versions can be used as evidence of a “product defect” in litigation. |
| CIRCIA (USA) | Section 2242 | Theft of high-value IPR (such as critical source code or proprietary algorithms) triggers mandatory 72-hour incident reporting for critical infrastructure sectors. |
| ECCF (EU Cybersecurity Cert) | High Assurance Labels | To achieve “Substantial” or “High” labels, providers must prove IPR ownership and maintain a Software Bill of Materials (SBOM) showing legal licensing. |
| HIPAA (USA) | 164.308(a)(1) | Administrative Safeguards: requires protection of healthcare software. The use of unlicensed or “cracked” medical software is defined as a violation of security rules. |
| CCPA / CPRA (California) | 1798.150 | Allows for statutory damages if a breach occurs due to “unreasonable security.” Protecting proprietary IPR from exfiltration is a core component of reasonable care. |
| WIPO Treaties | Copyright & Patent Clauses | Annex A 5.32 serves as the technical implementation of international WIPO requirements for protecting copyright and proprietary information within an ISMS. |
The AI Copyright Minefield: Training Data and Code Generation
The introduction of AI has completely rewritten the rulebook on Intellectual Property. In 2026, the biggest audit failures under Annex A 5.32 are coming from software development teams and marketing departments using AI tools without legal guardrails. As an auditor, I want to see that you have documented policies covering the ingest of copyrighted data and the ownership of AI outputs.
| AI Use Case | The IP Security Risk | The Auditor’s Requirement (Annex A 5.32) |
|---|---|---|
| AI Code Assistants (e.g., Copilot) | The AI suggests a code snippet that is protected by a restrictive “Copyleft” (GPL) licence, infecting your proprietary codebase. | Mandatory automated Software Composition Analysis (SCA) to scan all AI-generated code for licence violations before deployment. |
| Training Proprietary Models | Scraping the internet for training data without respecting “robots.txt” or copyright notices, leading to massive litigation. | A documented “Data Provenance Log” proving that all training data was legally acquired or licensed for commercial use. |
| AI Content Generation | Marketing teams using AI image generators that infringe on the trademarked styles of specific artists or brands. | A formally updated Acceptable Use Policy (Annex A 5.10) detailing which AI tools are cleared for commercial content creation. |
| Claiming IP on AI Outputs | The business attempts to patent or copyright an algorithm or document that was 100 percent generated by an AI. | Legal review guidelines determining the threshold of “human authorship” required to claim IP ownership. |
Shadow AI: The Silent IP Killer
If your developers are pasting your proprietary, highly classified source code into public LLMs to “find a bug,” they are literally handing your intellectual property to a third party. Public AI models often use user inputs as training data. This is a catastrophic breach of Annex A 5.32 and Annex A 5.33 (Protection of Records).
- Technical Blocking: I expect to see Data Loss Prevention (DLP) tools or web proxies actively blocking the upload of proprietary code or financial data to unsanctioned AI platforms.
- Sanctioned Alternatives: You must provide your staff with secure, enterprise-licensed AI tools where the vendor contract explicitly guarantees “Zero Data Retention for Training.”
- Contractual Enforcement: Your employee contracts must explicitly classify the uploading of company data to public AI tools as gross misconduct.
The Software Bill of Materials (SBOM) for 2026
You cannot protect what you cannot see. If your company builds software, relying on a manual spreadsheet of open-source libraries will fail my audit. In 2026, compliance with Annex A 5.32 requires a dynamic Software Bill of Materials (SBOM).
- Automated Generation: Your CI/CD pipeline must automatically generate an SBOM for every software build.
- Licence Compatibility Checks: The SBOM must explicitly list the licence type (MIT, Apache, GPL) for every dependency.
- Legal Review Triggers: Any introduction of a new “Copyleft” licence must automatically halt the build until the Legal or Compliance team provides a documented sign-off.
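The three SBOM requirements above, the OSS audit step earlier (approved libraries, SCA tooling, SBOM) and the SCA scan of AI-generated code from the AI table all come down to the same pipeline gate. The Python below is an added example, not the page's or any vendor's code: it parses a CycloneDX-style SBOM emitted by the build, classifies each dependency's SPDX licence as permissive, weak copyleft, strong copyleft or unknown, and returns a halt decision unless Legal has recorded a sign-off for the offending component. The SBOM document, the licence classification sets, the component names and the "LEGAL-nnnn" exception references are all constructed assumptions; a real policy would use the Legal team's own lists. It also handles dual-licensing expressions ("MIT OR GPL-2.0-only"), which a naive string match would wrongly block.

```python
"""CI licence gate over a CycloneDX-style SBOM (added example, not code from the
page or the High Table toolkit). The SBOM text, the classification sets and the
exception-ticket format are constructed assumptions for the demonstration."""
import json

# Constructed minimal CycloneDX 1.5 document standing in for the build's SBOM output.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "leftpad-ng", "version": "1.0.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "fastcodec", "version": "0.9.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "netutil", "version": "3.2.0",
     "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
    {"type": "library", "name": "dualpkg", "version": "2.0.0",
     "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    {"type": "library", "name": "mystery-lib", "version": "0.1.0"}
  ]
}"""

# Policy classes (assumption: the real lists belong to Legal/Compliance, not to this script).
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}
SEVERITY = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}
BY_SEVERITY = {rank: name for name, rank in SEVERITY.items()}


def classify_id(spdx_id):
    """Map one SPDX identifier to a policy class; anything unrecognised is 'unknown'."""
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"


def classify_expression(expr):
    """'A OR B' lets the consumer pick the less restrictive side; 'A AND B' binds to both."""
    alternatives = []
    for alt in expr.split(" OR "):
        parts = [p.strip("() ") for p in alt.split(" AND ")]
        alternatives.append(max(SEVERITY[classify_id(p)] for p in parts))
    return BY_SEVERITY[min(alternatives)]


def classify_component(component):
    """Return (policy class, human-readable licence label) for one component.
    Several licence entries on one component are treated conservatively as all applying."""
    licences = component.get("licenses") or []
    if not licences:
        return "unknown", "no licence declared"
    worst, labels = 0, []
    for entry in licences:
        if "expression" in entry:
            label = entry["expression"]
            cls = classify_expression(label)
        else:
            lic = entry.get("license", {})
            label = lic.get("id") or lic.get("name") or "unnamed"
            cls = classify_id(label)
        worst = max(worst, SEVERITY[cls])
        labels.append(label)
    return BY_SEVERITY[worst], ", ".join(labels)


def evaluate(sbom_json, exceptions):
    """Gate decision for one build. `exceptions` maps component name to the Legal
    sign-off reference; strong copyleft or unknown licences halt the build without one,
    weak copyleft is listed for review, everything else is cleared."""
    sbom = json.loads(sbom_json)
    result = {"halt": False, "blocking": [], "review": [], "excepted": [], "cleared": []}
    for comp in sbom.get("components", []):
        cls, label = classify_component(comp)
        ref = f"{comp['name']} {comp.get('version', '?')} ({label})"
        if comp["name"] in exceptions:
            result["excepted"].append(f"{ref} signed off: {exceptions[comp['name']]}")
        elif cls in ("strong-copyleft", "unknown"):
            result["blocking"].append(ref)
        elif cls == "weak-copyleft":
            result["review"].append(ref)
        else:
            result["cleared"].append(ref)
    result["halt"] = bool(result["blocking"])
    return result


if __name__ == "__main__":
    verdict = evaluate(SBOM_JSON, {})
    print("HALT BUILD" if verdict["halt"] else "build may proceed")
    for bucket in ("blocking", "review", "excepted", "cleared"):
        for item in verdict[bucket]:
            print(f"  {bucket:<9} {item}")
```

Wiring this as a required job after the SBOM-generation step gives the "halt until sign-off" behaviour the bullets describe: an undeclared licence is treated as a block rather than a pass, because an auditor cannot accept "we did not know what it was licensed under" as evidence, and the exception map is the documented sign-off record that step 7 of the audit roadmap asks to see.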
The Auditor’s Secret “Trick” Questions for 5.32
When I am looking to test the true maturity of your Intellectual Property controls, I will ask these three questions. Prepare your answers now.
- “Show me the commercial licence for your web fonts.” Most companies buy a “Desktop” licence for a font and then illegally embed it into their website code. This is an instant non-conformity.
- “If I quit tomorrow and start a competitor, what technical control stops me taking the source code?” Having an NDA is a legal control. I want to see the technical control: such as disabling USB ports, restricting GitHub clone rights, or using DRM on sensitive documents.
- “Show me the proof of purchase for the software running on the CEO’s laptop.” Senior management often bypasses the IT procurement desk. If the CEO is running an unlicensed copy of Microsoft Project, the entire organisation fails the control.
People Also Asked: ISO 27001 Annex A 5.32 Advanced
Can we copyright code that was generated by AI?
Under current 2026 legal frameworks in the UK and EU, purely AI-generated code cannot be copyrighted. You can only claim Intellectual Property on code where there is a significant, provable element of human authorship. Your IPR policy must reflect this legal reality.
What is a “Copyleft” licence and why does ISO 27001 care?
A “Copyleft” licence (like the GPL) states that if you use the open-source code in your product, you must release your entire product’s source code for free under the same licence. If your developers accidentally include a GPL library in your commercial software, you could lose the rights to your proprietary IP. Annex A 5.32 requires strict controls to prevent this.
How do we prove IP ownership to an ISO 27001 auditor?
Auditors look for the “Work for Hire” clause in your standard employment contracts, signed IP assignment agreements for all external contractors, and a formally maintained Asset Register that clearly names the organisation as the legal owner of the code, designs, and datasets.
The Lead Auditor Final Verdict
Annex A 5.32 is not just an IT problem: it is a severe legal and financial risk. The days of sharing a single software licence key across the office are over. In the age of AI and open-source complexities, you must have automated tracking and absolute contractual clarity. If you use the High Table ISO 27001 Toolkit, you get the exact Asset Registers, IPR Policies, and Acceptable Use guidelines that I approve every single week in live audits.
Trade Secrets vs Patents: The ISO 27001 Defence
There are two ways to protect your intellectual property: Patents (which make your invention public but legally protected) and Trade Secrets (which keep your invention hidden). In 2026, many AI and tech companies are opting for Trade Secrets because algorithms change too fast to patent. However, under international law, a Trade Secret is only legally enforceable if you can prove you took “reasonable steps” to keep it secret. ISO 27001 Annex A 5.32 is your legal proof.
| Trade Secret Defence Layer | The Legal Requirement | Annex A 5.32 Technical Evidence |
|---|---|---|
| Identification | The secret must be clearly defined and known to the business. | The Asset Register explicitly tags the algorithm or dataset as “Trade Secret / Highly Confidential”. |
| Access Restriction | The secret cannot be accessible to the general workforce. | Role-Based Access Control (RBAC) logs proving only three developers had access to the source code repository. |
| Contractual Binding | Anyone seeing the secret must be legally bound to silence. | Signed NDAs and specific IP Assignment clauses in employment contracts. |
| Technical Enforcement | Active measures must prevent accidental or malicious sharing. | Data Loss Prevention (DLP) rules preventing the code from being emailed or uploaded to personal cloud drives. |
The M&A Nightmare: IP Due Diligence
If your startup is looking for an exit, acquisition, or Series B funding, the acquiring company will perform brutal technical due diligence. If they find that your core product was built using improperly licensed open-source code (like a GPL violation), the valuation of your company drops to zero overnight. Annex A 5.32 is not just a compliance exercise: it is asset protection.
- The Clean Room Audit: I expect to see that you have a process for ensuring developers do not copy-paste code from previous employers. If you are reverse-engineering a competitor’s product, you must have a documented “Clean Room Design” policy to prove no copyright infringement occurred.
- The SBOM Verification: Investors will demand your Software Bill of Materials. If your Annex A 5.32 process automatically generates and legally clears your SBOM, you pass due diligence in days instead of months.
- Freelancer IP Waivers: Startups often use offshore freelancers to build early code. If you do not have a signed IP handover document from that freelancer (dated before the code was merged), you do not legally own your product.
The Insider Threat: The 30-Day Leaver Window
The single biggest threat to your Intellectual Property Rights is not a Russian hacker: it is your lead developer leaving to join a competitor. Industry statistics show that 70 percent of IP theft occurs in the 30 days before an employee hands in their notice. Your Annex A 5.32 controls must intersect tightly with your HR processes.
- Behavioural Analytics: Your monitoring tools should flag massive code downloads, unusual USB activity, or bulk printing by staff who have recently accessed restricted IP.
- The Exit Interview Legal Lock: When an employee leaves, the exit interview must include a formal, signed declaration that they have returned all proprietary data and deleted all local copies of company IP.
- Immediate Revocation: Access to source code and proprietary AI models must be revoked the second the resignation is accepted, transitioning the employee to non-sensitive tasks for their notice period.
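The behavioural-analytics flag described above (bulk source-code downloads by staff who recently touched restricted IP) can be expressed as a small detection rule. The Python below is an added example, not code from this guide or from the High Table toolkit; the audit-log format, the user and repository names, the set of repositories tagged as restricted IP and the 200 MB threshold are all constructed assumptions that a real deployment would replace with its own repository audit export and asset-register tags.

```python
"""Detect bulk clone activity against restricted-IP repositories.

Constructed example: the log format (timestamp user action repo bytes) and
the restricted-repository list are assumptions, not a real product format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one clone event per line.
SAMPLE_LOG = """\
2026-03-01T09:00:00Z alice clone core-algo 120000000
2026-03-01T09:05:00Z alice clone pricing-model 95000000
2026-03-01T09:07:00Z alice clone infra-scripts 40000000
2026-03-01T10:00:00Z bob clone docs 2000000
2026-03-02T11:00:00Z bob clone core-algo 1000000
"""

# Repositories tagged "Trade Secret / Highly Confidential" in the asset register (assumed).
RESTRICTED_REPOS = {"core-algo", "pricing-model"}
BULK_BYTES = 200_000_000          # assumed threshold; tune to the team's normal clone volume
WINDOW = timedelta(hours=24)      # sliding window over which volume is summed


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, repo, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "repo": repo, "bytes": int(nbytes),
        })
    return events


def flag_bulk_downloads(events, bulk_bytes=BULK_BYTES, window=WINDOW):
    """Return {user: peak_window_bytes} for users whose clone volume inside any
    sliding window exceeds bulk_bytes AND includes a restricted repository.
    Users who clone large but unrestricted repositories are not flagged."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "clone":
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            total = sum(x["bytes"] for x in win)
            touched_restricted = any(x["repo"] in RESTRICTED_REPOS for x in win)
            if touched_restricted and total > bulk_bytes:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts


if __name__ == "__main__":
    for user, volume in flag_bulk_downloads(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} cloned {volume // 1_000_000} MB incl. restricted IP within 24h")
```

The rule deliberately requires both conditions (volume and a restricted repository) so that a developer legitimately cloning a large monorepo does not generate noise; in practice the alert would be routed to HR-aware review rather than acted on automatically, and the threshold should be derived from baseline clone volumes rather than guessed.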
Digital Rights Management (DRM) and Watermarking
If you are sharing highly sensitive IP (like unreleased product designs or financial algorithms) with a third party, a paper NDA is not enough. You must apply technical controls to enforce your Intellectual Property Rights once the data leaves your perimeter.
- Document DRM: Implement tools (like Azure Information Protection) that restrict the ability to print, forward, or copy text from sensitive PDFs and Word documents.
- Time-Bombing: Ensure shared IP documents automatically expire and become unreadable after the vendor contract or tender process ends.
- Digital Watermarking: Embed invisible, traceable metadata into your images, videos, and datasets. If your IP leaks online, the watermark provides the forensic proof required to issue a successful DMCA takedown notice.
ISO 27001 Annex A 5.32 FAQ
What is ISO 27001 Annex A 5.32?
ISO 27001 Annex A 5.32 (previously A.18.1.2) is an organisational control that mandates the protection of intellectual property rights (IPR) to ensure compliance with legal, regulatory, and contractual obligations. It requires organisations to identify all proprietary assets and verify that all software in use is legally acquired to prevent litigation and operational disruption.
- It covers the protection of software licences, patents, trademarks, and copyrights.
- It requires organisations to prevent the use of unlicensed software and unauthorised copying of materials.
- It ensures the organisation retains ownership of intellectual property created by employees or contractors.
- It is a key component of the legal and regulatory compliance requirement of the ISMS.
Is a software licence register mandatory for ISO 27001?
Yes, maintaining an accurate and up-to-date register of all software licences is a mandatory requirement to demonstrate compliance with Annex A 5.32. This register is the primary evidence used during Stage 1 and Stage 2 audits to prove that the organisation is not using “shadow IT” or pirated software.
- The register must track the number of licences purchased versus the number of installations.
- Auditors will look for proof that the organisation is not using “shadow IT” or pirated software.
- It helps manage expiry dates to avoid operational disruption or legal penalties.
- Proof of purchase (invoices or digital certificates) must be readily available as audit evidence.
How do organisations manage software licence compliance?
Organisations manage software licence compliance by implementing technical Software Asset Management (SAM) tools to reconcile installed instances against active entitlements. With approximately 37% of software globally being unlicensed, auditors require evidence of regular reconciliations and technical blocks on unauthorised software installations to mitigate legal risks.
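The reconciliation that SAM tooling performs, and that the licence register questions above describe, comes down to comparing unique installations per device against purchased seats, and checking expiry and proof of purchase. The Python below is an added example of that reconciliation, not code from this guide or from any SAM product; the inventory export, the licence register fields, the product names and the invoice references are constructed assumptions.

```python
"""Reconcile installed software against a licence register.

Constructed example: the inventory rows, register fields and invoice
numbers are assumptions standing in for a real SAM export.
"""
from collections import Counter
from datetime import date

# Constructed inventory export: one (hostname, product) row per detected installation.
INVENTORY = [
    ("ws-01", "Adobe Photoshop"),
    ("ws-02", "Adobe Photoshop"),
    ("ws-03", "Adobe Photoshop"),
    ("ws-01", "Adobe Photoshop"),     # duplicate scan of the same host: must not double count
    ("ws-04", "JetBrains IntelliJ"),
    ("ws-05", "Unknown Tool"),        # nothing in the register: shadow IT
]

# Constructed licence register: product -> entitlement (seats, expiry, proof of purchase).
LICENCE_REGISTER = {
    "Adobe Photoshop":    {"seats": 2, "expires": date(2026, 12, 31), "proof": "INV-1001"},
    "JetBrains IntelliJ": {"seats": 5, "expires": date(2026, 1, 31),  "proof": "INV-1002"},
}


def reconcile(inventory, register, today):
    """Return {product: [findings]}; an empty list means the product is compliant.

    Installations are deduplicated per host so a device scanned twice counts once,
    which matches how per-device licences are normally counted."""
    unique_installs = {(host, product) for host, product in inventory}
    per_product = Counter(product for _, product in unique_installs)

    findings = {}
    for product, count in sorted(per_product.items()):
        issues = []
        entitlement = register.get(product)
        if entitlement is None:
            issues.append("no entitlement on record (unlicensed / shadow IT)")
        else:
            if count > entitlement["seats"]:
                issues.append(f"over-deployed: {count} installs vs {entitlement['seats']} seats")
            if entitlement["expires"] < today:
                issues.append(f"licence expired on {entitlement['expires'].isoformat()}")
            if not entitlement.get("proof"):
                issues.append("no proof of purchase on file")
        findings[product] = issues
    return findings


def run_example():
    """Run the reconciliation against the constructed data as of 2026-03-01."""
    return reconcile(INVENTORY, LICENCE_REGISTER, date(2026, 3, 1))


if __name__ == "__main__":
    for product, issues in run_example().items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{product}: {status}")
```

Run regularly (for example monthly) and kept with its output, this kind of report is the evidence an auditor will ask for under this control: each finding maps to a register row, and the "no entitlement" case is exactly the shadow IT the Stage 2 audit is looking for.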
Does ISO 27001 cover copyright protection for internal data?
Yes, ISO 27001 requires that all proprietary information and creative works produced by the organisation are protected under relevant copyright laws. This ensures that the Information Security Management System (ISMS) safeguards the organisation’s competitive advantage and proprietary research from unauthorised exfiltration.
- Employment contracts must explicitly state that IP created during work hours belongs to the employer.
- Access controls should be implemented to prevent unauthorised copying of source code or research.
- Watermarking or digital rights management (DRM) can be used as technical evidence of protection.
- Third-party NDAs should include clauses that define IP ownership and usage rights.
How does ISO 27001 address open-source software (OSS)?
ISO 27001 mandates that organisations using open-source software (OSS) must comply with the specific licence terms (e.g., GPL, MIT) associated with those libraries. Failure to manage OSS properly can lead to “licence contamination,” where proprietary code is legally forced into the public domain.
- You must maintain a Software Bill of Materials (SBOM) to track open-source dependencies.
- Risk assessments should evaluate the security and legal impact of specific OSS licences.
- Usage must align with the organisation’s “Acceptable Use Policy” and legal standards.
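Both the "SBOM Verification" point in the M&A section and the open-source FAQ above rely on the same step: reading the Software Bill of Materials and checking each component's licence against a policy that blocks strong copyleft (and undeclared) licences in a proprietary, distributed product. The Python below is an added example of that licence gate, not code from this guide or from any SBOM tool; the SBOM content, the component names and the licence-category lists are constructed assumptions, and the SBOM is a minimal subset of the CycloneDX JSON layout rather than a complete document.

```python
"""Licence-policy gate over a CycloneDX-style SBOM.

Constructed example: the SBOM below is a hand-written subset of the
CycloneDX JSON format, and the category tables are an assumed policy.
"""
import json

# Constructed SBOM: components may declare a single SPDX id or an SPDX expression.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "requests", "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "readline", "version": "8.2",    "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "glibc",    "version": "2.38",   "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"name": "dual-lib", "version": "1.0",    "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
    {"name": "mystery",  "version": "0.1"}
  ]
}
"""

# Assumed policy categories keyed by SPDX identifier (not an exhaustive list).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
                 "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def classify(spdx_id):
    """Map an SPDX identifier to a policy category; anything unrecognised is 'unknown'."""
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def entry_alternatives(entry):
    """Expand one CycloneDX licence entry into alternative sets of ids.

    'A OR B' yields [{A}, {B}] (either satisfies), 'A AND B' yields [{A, B}]
    (both must be acceptable). Nested parentheses are not handled here."""
    if "license" in entry:
        lic = entry["license"]
        return [{lic.get("id") or lic.get("name", "NOASSERTION")}]
    expression = entry.get("expression", "")
    return [{term.strip() for term in alt.split(" AND ")} for alt in expression.split(" OR ")]


def check_sbom(sbom_text, blocked=("strong-copyleft", "unknown")):
    """Return {component_name: reason} for every component failing the policy.

    A component with several licence entries must satisfy each of them; within
    an entry, any one OR-alternative whose terms are all unblocked is enough."""
    sbom = json.loads(sbom_text)
    failures = {}
    for comp in sbom.get("components", []):
        entries = comp.get("licenses", [])
        if not entries:
            failures[comp["name"]] = "no licence declared"
            continue
        for entry in entries:
            alts = entry_alternatives(entry)
            if not any(all(classify(l) not in blocked for l in alt) for alt in alts):
                failures[comp["name"]] = ", ".join(
                    sorted(f"{l} ({classify(l)})" for alt in alts for l in alt))
                break
    return failures


if __name__ == "__main__":
    for name, reason in check_sbom(SBOM_JSON).items():
        print(f"BLOCKED: {name}: {reason}")
```

With the default policy the gate blocks readline (GPL-3.0-only) and the undeclared component, lets the dual-licensed library through on its MIT alternative, and allows LGPL because weak copyleft is a separate decision that depends on how the library is linked and distributed; passing `blocked=("strong-copyleft", "weak-copyleft", "unknown")` makes the gate strict. Undeclared licences are treated as failures on purpose: a component nobody can attribute is exactly what a due-diligence reviewer will stop on.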
What are the consequences of non-compliance with Annex A 5.32?
Non-compliance with intellectual property rights can result in major audit non-conformities, significant legal fines often exceeding £500,000, and the potential revocation of software service agreements. Furthermore, using unlicensed software increases the risk of malware infection by 30%, directly compromising the integrity of the ISMS.
- Unlicensed software often leads to security vulnerabilities due to a lack of official patches.
- Copyright infringement claims can cause severe reputational damage to the brand.
- Contractual breaches with clients regarding IP ownership can lead to litigation.
Can employees use personal software for business purposes under ISO 27001?
No, the use of personal software for business purposes is generally prohibited unless it is formally authorised, risk-assessed, and properly licensed for commercial use. Personal licences rarely cover “Commercial Use,” and allowing unmanaged software creates significant technical debt and security blind spots.
- Personal licences rarely cover “Commercial Use,” leading to a breach of Annex A 5.32.
- Authorisation must be documented in the software register or Acceptable Use Policy.
- Technical controls (e.g., application whitelisting) should be used to prevent unauthorised installations.
How does the EU AI Act impact Intellectual Property Rights?
The EU AI Act impacts IPR by requiring providers of high-risk AI models to document and publish summaries of the copyrighted data used for model training. In 2026, Annex A 5.32 implementation must account for these transparency obligations to ensure that AI model outputs do not inadvertently infringe upon third-party intellectual property.
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability, Confidentiality, Integrity | Identify | Legal and compliance | Governance and Ecosystem |
