In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.32 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.32 Intellectual Property Rights
ISO 27001 Annex A 5.32 is the “anti-piracy” and legal compliance control. It requires organizations to implement procedures ensuring they do not violate intellectual property laws (such as copyright or software licensing) and, conversely, that their own proprietary assets are legally protected.
Core requirements for compliance include:
- Software Asset Management (SAM): You must maintain a strict inventory of software installed on your network and match it against the licenses you own. If you have 50 users on Adobe Photoshop but only pay for 10 seats, you are non-compliant.
- Legal Source: All software must come from reputable sources. The use of “cracked,” pirated, or unauthorized key-generated software is a major non-conformity.
- Copyright Respect: This extends beyond software to content. Ensure staff understand they cannot simply take images, text, or audio from the internet for commercial use without permission.
- Open Source Governance: If you develop software, you must track open-source libraries to ensure you aren’t violating license terms (e.g., using GPL code in a proprietary product).
Audit Focus: This is often a “gotcha” control during audits. Auditors frequently perform a Spot Check: they will pick a random software application visible on an employee’s screen (e.g., WinZip, Visio, or a PDF editor) and ask: “Can you show me the invoice or license entitlement for this specific installation?”
Common Licensing Pitfalls:
| Licensing Pitfall Scenario | Compliance Failure Rationale | Recommended Corrective Action | ISO 27001:2022 Mapping |
|---|---|---|---|
| “Personal Use” Tools | Utilising free versions (e.g., TeamViewer, Malwarebytes) licensed exclusively for home or non-commercial use. | Formalise the procurement of “Commercial/Enterprise” licences for all organisational assets. | 5.32 (Intellectual property rights) |
| Expired Trials | Permitting 30-day trials to expire while retaining the software on production systems, violating end-user terms. | Establish an automated discovery and de-provisioning workflow for expired evaluation software. | 5.32 & 8.32 (Change management) |
| Font Licensing | Deploying commercial fonts on public-facing digital assets without the requisite server or web-use licensing. | Audit font libraries and ensure alignment between the licence tier (Desktop vs. Web) and the deployment environment. | 5.32 (Intellectual property rights) |
Table of contents
- What is ISO 27001 Annex A 5.32?
- What does intellectual property include?
- Watch the ISO 27001 Annex A 5.32 Tutorial
- ISO 27001 Annex A 5.32 Podcast
- ISO 27001 Annex A 5.32 Implementation Guidance
- How to implement ISO 27001 Annex A 5.32
- Licensing Checklist
- Applicability of ISO 27001 Annex A 5.32 across different business models
- Fast Track ISO 27001 Annex A 5.32 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.32 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.32?
ISO 27001 Annex A 5.32 Intellectual Property Rights is an ISO 27001 control that requires you to understand the external requirements placed on you in relation to intellectual property and to implement them. Specifically, it is concerned with the legal, regulatory, statutory and contractual requirements for intellectual property.
What is the purpose of ISO 27001 Annex A 5.32?
The purpose of ISO 27001 Annex A 5.32 Intellectual Property Rights is to ensure you comply with legal, statutory, regulatory and contractual requirements related to intellectual property.
Organisations should have a clear understanding of their obligations when it comes to intellectual property in its many forms and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex A 5.32?
The ISO 27001 standard defines ISO 27001 Annex A 5.32 as:
The organisation should implement appropriate procedures to protect intellectual property rights.
ISO 27001:2022 Annex A 5.32 Intellectual Property Rights
What does intellectual property include?
The standard includes copyright for software and documents, as well as other legal rights such as trademarks, patents and licences.
Watch the ISO 27001 Annex A 5.32 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.32 and how to pass the audit.
ISO 27001 Annex A 5.32 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.32 Intellectual Property Rights. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.32 Implementation Guidance
Annex A 5.32 requires you to understand and record the requirements on intellectual property that arise from any legal, statutory, regulatory or contractual source. You need to protect anything that might be considered intellectual property.
Intellectual property topic specific policy
Have an ISO 27001 topic-specific policy on the protection of intellectual property rights that is agreed and communicated. A prewritten topic-specific policy on intellectual property is part of the ISO 27001 Policy Pack.
Procedures for intellectual property
You will develop and implement procedures and processes that address intellectual property compliance, including the use of software. Your policy and procedures will ensure that only licensed software and products are used, and that they are used in line with the intellectual property agreements.
Software license register
It is best practice to hold a register of all the software that you have and use, and to record information about it: the type of licence, the licence expiry date, a copy of the licence, any limitations of the licence, how many copies you have purchased, how many are actually in use, and by whom.
Software use reviews
You will have the register, but you should also perform periodic reviews of what you are actually using. You want to be sure you are using licensed products and that you are not exceeding the number of licence units purchased.
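A minimal reconciliation of the register against a discovery-scan inventory, covering the checks the two sections above describe (seat counts, expiry, personal-use terms, software with no entitlement on record). This is an added example, not code from the guide or from the High Table toolkit; REGISTER and INVENTORY are constructed sample data standing in for what a SAM tool would export.

```python
# Added example (not from the guide or its toolkit): reconcile a software licence
# register against a discovery-scan inventory and raise the findings an auditor would.
# REGISTER and INVENTORY are constructed sample data; a SAM tool would supply them.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Licence:
    product: str
    seats: int                 # entitlements purchased
    expires: Optional[date]    # None for perpetual licences
    commercial_use: bool       # False for "free for personal use" terms

# Constructed register: what has actually been bought or agreed to.
REGISTER = {
    "Photoshop":  Licence("Photoshop", 10, date(2026, 12, 31), True),
    "Visio":      Licence("Visio", 1, None, True),
    "TrialPDF":   Licence("TrialPDF", 50, date(2025, 2, 1), True),   # 30-day evaluation
    "HomeRemote": Licence("HomeRemote", 0, None, False),             # personal-use EULA
}

# Constructed inventory: (hostname, product) pairs reported by a discovery scan.
INVENTORY = [
    ("ws01", "Photoshop"), ("ws02", "Photoshop"),   # within the 10 seats
    ("ws03", "Visio"), ("ws04", "Visio"),           # one seat, two installs
    ("ws05", "TrialPDF"), ("ws06", "HomeRemote"),   # expired trial; personal-use tool
    ("ws07", "UnknownZip"),                         # no entitlement on record
]

def reconcile(register, inventory, today):
    """Return (product, finding) tuples for every installation lacking a valid entitlement."""
    findings = []
    installs = Counter(product for _, product in inventory)
    for product, count in sorted(installs.items()):
        lic = register.get(product)
        if lic is None:
            findings.append((product, "not in register: no invoice or entitlement to show"))
            continue
        if not lic.commercial_use:
            findings.append((product, "personal-use terms: not licensed for business use"))
        elif count > lic.seats:
            findings.append((product, f"over-deployed: {count} installs against {lic.seats} seats"))
        if lic.expires is not None and lic.expires < today:
            findings.append((product, f"expired {lic.expires.isoformat()} but still installed"))
    return findings

def sample_findings():
    """Run the reconciliation over the constructed data as of a fixed review date."""
    return reconcile(REGISTER, INVENTORY, date(2025, 6, 1))

if __name__ == "__main__":
    for product, finding in sample_findings():
        print(f"{product}: {finding}")
```

Each finding maps directly to an item of evidence the spot check asks for: an invoice, a seat count, an in-date licence, or commercial-use terms.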
Software transfer and disposal
You will have in place processes and procedures for when you no longer use or need software or when it is transferred between users and entities.
Software Terms and Conditions
It goes without saying that you will comply with the terms and conditions of the software and products that you are using.
Copyright
You will respect the law and the copyright of others.
How to implement ISO 27001 Annex A 5.32
Implementation of ISO 27001 Annex A 5.32 ensures that an organisation protects its proprietary assets while respecting third party intellectual property rights. By establishing clear legal boundaries and technical safeguards, you mitigate the risk of licensing litigation and the loss of critical trade secrets. This action-oriented guide provides the technical workflow required to satisfy auditors and protect your organisational value.
1. Identify and Categorise Intellectual Property Assets
Perform a comprehensive audit of all proprietary and third party assets to establish a baseline for your intellectual property (IP) management.
- Audit internal repositories for proprietary source code, patents, trademarks, and sensitive design documentation.
- Maintain an Intellectual Property Register that distinguishes between company owned assets and licensed third party software.
- Classify IP assets within your Information Asset Register based on their sensitivity and impact on the business.
2. Formalise a Software License Inventory and Monitoring Process
Establish a systematic approach to tracking software entitlements to prevent the legal and security risks associated with unlicensed software.
- Provision a central register to track all commercial, proprietary, and open source software licenses used across the organisation.
- Implement automated software asset management (SAM) tools to monitor installations against license entitlements in real time.
- Establish a formal policy for the use of open source software to ensure compliance with specific Copyleft or permissive license requirements.
3. Integrate IP Ownership Clauses into Contracts
Ensure that legal protections are embedded within all personnel and supplier agreements to secure the organisation’s ownership of created works.
- Update employment contracts to include explicit clauses that assign ownership of all work created during the course of employment to the organisation.
- Review third party supplier agreements to define ownership and usage rights for any deliverables produced during the contract term.
- Execute Non Disclosure Agreements (NDAs) to protect proprietary information shared during collaborative projects or partnerships.
4. Provision Technical Controls for IP Protection
Deploy layered technical security measures to prevent the unauthorised access or exfiltration of proprietary data.
- Apply Role Based Access Control (RBAC) within your Identity and Access Management (IAM) system to restrict access to source code and design files.
- Enable Multi Factor Authentication (MFA) for all users accessing proprietary intellectual property stored in cloud environments or VPNs.
- Utilise Data Loss Prevention (DLP) tools to monitor and block the unauthorised transfer of proprietary information via email or removable media.
5. Conduct Periodic Compliance Audits of License Usage
Regularise the review of software usage to detect “Shadow IT” and ensure the organisation remains within contractual limits.
- Schedule bi-annual reviews of installed software to detect and remove unlicensed or unauthorised applications from the corporate network.
- Verify that the number of active users for SaaS and on-premise platforms does not exceed the agreed contractual license limits.
- Document audit findings in your Register of Entrants (ROE) or compliance logs to provide evidence for external ISO 27001 auditors.
6. Enforce Post Termination IP Protection Measures
Secure organisational assets during the offboarding process to ensure that proprietary information does not leave the company with departing personnel.
- Update the leaver checklist to include a formal reminder of ongoing intellectual property and confidentiality obligations.
- Revoke access to all proprietary systems, code repositories, and document management systems immediately upon personnel termination.
- Verify the return of all physical hardware and digital assets that contain proprietary information as part of the formal exit interview.
Licensing Checklist
| Item to Check | Why? | Evidence Required |
|---|---|---|
| Paid Software | Prevent piracy fines. | Invoice + licence key. |
| Open Source | Licence compliance (GPL/MIT). | Library inventory (SBOM). |
| Fonts / Images | Copyright infringement. | Stock photo receipt. |
| Freeware | “Free for Personal Use” trap. | EULA review (commercial use check). |
Applicability of ISO 27001 Annex A 5.32 across different business models
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Focuses on protecting basic commercial assets and ensuring legal use of third-party tools. The goal is to prevent legal liability from unlicensed software and ensure the business owns the work produced by its staff. | |
| Tech Startups | Critical for securing the company’s valuation, which is often tied directly to its proprietary code and trade secrets. Focus is on preventing IP leakage and managing Open Source Software (OSS) risks. | |
| AI Companies | Vital for protecting unique competitive advantages like model weights, specialized training datasets, and novel algorithms. Focus is on high-value IP that is easily portable and high-risk. | |
Fast Track ISO 27001 Annex A 5.32 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.32 (Intellectual property rights), the requirement is to implement appropriate procedures to protect intellectual property (IP) and ensure compliance with legal, statutory, regulatory, and contractual obligations regarding IP. This involves protecting your own IP (like proprietary code or designs) and ensuring you don’t infringe on others’ IP (like software licenses).
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Legal Ownership | Rents access to your legal standards; if you cancel the subscription, your documented IP rules and license history vanish. | Permanent Assets: Fully editable Word/Excel IP Policies and License Registers that you own forever. | A localized “Intellectual Property Rights Policy” defining proprietary code ownership and open-source rules. |
| Operational Utility | Attempts to “automate” license tracking via dashboards that cannot stop developers from misuse of licensed code. | Governance-First: Formalizes your existing legal workflows and asset management into an auditor-ready framework. | A completed “Software License Register” proving that all installed software is legally acquired and maintained. |
| Cost Efficiency | Charges an “Asset Tax” based on the number of legal documents or licensed items, creating perpetual overhead. | One-Off Fee: A single payment covers your IP governance for 10 licenses or 1,000. | Allocating budget to patents or trademarks rather than paying monthly “platform” fees to track them. |
| Strategic Freedom | Mandates rigid reporting formats that may not align with your specific development lifecycle or niche IP requirements. | 100% Agnostic: Procedures adapt to any environment—from software houses to service firms—without technical limits. | The ability to evolve your IP protection methods and license management without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.32, the auditor wants to see that you have a formal process for protecting intellectual property and ensuring license compliance. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.32 FAQ
What is ISO 27001 Annex A 5.32?
ISO 27001 Annex A 5.32 (previously A.18.1.2) is an organisational control that mandates the protection of intellectual property rights (IPR) to ensure compliance with legal, regulatory, and contractual obligations.
- It covers the protection of software licences, patents, trademarks, and copyrights.
- It requires organisations to prevent the use of unlicensed software and unauthorised copying of materials.
- It ensures the organisation retains ownership of intellectual property created by employees or contractors.
- It is a key component of the legal and regulatory compliance requirement of the ISMS.
Is a software licence register mandatory for ISO 27001?
Yes, maintaining an accurate and up-to-date register of all software licences is a mandatory requirement to demonstrate compliance with Annex A 5.32.
- The register must track the number of licences purchased versus the number of installations.
- Auditors will look for proof that the organisation is not using “shadow IT” or pirated software.
- It helps manage expiry dates to avoid operational disruption or legal penalties.
- Proof of purchase (invoices or digital certificates) must be readily available as audit evidence.
Does ISO 27001 cover copyright protection for internal data?
Yes, ISO 27001 requires that all proprietary information and creative works produced by the organisation are protected under relevant copyright laws.
- Employment contracts must explicitly state that IP created during work hours belongs to the employer.
- Access controls should be implemented to prevent unauthorised copying of source code or research.
- Watermarking or digital rights management (DRM) can be used as technical evidence of protection.
- Third-party NDAs should include clauses that define IP ownership and usage rights.
How does ISO 27001 address open-source software (OSS)?
ISO 27001 mandates that organisations using open-source software must comply with the specific licence terms (e.g., GPL, MIT) associated with those libraries.
- You must maintain a Software Bill of Materials (SBOM) to track open-source dependencies.
- Risk assessments should evaluate the security and legal impact of specific OSS licences.
- Usage must align with the organisation’s “Acceptable Use Policy” and legal standards.
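An added example (not code from the guide) of the SBOM licence check the answer above describes: each component's declared licence is classified against a policy for a closed-source product, so that strong-copyleft dependencies are caught before release. SBOM_JSON is a constructed CycloneDX-style fragment, and the ALLOW/REVIEW/DENY sets are assumptions that your own legal review must confirm for your product and distribution model.

```python
# Added example (not from the guide): check an SBOM's declared licences against
# a closed-source product policy. SBOM_JSON is a constructed CycloneDX-style
# fragment; the policy sets are assumptions your legal review must confirm.
import json

# Constructed SBOM using the CycloneDX component/licenses layout.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "requests", "version": "2.32.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "readline-gnu", "version": "8.2",
     "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    {"name": "libcurl", "version": "8.5.0",
     "licenses": [{"license": {"name": "curl"}}]},
    {"name": "pyside6", "version": "6.6",
     "licenses": [{"expression": "LGPL-3.0-only OR GPL-2.0-only"}]},
    {"name": "mystery-lib", "version": "0.1"}
  ]}"""

# Assumed policy for a proprietary product: permissive allowed, weak copyleft reviewed,
# strong copyleft denied because it cannot be linked into closed-source code.
ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW = {"LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
DENY = {"GPL-2.0-only", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}
SEVERITY = {"ALLOW": 0, "REVIEW": 1, "UNKNOWN": 2, "DENY": 3}

def declared_licences(component):
    """Return the SPDX ids, free-text names or expressions declared for a component."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name") or "")
    return out

def classify(licence):
    """Map a single declared licence to a policy verdict."""
    if not licence:
        return "UNKNOWN"      # nothing declared: compliance cannot be evidenced
    if any(op in licence for op in (" OR ", " AND ", " WITH ")):
        return "REVIEW"       # compound SPDX expression: needs a human decision
    for verdict, names in (("DENY", DENY), ("REVIEW", REVIEW), ("ALLOW", ALLOW)):
        if licence in names:
            return verdict
    return "UNKNOWN"          # free-text or unlisted licence: escalate to legal

def check_sbom(sbom_text):
    """Return {component name: verdict}; the most severe declared licence wins."""
    results = {}
    for comp in json.loads(sbom_text)["components"]:
        verdicts = [classify(lic) for lic in declared_licences(comp)] or ["UNKNOWN"]
        results[comp["name"]] = max(verdicts, key=SEVERITY.get)
    return results
```

Running `check_sbom(SBOM_JSON)` gives one verdict per component; anything other than ALLOW is a gap in the evidence for this FAQ item and should be resolved before the dependency ships.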
What are the consequences of non-compliance with Annex A 5.32?
Non-compliance with intellectual property rights can result in major audit non-conformities, significant legal fines, and the potential revocation of software service agreements.
- Unlicensed software often leads to security vulnerabilities due to a lack of official patches.
- Copyright infringement claims can cause severe reputational damage to the brand.
- Contractual breaches with clients regarding IP ownership can lead to litigation.
Can employees use personal software for business purposes under ISO 27001?
No, the use of personal software for business purposes is generally prohibited unless it is formally authorised, risk-assessed, and properly licensed for commercial use.
- Personal licences rarely cover “Commercial Use,” leading to a breach of Annex A 5.32.
- Authorisation must be documented in the software register or Acceptable Use Policy.
- Technical controls (e.g., application whitelisting) should be used to prevent unauthorised installations.
Related ISO 27001 Controls
ISO 27001 Clause 8.1 Operational Planning and Control
ISO 27001 Annex A 6.2 Terms and Conditions of Employment
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Legal and compliance | Governance and Ecosystem |