ISO 27001 Intellectual Property Rights
ISO 27001 Annex A 5.32 covers Intellectual Property Rights. This means you must know and follow all the rules about patents, brands, and ideas that come from outside your company. You should make sure you put these rules into action. These outside rules include laws, government rules, and any agreements you have made. The standard looks at things like the right to copy programs and papers, as well as official terms like brand names, invention rights, and permits.
Table of contents
What is ISO 27001 Annex A 5.32 ?
ISO 27001 Annex A 5.32 Intellectual Property Rights is an ISO 27001 control that wants you to understand external requirements on you from intellectual property and implement them. Specifically it is concerned with legal, regulatory, statutory and contractual requirements for intellectual property.
The standard includes copyright for software and documents as well as all legal terms such as trademarks, patents, licenses.
What is the purpose of ISO 27001 Annex 5.32?
The purpose of ISO 27001 Annex A 5.32 Intellectual Property Rights is to ensure you comply with legal, statutory, regulatory and contractual requirements related to intellectual property.
Organisations should have a clear understanding of their obligations when it comes to intellectual property in its many forms and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.32?
The ISO 27001 standard defines ISO 27001 Annex A 5.32 as:
The organisation should implement appropriate procedures to protect intellectual property rights.
ISO 27001:2022 Annex A 5.32 Intellectual Property Rights
What does intellectual property include?
The standard includes copyright for software and documents as well as all legal terms such as trademarks, patents, licenses.
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
How to implement ISO 27001 Annex 5.32
Annex A 5.32 requirements are to understand and record the requirements on intellectual property from any legal, statutory, regulatory or contractual requirements. We need to protect anything that might be considered intellectual property.
Intellectual property topic specific policy
Having an ISO 27001 topic specific policy that is agreed and communicated on the protection of intellectual property rights. A prewritten topic specific policy on intellectual property is part of the ISO 27001 Policy Pack.
Procedures for intellectual property
You will develop and implement procedures and processes that deal with the compliance of intellectual property and that includes the use of software. Your policy and procedures will ensure that only licensed software and products are used and they are used in line with the intellectual property agreements.
Software license register
It is best practice to hold a register of all the software that you have and use and to record information related to it. You will consider recording the type of license, the license expiry, holding a copy of the license, any limitations of the license, how many copies you have purchased, how many are actually used and by whom.
Software use reviews
You will have the register but you should also perform periodic reviews of what you are actually using. You want to be sure you are using licensed products and that not exceeding any license units purchased.
Software transfer and disposal
You will have in place processes and procedures for when you no longer use or need software or when it is transferred between users and entities.
Software Terms and Conditions
It goes without saying that you will comply with the terms and conditions of the software and products that you are using.
Copyright
You will respect the law and the copyright of others.
Watch the ISO 27001 Annex A 5.32 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.32 and how to pass the audit.
ISO 27001 Annex A 5.32 FAQ
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.32 Intellectual Property Rights:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that meets your external requirements for law, regulation, statute and contracts
Reduced risk: You will reduce the information security risks of not meeting external requirements and obligations
Improved compliance: Standards and regulations require you to meet your external requirements
Reputation Protection: In the event of a breach having an effective legal, regulatory, statutory and contract process in place will reduce the potential for fines and reduce the PR impact of an event
By putting in procedures and addressing intellectual property requirements we seek to ensure that the business remains compliant with any intellectual property or copyright requirement. This includes mitigating the risk that employees may breach the requirements.
Related ISO 27001 Controls
ISO 27001 Clause 8.1 Operational Planning and Control
ISO 27001 Annex A 6.2 Terms and Conditions of Employment
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability | Identify | Lega and compliance | Governance and EcoSystem |
| Confidentiality | ||||
| Integrity |
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.