Intellectual property rights is the strategic governance framework protecting proprietary innovations like source code and patents under ISO 27001. The primary implementation requirement involves formalising ownership policies and licensing controls, delivering the business benefit of legal compliance and safeguarded competitive market advantage through technical asset protection.
What is Intellectual property rights?
ISO 27001 Intellectual property rights is a set of guidelines that helps organisations protect their intellectual property (IP). This includes things like patents, trademarks, copyrights, and trade secrets. The main idea is to make sure your company has clear rules about how to keep its valuable ideas and creations safe. This control is about following the law and having good practices to prevent your special information from being used without permission. It’s a key part of making sure a company’s unique work stays its own.
Examples
- Copyrights: A software company has code that it wrote itself. The company must make sure its employees know that this code is protected by copyright law and should not be shared or copied without permission. They might use a policy that states this clearly.
- Trademarks: A business uses a special logo on its products. To protect this trademark, the business makes sure all its marketing materials and product packaging use the logo correctly. The company also tells staff not to use the logo in ways that are not approved.
- Trade Secrets: A food company has a secret recipe for its famous sauce. The company limits who knows the recipe and requires employees who do know it to sign agreements saying they will not share it.
Context
Information transfer is a key part of how businesses operate. It’s how we share ideas, complete projects, and communicate with customers. Because of its importance, it’s crucial to make sure the information is transferred safely and securely. This means protecting the information from being lost or seen by the wrong people.
How to implement Intellectual property rights
Implementing a robust framework for Intellectual Property Rights (IPR) is a fundamental requirement of ISO 27001 Annex A 5.32. This process ensures that your organisation protects its own proprietary assets while remaining compliant with third-party licences and legal obligations. As a Lead Auditor, I recommend following this 10-step technical roadmap to formalise your IPR controls, mitigate the risk of legal infringement, and satisfy rigorous audit criteria.1. Identify and Classify IPR Assets
Provision an updated Asset Register to specifically identify all intellectual property assets owned by the organisation. By categorising these assets based on their commercial value and legal sensitivity, you ensure that high-value proprietary information receives the highest level of protection. Key requirements include:
- Mapping source code, patents, trademarks, and proprietary methodologies to specific owners.
- Assigning classification labels such as “Proprietary” or “Strictly Confidential” to IP assets.
- Documenting the legal jurisdiction and expiry dates for registered trademarks and patents.
2. Formalise the Intellectual Property Policy
Formalise a comprehensive IPR policy that defines the organisation’s stance on the creation, use, and protection of intellectual property. This document acts as the legal baseline for staff and third-party contractors. Essential components include:
- Defining the ownership of work created during the course of employment.
- Establishing clear guidelines for the use of open-source software within production environments.
- Prohibiting the unauthorised duplication or distribution of copyrighted materials.
3. Update Employment and Contractor Agreements
Implement specific IPR clauses in all employment contracts and third-party service level agreements. This ensures that legal ownership of any IP generated using company resources is clearly assigned to the organisation. Requirements include:
- Including non-disclosure and non-compete clauses to prevent the exfiltration of trade secrets.
- Defining the “Rules of Engagement” (ROE) for contractors regarding the use of pre-existing IP.
- Ensuring legal review of contracts to satisfy local UK intellectual property laws.
4. Provision Secure Storage for Proprietary Assets
Provision isolated storage environments, such as encrypted Git repositories or secure cloud vaults, for all digital proprietary assets. Securing the physical and logical storage of IP prevents unauthorised tampering or theft. Technical actions include:
- Implementing hardware-level encryption for servers housing sensitive source code.
- Enforcing strict segregation of duties between development and production environments.
- Utilising tamper-evident logging for all access requests to IP-sensitive folders.
5. Enforce Access Controls and Multi-Factor Authentication
Enforce the Principle of Least Privilege (PoLP) by restricting access to IP assets to only those individuals who require it for their specific job role. Identity verification is critical for preventing unauthorised internal access. Implementation steps involve:
- Mandating Multi-Factor Authentication (MFA) for all administrative and developer accounts.
- Implementing Identity and Access Management (IAM) roles that expire after a project concludes.
- Regularly reviewing access permissions to ensure no “privilege creep” has occurred.
6. Implement Software Asset Management (SAM)
Implement a Software Asset Management (SAM) programme to track and manage third-party software licences. This ensures that the organisation does not violate copyright laws through over-deployment or unauthorised use. Technical requirements include:
- Automating the discovery of software installed across all company endpoints.
- Maintaining a central repository for all licence keys and purchase proofs.
- Setting automated alerts for licence expiry dates to prevent service interruptions.
7. Execute Third-Party IPR Due Diligence
Execute a formal risk assessment for all third-party vendors that handle or provide intellectual property. This mitigates the risk of the organisation inadvertently using infringing technology. Requirements include:
- Requesting IPR indemnity clauses in all software vendor contracts.
- Verifying the provenance of critical third-party libraries used in software development.
- Reviewing vendor security reports to ensure they protect your shared IP assets.
8. Automate Data Loss Prevention for IP
Automate Data Loss Prevention (DLP) rules to detect and block the unauthorised transmission of intellectual property. This provides a proactive barrier against accidental or malicious data exfiltration. Technical actions include:
- Configuring DLP sensors to recognise source code patterns or patent-related keywords.
- Blocking the use of unauthorised USB storage devices on workstations containing IP.
- Monitoring outgoing email traffic for large attachments containing proprietary file types.
9. Conduct Regular IPR Compliance Audits
Conduct internal audits to verify that all IPR controls are operating effectively and that licence compliance is maintained. Regular checking identifies gaps before they become legal liabilities. Audit tasks include:
- Performing a reconciliation between software licences owned and software deployed.
- Testing the effectiveness of access controls and encryption for proprietary data.
- Reporting all IPR security incidents to senior management for review.
10. Revoke Access and Retrieve Assets Post-Termination
Revoke all logical access to IP assets immediately upon the termination of an employee or contractor contract. Prompt removal of access is essential to prevent post-employment data theft. Necessary steps are:
- Implementing automated offboarding workflows within the IAM platform.
- Retrieving all physical assets, such as laptops and encrypted drives, that contain IP.
- Reminding the departing individual of their ongoing legal obligations under the IPR policy.
Intellectual property rights FAQ
What are Intellectual Property Rights (IPR) in ISO 27001?
Intellectual Property Rights (IPR) in ISO 27001 refer to the legal protections for organisational creations, such as source code, patents, and trademarks. Annex A 5.32 requires 100% compliance with legislative and contractual requirements to prevent legal liabilities that can cost organisations upwards of £500,000 in infringement penalties.
How does ISO 27001 ensure the protection of Intellectual Property?
ISO 27001 protects IPR by mandating a formalised policy, secure storage for proprietary assets, and strict licence management. Organisations must implement the following controls to maintain 100% audit readiness:
- Access Control: Restricting proprietary source code access to authorised developers only via MFA.
- Licence Tracking: Maintaining a Software Asset Management (SAM) programme to avoid over-deployment.
- Contractual Safeguards: Including IPR ownership clauses in 100% of employment and contractor agreements.
- Technical Measures: Using Data Loss Prevention (DLP) to block unauthorised exfiltration of trade secrets.
Why is IPR compliance critical for an ISO 27001 audit?
IPR compliance is critical because it mitigates legal risks and protects the commercial value of organisational innovation. Failure to manage IPR often results in major non-conformities during a Stage 2 audit, as 85% of modern business value is now tied to intangible intellectual assets rather than physical property.
What are the consequences of an Intellectual Property Rights breach?
The consequences of an IPR breach include severe financial penalties, permanent loss of competitive advantage, and potential criminal prosecution. Beyond legal fees, which average £150,000 for copyright disputes, a breach can result in the revocation of a company’s “Right to Practice” or “Right to Sell” in specific jurisdictions.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to intellectual property rights:
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 5.32: Intellectual Property Rights | Core Requirement: The primary control that mandates organizations to implement procedures to protect intellectual property in accordance with legal, statutory, regulatory, and contractual requirements. |
| ISO 27001 Annex A 5.31: Legal and Regulatory Requirements | Legal Framework: IPR protection is a specific legal obligation. This control ensures the organization identifies the specific laws (Copyright, Patent, Trademark) it must comply with. |
| ISO 27001 Annex A 5.12: Classification of Information | Asset Identification: Trade secrets and proprietary code must be classified (e.g., as “Highly Confidential”) to ensure they receive the high level of protection required for IP. |
| ISO 27001 Annex A 5.10: Acceptable Use | Operational Rule: Policies must explicitly define how employees can use company IP and prohibit the unauthorized copying or distribution of proprietary software or documents. |
| ISO 27001 Annex A 6.6: Confidentiality or Non-disclosure Agreements (NDAs) | Contractual Protection: NDAs are a primary tool used to protect trade secrets and IP when sharing information with employees, contractors, or third parties. |
| Glossary: Confidentiality | Security Objective: Protecting the “Confidentiality” of trade secrets is essential to maintaining a company’s competitive advantage and the value of its intellectual property. |
| Glossary: Compliance | Regulatory Goal: Ensuring the organization does not infringe on the IPR of others (e.g., through unlicensed software) is a key part of the overall compliance framework. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Intellectual Property Rights is categorized as a vital legal and asset protection term. |
About the author
