The ISO 27001 Intellectual Property Rights Policy sets out how you manage intellectual property rights to protect the confidentiality, integrity and availability of data.
Table of contents
- What is it
- Applicability to small business, tech startups and AI companies
- Why you need it
- When you need it
- Who needs it
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small business
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Intellectual Property Rights Policy FAQ
What is it
An ISO 27001 Intellectual Property (IP) Rights Policy is a rulebook that tells everyone in your company how to handle and protect your valuable ideas. It’s part of a bigger system called ISO 27001, which is all about keeping your information secure. This policy makes sure your secret sauce—things like code, designs, and business plans—stays safe and sound.
Applicability to small business, tech startups and AI companies
This policy is a lifesaver for all kinds of businesses, no matter their size.
- Small Businesses: You’ve worked hard to create something unique. This policy helps you protect your brand, customer lists, and innovative products from being copied or stolen.
- Tech Startups: Your whole business is built on intellectual property! This policy is crucial for protecting your code, software, and unique algorithms. It shows investors and clients that you take security seriously.
- AI Companies: Your AI models, training data, and algorithms are your most valuable assets. This policy ensures that this data and the resulting technology are protected from unauthorised use and leaks.
Why you need it
You need this policy to:
- Protect your assets: It keeps your unique ideas, inventions, and confidential information safe from competitors or former employees.
- Boost client trust: When clients see you have this policy, they know you’re serious about protecting their data and your own. This can give you a competitive edge.
- Meet legal requirements: In some cases, having a policy like this is a legal or contractual requirement. It helps you stay compliant and avoid potential lawsuits.
When you need it
You should create this policy as soon as your company starts creating anything of value, like new software, designs, or marketing plans. The sooner you have it in place, the better protected you’ll be. It’s always easier to prevent a problem than to fix one later.
Who needs it
Everyone in your company who handles your valuable information needs to know about this policy. This includes:
- Employees: They need to know what they can and can’t do with company data.
- Contractors: Anyone you hire temporarily needs to understand the rules.
- Partners: Business partners must also agree to protect your IP.
- Management: They’re responsible for making sure the policy is followed and enforced.
Where you need it
The policy should be a formal document that you can share easily. You should keep it in a secure, central location, like your company’s internal shared drive or an employee handbook portal. This way, everyone can access it whenever they need to.
How to write it
Writing the policy is all about being clear and direct.
- Define IP: First, explain what intellectual property means for your company.
- State the rules: Clearly outline the do’s and don’ts for handling company IP.
- Explain ownership: Make it clear that the company owns any IP created by employees while they’re working for you.
- Mention consequences: Let people know what happens if they don’t follow the rules.
- Review and update: Your policy should be a living document. Review it regularly to make sure it’s still relevant.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Intellectual Property Rights Policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Write the ISO 27001 Intellectual Property Rights Policy contents page
Document Contents Page
Intellectual Property Rights Policy
Purpose
Scope
Principles
Software Licensing
Software License Assets Register
Software Risk Management
Cloud Service Supplier Selection
Changes to Software
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
- Write the ISO 27001 Intellectual Property Rights Policy purpose
The purpose of this policy is to protect intellectual property rights.
- Write the ISO 27001 Intellectual Property Rights Policy principle
Use of proprietary products is in full compliance with legal, statutory, regulatory, and contractual requirements.
- Write the ISO 27001 Intellectual Property Rights Policy scope
All employees and third-party users.
- Describe the approach to software licensing
Software used by the organisation is acquired through official channels and, where a purchase is required to use the software, evidence of a valid license is retained.
Software is used in line with the licensing agreement.
A software license register is maintained.
Software license reviews are conducted at least annually or after significant change.
Software patching levels are maintained in line with manufacturer recommendations.
Only software that is supported by the manufacturer is to be used.
Software is only installed by authorised, assigned persons.
- Explain the software license asset register
All software is registered and recorded in the Software License Assets Register.
The following is captured as a minimum:
Software Name
Software Version
Person Responsible
Whether the software is free or paid
Number of licenses purchased
Number of licenses in use
Location of the actual license
Where the software is deployed
The last review dates
The next review dates
Who conducted the review
- Set out the approach to software risk management
Software is assessed for the information security risk it poses to the organisation before it is acquired and used.
- Explain the cloud service selection criteria
Software selected is based on its ability to meet the needs of the business.
- Describe the approach to changes to software
Changes to the Software used will follow the Change Management Policy and Change Management Process.
Changes to existing software usage are significant changes and are not to be taken lightly; they require a properly resourced project with the associated risk management and project management.
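The licensing rules and the register fields above are only useful if someone actually checks the register against them. As an added example (not part of the original article or the toolkit), the script below loads a Software License Assets Register in CSV form with one column per minimum field, plus an assumed extra column, vendor_supported, to record the "only supported software" rule, and reports every row that breaks a policy statement: no license evidence retained for paid software, more licenses in use than purchased, a review more than a year old or past its scheduled date, and software the manufacturer no longer supports. The register rows are constructed sample data.

```python
"""Compliance measurement over a Software License Assets Register.

Added example: the columns mirror the minimum fields the policy lists;
'vendor_supported' is an extra column assumed here. Rows are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register (not real inventory data).
SAMPLE_REGISTER = """\
software_name,version,person_responsible,free_or_paid,licenses_purchased,licenses_in_use,license_location,deployed_where,last_review,next_review,reviewed_by,vendor_supported
AcmeOffice,2023.1,j.doe,paid,25,27,vault/licenses/acmeoffice.pdf,laptops,2024-01-15,2025-01-15,j.doe,yes
LibreTool,7.6,a.lee,free,0,40,,laptops,2024-06-01,2025-06-01,a.lee,yes
OldDB,9.2,m.khan,paid,5,3,vault/licenses/olddb.txt,db-server-01,2023-03-10,2024-03-10,m.khan,no
DesignSuite,4.0,s.park,paid,10,10,,design-workstations,2024-09-01,2025-09-01,s.park,yes
"""

REVIEW_INTERVAL = timedelta(days=365)  # "at least annually"


def parse_register(text):
    """Parse the CSV register into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["licenses_purchased"] = int(row["licenses_purchased"])
        row["licenses_in_use"] = int(row["licenses_in_use"])
        row["last_review"] = date.fromisoformat(row["last_review"])
        row["next_review"] = date.fromisoformat(row["next_review"])
        rows.append(row)
    return rows


def check_register(rows, today):
    """Return (software_name, finding) tuples for each policy deviation."""
    findings = []
    for r in rows:
        name = r["software_name"]
        paid = r["free_or_paid"].strip().lower() == "paid"
        # Paid software: evidence of a valid license must be retained.
        if paid and not r["license_location"].strip():
            findings.append((name, "no license evidence recorded"))
        # Usage must stay within the licensing agreement.
        if paid and r["licenses_in_use"] > r["licenses_purchased"]:
            over = r["licenses_in_use"] - r["licenses_purchased"]
            findings.append((name, f"over-deployed by {over} license(s)"))
        # Reviews at least annually: scheduled date passed, or last review too old.
        if r["next_review"] < today or today - r["last_review"] > REVIEW_INTERVAL:
            findings.append((name, "license review overdue"))
        # Only manufacturer-supported software is to be used (assumed column).
        if r["vendor_supported"].strip().lower() != "yes":
            findings.append((name, "vendor support ended"))
    return findings


def run(today_iso="2025-03-01"):
    """Check the sample register as of the given date (fixed for repeatability)."""
    return check_register(parse_register(SAMPLE_REGISTER), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, finding in run():
        print(f"{name}: {finding}")
```

Both review conditions are combined into one finding per row so an entry that is both past its next review date and more than a year since its last review is reported once. Swapping SAMPLE_REGISTER for the contents of the real register file and the fixed date for date.today() turns this into the evidence a "Compliance Measurement" section can point to at each annual review.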
How to implement it
Putting the policy into practice is key.
- Communicate: Announce the new policy to everyone in the company.
- Train: Provide training so people understand the policy and why it’s important.
- Require agreement: Have everyone sign an agreement saying they’ve read and understood the policy.
- Enforce: Make sure you actually follow through on the rules. If someone breaks them, you need to act on it.
Examples of using it for small business
Imagine you run a small online store. Your IP policy would cover things like:
- The unique product descriptions and photos you’ve written.
- Your customer email list.
- The special branding and logo you’ve created.
It would ensure your employees don’t copy your product descriptions to sell on their own sites.
Examples of using it for tech startups
For a tech startup, the policy would focus on:
- Source code: How your developers handle the code for your app.
- Algorithms: Protecting the unique way your software works.
- User data: Making sure customer information is handled securely and not leaked.
It would specify that all code written on company time belongs to the company, not the employee.
Examples of using it for AI companies
An AI company’s policy would be very specific about:
- Training data: How to handle and protect the datasets used to train your AI models.
- Proprietary models: Ensuring your unique AI models and algorithms aren’t stolen.
- Research notes: Protecting the intellectual work of your data scientists.
It would prevent an employee from taking a copy of your trained model with them when they leave.
How the ISO 27001 toolkit can help
The ISO 27001 toolkit is like a shortcut to compliance. It includes pre-written templates and guides that help you quickly create your IP policy and other security documents. Using a toolkit saves you from reinventing the wheel and ensures your policy meets the standards.
Information security standards that need it
ISO 27001 is the big one! It’s the international standard for managing information security. To get certified, you need to show you have a policy like this in place to protect your valuable information, including IP.
List of relevant ISO 27001:2022 controls
The ISO 27001 standard has specific “controls” that relate to this policy. Here is the most important one:
ISO 27001:2022 Annex A 5.32 Intellectual property rights
ISO 27001 Intellectual Property Rights Policy FAQ
IP is a broader term for creations of the mind. Confidential information is a type of IP that isn’t publicly known, like a trade secret.
Yes, absolutely! You should have contractors sign an agreement that includes the terms of your IP policy.
Generally, if it’s not related to their work, it’s their IP. But the policy should clarify this to avoid confusion.
You should review it at least once a year, or whenever you make a major change to your business or technology.
No, a verbal agreement is hard to prove. Always get a signed, written agreement.
Consequences can range from disciplinary action to termination, or even legal action. The policy should state this clearly.
The policy helps protect the information and inventions that could lead to a patent, but you still need to file for the patent itself.
No, the policy makes it clear that work created for the company belongs to the company.
Your policy should have a section on open-source, outlining the rules for its use to avoid licensing conflicts.
It’s a good idea to have a lawyer review the policy to make sure it’s legally sound and enforceable.
It sets rules for how to handle sensitive data, which reduces the risk of it being leaked or stolen.
This policy is a key part of the documentation and controls required for ISO 27001 certification.
It’s a great idea to include it there so it’s easily accessible and part of the official company rules.
An NDA is a separate agreement that protects confidential information. Your IP policy often works alongside NDAs.
No, copyright is one type of IP. This policy covers all types of IP, including trademarks and trade secrets.