ISO 27001:2022 A.5.32 Intellectual property rights

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.5.32, Intellectual property rights.

ISO 27001:2022 Control Description

The organisation shall implement appropriate procedures to protect intellectual property rights.

Purpose

To ensure compliance with legal, statutory, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary products.

Guidance on implementation

The following guidelines (which mirror the implementation guidance for control 5.32 in ISO/IEC 27002:2022) should be considered to protect any material that can be regarded as intellectual property:

a) defining and communicating a policy specifically focused on the protection of intellectual property rights;

b) publishing procedures for intellectual property rights compliance that define the compliant use of software and information products;

c) acquiring software only from known and reputable sources to ensure that copyright is not infringed;

d) maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;

e) maintaining proof and evidence of ownership of licences, manuals, etc.;

f) ensuring that any maximum number of users or resources (e.g. central processing units, CPUs) permitted within the licence is not exceeded;

g) carrying out reviews to ensure that only authorised software and licensed products are installed;

h) providing procedures for maintaining appropriate licence conditions;

i) providing procedures for disposing of or transferring software to others;

j) complying with the terms and conditions for software and information obtained from public networks and outside sources;

k) not duplicating, converting to another format, or extracting from commercial recordings (video, audio) other than as permitted by copyright law or the applicable licences;

l) not copying, in full or in part, standards (e.g. ISO/IEC International Standards), books, articles, reports, or other documents, except as permitted by copyright law or the applicable licences.
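Items d) to h) describe a review that can be partly automated: reconcile the asset and licence register against what is actually installed, and flag software with no licence record, licences with no proof of ownership, expired licences, and licences whose user or CPU limit is exceeded. The script below is an added example written for this article, not code from the original page or from ISO; the register, inventory, product names, dates and field names are all constructed assumptions for illustration.

```python
"""Licence compliance review: register vs. installed-software inventory (A.5.32 d-h).

All data below is constructed for the example; field and product names are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed licence register (items d and e): what the organisation may use,
# the metric the licence is counted in, and the evidence of ownership.
LICENCE_REGISTER = [
    {"product": "AcmeCAD", "metric": "user", "limit": 10,
     "proof": "INV-2023-0412", "expires": date(2026, 12, 31)},
    {"product": "DBServer Pro", "metric": "cpu", "limit": 8,
     "proof": "INV-2024-0098", "expires": date(2025, 6, 30)},
    {"product": "OfficeSuite", "metric": "user", "limit": 50,
     "proof": None, "expires": None},  # perpetual licence, but no invoice on file
]

# Constructed installed-software inventory, as a discovery agent might report it.
INVENTORY = [
    {"host": "ws-01", "product": "AcmeCAD", "users": ["alice", "bob"], "cpus": 4},
    {"host": "ws-02", "product": "AcmeCAD", "users": ["carol"], "cpus": 4},
    {"host": "db-01", "product": "DBServer Pro", "users": [], "cpus": 16},
    {"host": "ws-01", "product": "OfficeSuite", "users": ["alice"], "cpus": 4},
    {"host": "ws-03", "product": "TorrentTool", "users": ["dave"], "cpus": 2},
]

# Date the review is run against (assumed, so expiry checks are reproducible).
REVIEW_DATE = date(2025, 9, 1)


def review_licences(register, inventory, today):
    """Return findings in four categories, each a sorted list of strings."""
    findings = {"unauthorised": [], "no_proof": [], "expired": [], "over_limit": []}
    by_product = {lic["product"]: lic for lic in register}

    # Aggregate usage per product across all hosts: named users are counted
    # once each (a user on two machines is one seat); CPUs are summed per host.
    users = defaultdict(set)
    cpus = defaultdict(int)
    for entry in inventory:
        prod = entry["product"]
        if prod not in by_product:
            # Item g: installed software with no licence record at all.
            findings["unauthorised"].append(f"{prod} on {entry['host']}")
            continue
        users[prod].update(entry["users"])
        cpus[prod] += entry["cpus"]

    for prod, lic in by_product.items():
        if lic["proof"] is None:
            findings["no_proof"].append(prod)  # item e: no evidence of ownership
        if lic["expires"] is not None and lic["expires"] < today:
            findings["expired"].append(prod)  # item h: licence conditions lapsed
        usage = len(users[prod]) if lic["metric"] == "user" else cpus[prod]
        if usage > lic["limit"]:
            # Item f: permitted number of users or CPUs exceeded.
            findings["over_limit"].append(
                f"{prod}: {usage} {lic['metric']}s used, licence allows {lic['limit']}"
            )

    return {k: sorted(v) for k, v in findings.items()}


def run_review():
    """Run the review over the constructed data with the fixed review date."""
    return review_licences(LICENCE_REGISTER, INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items if items else 'none'}")
```

In a real deployment the two inputs would come from the asset register (item d) and a software-inventory tool; the point of the reconciliation is that every finding maps back to one of the guidance items, which is what an auditor will ask to see.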

Other Information

Intellectual property rights include software or document copyright, design rights, trademarks, patents, and source code licences.

Proprietary software products are usually supplied under a licence agreement that specifies the terms and conditions, such as limiting the use of the products to specified machines or limiting copying to the creation of backup copies only.

Data can be acquired from outside sources, often under the terms of a data-sharing agreement or similar legal instrument. Such agreements should clarify the permitted processing of the acquired data, and it is advisable to clearly state the provenance of the data.

Legal, statutory, regulatory, and contractual requirements may impose restrictions on the copying of proprietary material. In particular, they may require that only material developed by the organisation, or material licensed or provided to the organisation by its developer, can be used. Copyright infringement can lead to legal action, including fines and criminal proceedings.

Beyond the organisation’s need to comply with its obligations regarding third-party intellectual property rights, there are also risks associated with personnel and third parties failing to uphold the organisation’s own intellectual property rights.