Annex A · Organisational Control

A.5.32 — Intellectual Property Rights

4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.32 · ISO 27001 · ISO 27002 · BSI ORP.5

A software audit by a major vendor reveals that the organisation runs 200 installations of a product for which it purchased only 50 licences. The resulting back-licence fee and penalty exceed EUR 300,000. Meanwhile, the development team has integrated an open-source library released under a copyleft licence into a proprietary product without noticing the obligation to release the product's source code. A.5.32 addresses both scenarios by requiring systematic management of intellectual property rights.

Intellectual property compliance is often treated as a legal afterthought. In practice, IP violations can result in significant financial penalties, forced product withdrawals and reputational damage. This control ensures that the organisation knows what IP it uses, under what terms and whether it is in compliance.

What does the standard require?

  • Establish IP procedures. The organisation must define and implement procedures for protecting intellectual property rights, covering both IP it owns and IP it uses under licence.
  • Maintain a licence register. All software and other licensed products must be tracked with their licence terms, permitted usage, number of licences, expiry dates and proof of ownership (invoices, licence keys, master media), so that the organisation can demonstrate entitlement during a vendor audit.
  • Acquire software legally. Software must be obtained through legitimate channels. The organisation must have controls to prevent the installation of unlicensed software.
  • Comply with licence terms. Usage must stay within the boundaries defined by the licence — number of installations, permitted use cases, distribution rights and attribution requirements.
  • Protect own IP. The organisation must also protect its own intellectual property — source code, designs, proprietary data — through appropriate access controls, NDAs and contractual clauses.

In practice

Conduct a licence inventory. Start by cataloguing all software in use: commercial, open-source and internally developed. For each product, record the licence type, permitted usage, number of licences purchased, number of installations and the next renewal or review date. Take the installation count from an automated endpoint or asset inventory rather than from self-reporting; a register that relies on people remembering what they installed is exactly what a vendor audit, as in the opening scenario, will contradict.

Manage open-source dependencies. Maintain a software bill of materials (SBOM) for all products the organisation develops or distributes, generated from the build itself and including transitive dependencies, since copyleft components usually arrive indirectly through another library rather than by a deliberate choice. Track the licence type for each component and verify that licence obligations (attribution, copyleft, patent clauses) are met. Automated tools (e.g. FOSSA, Snyk, Black Duck) can scan codebases for open-source components and their licences.
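To make the open-source part concrete, here is an added example (written for this page; it is not code from FOSSA, Snyk, Black Duck or any other tool) that evaluates a CycloneDX SBOM against a simple licence policy for a proprietary product. The SBOM, its component names and versions, and the three policy buckets are constructed for the illustration; the SPDX identifiers and the CycloneDX `licenses` field layout are real. What it shows that the paragraph does not: licence data arrives as SPDX expressions, and `A OR B` is a choice the organisation gets to make while `A AND B` stacks obligations, so a checker has to parse the expression rather than string-match on "GPL".

```python
import json
import re
import sys
from collections import deque

# Policy buckets keyed by SPDX identifiers. Assumption: the product is proprietary and
# every component is linked into the shipped artefact; extend the sets to your policy.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "0BSD", "Unlicense"}
LINKING_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception", "GCC-exception-3.1"}
RANK = {"allowed": 0, "review": 1, "blocked": 2}          # higher = more restrictive

def classify(spdx_id, exception=None):
    """Map one SPDX id (optionally WITH an exception) to allowed / review / blocked."""
    if spdx_id in PERMISSIVE:
        return "allowed"                                  # attribution is still owed
    if spdx_id in WEAK_COPYLEFT:
        return "review"                                   # OK if dynamically linked, unmodified
    if spdx_id in STRONG_COPYLEFT:
        return "review" if exception in LINKING_EXCEPTIONS else "blocked"
    return "blocked"                                      # unknown id, EULA text, NOASSERTION

class _SpdxParser:  # recursive descent: OR keeps the least restrictive branch, AND the most
    def __init__(self, expr):
        self.toks = deque(re.findall(r"\(|\)|[^\s()]+", expr) + [None])   # None = end of input

    def expr(self):                                       # expr := term ("OR" term)*
        best = self.term()
        while (self.toks[0] or "").upper() == "OR":
            self.toks.popleft()
            alt = self.term()
            best = alt if RANK[alt[0]] < RANK[best[0]] else best
        return best

    def term(self):                                       # term := factor ("AND" factor)*
        verdict, ids = self.factor()
        while (self.toks[0] or "").upper() == "AND":
            self.toks.popleft()
            v2, ids2 = self.factor()
            verdict, ids = (v2 if RANK[v2] > RANK[verdict] else verdict), ids + ids2
        return verdict, ids

    def factor(self):                                     # factor := "(" expr ")" | ID [WITH EXC]
        tok = self.toks.popleft()
        if tok == "(":
            inner = self.expr()
            if self.toks.popleft() != ")":
                raise ValueError("unbalanced parentheses in SPDX expression")
            return inner
        if tok is None or tok.upper() in ("AND", "OR", "WITH", ")"):
            raise ValueError("malformed SPDX expression")
        exception = None
        if (self.toks[0] or "").upper() == "WITH":
            self.toks.popleft()
            exception = self.toks.popleft()
        return classify(tok, exception), [f"{tok} WITH {exception}" if exception else tok]

def evaluate_expression(expr):
    """Return (verdict, licence ids the verdict rests on) for one SPDX expression."""
    parser = _SpdxParser(expr)
    result = parser.expr()
    if parser.toks[0] is not None:
        raise ValueError("trailing tokens in SPDX expression")
    return result

def component_expression(component):
    """Fold a CycloneDX 'licenses' array into one SPDX expression (assumption: AND; none = NOASSERTION)."""
    parts = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            parts.append(f"({entry['expression']})")
        elif "license" in entry:                          # 'id' is SPDX, 'name' is free text
            lic = entry["license"]
            parts.append(lic.get("id") or "UNMAPPED:" + lic.get("name", "?").replace(" ", "_"))
    return " AND ".join(parts) if parts else "NOASSERTION"

def check_sbom(sbom):
    findings = []
    for comp in sbom.get("components", []):
        expr = component_expression(comp)
        verdict, basis = evaluate_expression(expr)
        findings.append({"name": comp.get("name"), "version": comp.get("version"),
                         "expression": expr, "verdict": verdict, "basis": basis})
    return findings

def summarise(findings):
    return {v: sum(f["verdict"] == v for f in findings) for v in RANK}

SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [  # constructed; names invented
    {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "readline-shim", "version": "8.2.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "dual-json", "version": "2.0.0", "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    {"name": "jni-runtime", "version": "17.0.2", "licenses": [{"expression": "GPL-2.0-only WITH Classpath-exception-2.0"}]},
    {"name": "crypto-util", "version": "0.9.4", "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
    {"name": "orphan-lib", "version": "0.0.1"},
    {"name": "vendor-sdk", "version": "5.1", "licenses": [{"license": {"name": "Acme Proprietary EULA"}}]},
]}

if __name__ == "__main__":                                # usage: python sbom_policy.py [sbom.json]
    report = check_sbom(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM)
    print(json.dumps({"summary": summarise(report), "findings": report}, indent=1))
    sys.exit(1 if summarise(report)["blocked"] else 0)    # fail the pipeline on any blocked component
```

Run it without arguments to see the constructed SBOM evaluated (two allowed, two for review, three blocked), or pass a CycloneDX JSON file exported from your build; the non-zero exit status lets a CI job fail as soon as a blocked component appears. A missing licence entry and a vendor EULA given only as free text are both blocked on purpose: "we do not know" is not a compliant state. Verdicts of "review" (LGPL, or GPL with a linking exception) still need a human decision about how the component is linked, which the SBOM alone does not record.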

Include IP clauses in contracts. Employment contracts, contractor agreements and supplier contracts should clearly define IP ownership, usage rights and confidentiality obligations. Ambiguity in IP ownership is a common source of disputes, especially for software developed by contractors.

Educate employees. Staff must understand that downloading unlicensed software, copying proprietary materials or using copyrighted content without permission creates legal liability for the organisation. Include IP awareness in onboarding and periodic security training.

Typical audit evidence

Auditors typically expect the following evidence for A.5.32:

  • Software licence register — central inventory of all software with licence types, quantities and usage
  • Open-source policy and SBOM — procedures for managing open-source components and a current bill of materials
  • IP protection procedures — documented approach for protecting the organisation’s own intellectual property
  • Contract clauses — examples of IP ownership and confidentiality clauses in employment and supplier contracts
  • Training records — evidence that employees have been trained on IP compliance requirements

KPI

% of intellectual property assets with documented protection measures

This KPI measures whether the organisation knows what IP it holds and uses, and whether appropriate protection is in place. Track the percentage of identified IP assets (software, designs, proprietary data) with a documented protection measure (licence tracking, access control, NDA, patent filing). Target: 100%.

Supplementary KPIs:

  • Percentage of software installations covered by a valid licence
  • Number of open-source licence compliance violations detected and resolved
  • Time from licence expiry notification to renewal or decommissioning

BSI IT-Grundschutz

A.5.32 maps to the BSI requirements for compliance and application security:

  • ORP.5 (Compliance management) — requires identification and tracking of legal and contractual obligations, including IP rights.
  • APP.3.2.A7 (Web application protection) — addresses licensing and IP considerations for web applications.
  • APP.6.A9 (Software licensing) — specifically covers the management of software licences and compliance with licence terms.

A.5.32 thereby connects IP management to the organisation's broader compliance framework.

Frequently asked questions

What types of intellectual property does A.5.32 cover?

Software licences, copyrights, patents, trademarks, trade secrets, database rights and design rights. In practice, software licensing compliance is the most common area where organisations face audit findings, but the control extends to all forms of IP that the organisation uses or produces.

How does A.5.32 relate to open-source software?

Open-source licences are still licences. They impose conditions (attribution, copyleft, patent grants) that the organisation must comply with. Maintaining a software bill of materials (SBOM) and tracking the licence type for each component is essential, especially for organisations that distribute software products.

Who is responsible for IP compliance?

Responsibility is typically shared. Legal counsel advises on IP law and contract terms. IT manages software licence compliance. Procurement ensures that supplier contracts address IP ownership. The CISO coordinates the overall framework. A.5.32 requires that roles and procedures are clearly defined.