This ISO27001 control is closely related to Annex A control A5.31 - Identification of legal, statutory, regulatory and contractual requirements, where you identified the contractual requirements placed upon your business.
Undoubtedly, the topic of intellectual property (IP) will be mentioned there, but in this control you are specifically required to implement controls to protect IP: both your own and that of others.
What does the standard require?
The standard states that “The organisation shall implement appropriate procedures to protect intellectual property rights.” (A5.32 – Intellectual property rights).
Why is this required?
Businesses like yours invest significant time and money in developing products and services that need to be protected. After all, you wouldn’t want your employees walking away with your products, and taking all your great ideas, would you?! What you develop becomes highly valuable, and this can include software, hardware, creative ideas, and data.
If you don’t protect these things then this could lead to financial losses, reputational damage and a loss of competitive advantage.
We worked with a client who had developed a new software platform, which included ground-breaking techniques that could revolutionise the way their industry worked. Unfortunately, one of their developers was looking for some support with code they were working on. To shortcut the process, they uploaded some of the code to an online forum. Another coder, working for a competitor, saw this and alerted the business.
The competitor announced an early prototype of a similar tool, and the company immediately lost its competitive advantage.
What the auditor is looking for
The auditor will want to see that your legal register references the protection of IP directly, or indirectly. They will also expect to see IP mentioned in your contracts with suppliers and with employees and contractors.
You can also demonstrate compliance with this control by showing that you have conducted software audits, to ensure that you comply with the IP requirements of your suppliers. For example, do you have the correct number of software licences for the number of people in your business? Or are people sharing access codes in order to cut costs?
What do you need to do?
To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products you need to ensure your legal register is updated with those contracts which specifically speak of IP.
You should also update your Information Classification scheme, which you can learn more about in Annex A control A5.12 – Classification of information, and outline how IP must be treated. For example, information classified as IP must be treated as Confidential, and therefore must not be shared externally (e.g. in public places), without due care and protection.
Think about how you protect your IP. It is more valuable than you might imagine. Speak to your Management Review Team (MRT) about what is classified as IP in your business, and then look at who has access to it. Restrict this access on a ‘need to know’ basis, and then educate your business on this topic and explain what is and isn’t acceptable. You should then update your Acceptable Use Policy with this information. You can read more about the Acceptable Use Policy in Annex A control A5.10 - Acceptable use of information and other associated assets.
To further support this control, conduct a software audit to ensure that you have the correct kind and number of licences, and don’t exceed the number of licences you have purchased.
It’s important to remember that IP is closely related to copyright laws, so carefully consider how you use other people's IP. For example, we see many people creating presentations and promotional materials with images they’ve copied from the internet. But some of these images are covered by copyright laws, and they are someone else's IP. Do you have the licence to use that image in your presentations or on your website?
Q & A
What types of IP are there?
You should consider software copyrights, patents, trademarks, designs, source code licences, creative ideas, and data as IP. Data can be classified as IP, as it takes a long time to put together. IP is a catch-all term, as it can clearly be anything which took time to develop. For example, your customer base is IP, as are the prices they pay for your products and services.
For example, would releasing the cost of producing your products negatively affect your business? It most likely would and would certainly be a competitive advantage to your competition, as they might look to undercut your offering.
Difficulty rating
We rate this a 2 out of 5 difficulty rating. This control requires no real technical skill, but as with Annex A control A5.31, it requires you to review contracts and relevant laws to understand what is required. It also requires that you review other topics, such as your Acceptable Use Policy (A5.10) and Access Control (A5.15), so it can get a little confusing. However, if you approach it systematically, you won’t go far wrong.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.