ISO 27001:2022 A 5.32 Intellectual property rights

According to ISO, intellectual property rights are defined as “legal rights associated with intellectual property”, and intellectual property is defined as the “result of intellectual activities that is eligible for protection by law”. Intellectual property rights include copyright and related rights, trademarks, geographical indications, industrial design rights, patents, layout-designs (topographies) of integrated circuits and the protection of undisclosed information. Intellectual property can include inventions, scientific discoveries, literary, scientific or artistic works, symbols, designs, names and images used in commerce, industrial designs, performances, recordings, broadcasts and other creative and industrial works. This control describes the steps organisations need to take to ensure compliance with intellectual property (IP) rights, including when using proprietary software purchased, subscribed to, or leased from a third party. It focuses more on the organisation's obligations towards third parties whose intellectual property rights are covered by licence agreements, data sharing agreements, etc., than on its own position as an IP holder. It is a preventive control that manages risk by enforcing procedures that keep the business compliant with any prevailing IP or copyright requirements, including mitigating the risk that employees will not adhere to their own obligations. “Legal, statutory, regulatory or contractual” agreements often place restrictions on the use of proprietary software, including restrictions on copying, extracting, or reverse-engineering the source code.

Control

The organization should implement appropriate procedures to protect intellectual property rights.

Purpose

To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.

ISO 27002 Implementation Guidance

The following guidelines should be considered to protect any material that can be considered intellectual property:
a) defining and communicating a topic-specific policy on protection of intellectual property rights;
b) publishing procedures for intellectual property rights compliance that define compliant use of software and information products;
c) acquiring software only through known and reputable sources, to ensure that copyright is not infringed upon;
d) maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;
e) maintaining proof and evidence of ownership of licences, manuals, etc.;
f) ensuring that any maximum number of users or resources [e.g. central processing units (CPUs)] permitted within the licence is not exceeded;
g) carrying out reviews to ensure that only authorized software and licensed products are installed;
h) providing procedures for maintaining appropriate licence conditions;
i) providing procedures for disposing of or transferring software to others;
j) complying with terms and conditions for software and information obtained from public networks and outside sources;
k) not duplicating, converting to another format or extracting from commercial recordings (video, audio) other than permitted by copyright law or the applicable licences;
l) not copying, in full or in part, standards (e.g. ISO/IEC International Standards), books, articles, reports or other documents, other than permitted by copyright law or the applicable licences.

Other information

Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences. Proprietary software products are usually supplied under a licence agreement that specifies licence terms and conditions, for example, limiting the use of the products to specified machines or limiting copying to the creation of backup copies only. See the ISO/IEC 19770 series for details about IT asset management.
Data can be acquired from outside sources. It is generally the case that such data is obtained under the terms of a data sharing agreement or similar legal instrument. Such data sharing agreements should make it clear what processing is permitted for the acquired data. It is also advisable that the provenance of the data is clearly stated. See ISO/IEC 23751:—1) for details about data sharing agreements. Legal, statutory, regulatory and contractual requirements can place restrictions on the copying of proprietary material. In particular, they can require that only material that is developed by the organization or that is licensed or provided by the developer to the organization, can be used. Copyright infringement can lead to legal action, which can involve fines and criminal proceedings. Aside from the organization needing to comply with its obligations towards third party intellectual property rights, the risks of personnel and third parties failing to uphold the organization’s own intellectual property rights should also be managed.

Intellectual property (IP) rights are an important issue for any organization. Organizations may hold many different types of research and proprietary information that can be protected through these rights, and the same rights attach to the technologies the organization buys or licenses from others (where they are then protected through contract provisions). Copyright and/or IP infringement can lead to severe financial and legal consequences for any organisation that wilfully or unwittingly breaches an agreement, so the subject should be given adequate consideration in order to avoid unnecessary business interruptions or information security incidents.

A good control describes how appropriate procedures ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products. Put simply, the organization should implement procedures which ensure it complies with all of its requirements, whether legislative, regulatory or contractual, relating to its use of software products and to intellectual property rights. Policies, processes and technical controls are likely to be needed for both aspects. Asset registers and acceptable use policies will also need to take IPR into account: where an asset is, or contains, intellectual property, the protection of that asset must address the IPR aspect.

Controls to ensure that only authorized and licensed software is in use within the organization should include regular inspection and audit. The auditor will want to see that registers of the licences the organization holds for others' software and other assets are kept and updated. Of particular interest will be that, where licences specify a maximum number of users or installations, this number is not exceeded, and that user and installation counts are audited periodically to check compliance.
The auditor will also look at how the organization protects its own IPR, which might include: data loss prevention controls; policies and an awareness programme targeting user education; or non-disclosure and confidentiality agreements that continue after termination of employment. Appropriate controls to identify and protect intellectual property include:

  • An intellectual property rights compliance policy (which meets copyright policy requirements of certain laws);
  • Ensuring proper use of software and other technology licenses;
  • Education and awareness on respecting IP rights;
  • Keeping track of IP assets.
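The periodic licence review described above (register of held licences, authorised-software check, maximum-installation limits) can be reduced to a reconciliation of an installed-software inventory against the licence register. The script below is an added illustration, not part of the ISO text or of this article; every product name, host and licence term in it is constructed sample data.

```python
"""Reconcile an installed-software inventory against a licence register.
Added example, not from ISO 27002; all sample data below is constructed."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Licence:
    product: str
    max_installs: int  # 0 means unlimited (e.g. a site licence)
    proof: str         # where proof of ownership is kept (guidance item e)

# Constructed licence register keyed by product name (guidance items d, e)
LICENCE_REGISTER = {
    "acme-cad": Licence("acme-cad", 5, "contracts/acme-cad-2023.pdf"),
    "officesuite": Licence("officesuite", 0, "vendor-portal/officesuite"),
}

# Constructed inventory export: (host, product) pairs from an endpoint scan
INVENTORY = [
    ("ws-01", "acme-cad"), ("ws-02", "acme-cad"), ("ws-03", "acme-cad"),
    ("ws-04", "acme-cad"), ("ws-05", "acme-cad"), ("ws-06", "acme-cad"),
    ("ws-06", "acme-cad"),  # duplicate scan entry; must not be double counted
    ("ws-01", "officesuite"), ("ws-07", "mediaripper"),
]

def review(inventory, register):
    """Flag products absent from the register (item g) and products whose
    unique install count exceeds the licensed maximum (item f)."""
    counts = Counter(product for _host, product in set(inventory))
    unlicensed = sorted(p for p in counts if p not in register)
    over_limit = {
        p: (counts[p], register[p].max_installs)
        for p in sorted(counts)
        if p in register
        and register[p].max_installs
        and counts[p] > register[p].max_installs
    }
    return {"unlicensed": unlicensed, "over_limit": over_limit}

def hosts_with(inventory, product):
    """Hosts on which a product was found, for the remediation ticket."""
    return sorted({h for h, p in inventory if p == product})

if __name__ == "__main__":
    findings = review(INVENTORY, LICENCE_REGISTER)
    for p in findings["unlicensed"]:
        print(f"UNLICENSED {p} on {hosts_with(INVENTORY, p)}")
    for p, (n, limit) in findings["over_limit"].items():
        print(f"OVER LIMIT {p}: {n} installs, licence allows {limit} "
              f"(proof: {LICENCE_REGISTER[p].proof})")
```

In practice the inventory would come from the organisation's endpoint management or software asset management tooling (see the ISO/IEC 19770 series), and each finding would be recorded as evidence for the next audit.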

Organisations should consider the following guidelines when safeguarding data, software, or assets that might be regarded as intellectual property:

  • Protecting IP rights on a case-by-case basis, in accordance with their unique operational requirements by implementing a “topic-specific” policy.
  • To remain compliant with IP standards, publish and communicate procedures that categorically define how software and ICT products should be operated.
  • To avoid any inadvertent copyright breaches, acquire software from reputable sources.
  • Identification of ICT assets with IP requirements using an organisational asset register.
  • The organisation should be able to provide proof of ownership at any time, including physical and electronic licensing documents, communications, and files.
  • Complying with software usage limits, including concurrent users, virtual resources and more.
  • Through periodic reviews, ensure the organisation’s ICT estate doesn’t contain any unlicensed or unauthorised software.
  • Keep licenses up-to-date through operational and financial procedures.
  • Provide safe, responsible, and legally compliant practices for the transfer or disposal of software assets.
  • Ensure that any software acquired from the public domain complies with the terms and conditions and fair use guidelines.
  • Any commercial recordings used by the organisation may not be extracted, copied, converted, or manipulated in any way that is not specified within the software’s terms and conditions (including licensing) or by prevailing copyright laws.
  • Observing and respecting the copyright laws or licensing terms of textual data, such as standards, books, articles, and reports.
