#iso27002/2022/EN

5.32 Intellectual property rights

Control

The organization should implement appropriate procedures to protect intellectual property rights.

Purpose

To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.

The following guidelines should be considered to protect any material that can be considered intellectual property:

a) defining and communicating a topic-specific policy on protection of intellectual property rights;

b) publishing procedures for intellectual property rights compliance that define compliant use of software and information products;

c) acquiring software only through known and reputable sources, to ensure that copyright is not infringed upon;

d) maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;

e) maintaining proof and evidence of ownership of licences, manuals, etc.;

f) ensuring that any maximum number of users or resources [e.g. central processing units (CPUs)] permitted within the licence is not exceeded;

g) carrying out reviews to ensure that only authorized software and licensed products are installed;

h) providing procedures for maintaining appropriate licence conditions;

i) providing procedures for disposing of or transferring software to others;

j) complying with terms and conditions for software and information obtained from public networks and outside sources;

k) not duplicating, converting to another format or extracting from commercial recordings (video, audio) other than permitted by copyright law or the applicable licences;

l) not copying, in full or in part, standards (e.g. ISO/IEC International Standards), books, articles, reports or other documents, other than permitted by copyright law or the applicable licences.

Other information

Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences.

Proprietary software products are usually supplied under a licence agreement that specifies licence terms and conditions, for example, limiting the use of the products to specified machines or limiting copying to the creation of backup copies only. See the ISO/IEC 19770 series for details about IT asset management.

Data can be acquired from outside sources. It is generally the case that such data is obtained under the terms of a data sharing agreement or similar legal instrument. Such data sharing agreements should make it clear what processing is permitted for the acquired data. It is also advisable that the provenance of the data is clearly stated. See ISO/IEC 23751:—1) for details about data sharing agreements.

Legal, statutory, regulatory and contractual requirements can place restrictions on the copying of proprietary material. In particular, they can require that only material that is developed by the organization, or that is licensed or provided by the developer to the organization, can be used. Copyright infringement can lead to legal action, which can involve fines and criminal proceedings.

Aside from the organization needing to comply with its obligations towards third-party intellectual property rights, the risks of personnel and third parties failing to uphold the organization's own intellectual property rights should also be managed.

1) Under preparation. Stage at the time of publication: ISO/IEC PRF 23751:2022.