What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.32


If you have been working with information security standards for a while, you’ll know that the transition from ISO 27001:2013 to the 2022 update brought about some significant housekeeping. One of the areas that saw a shift in placement, though its core mission remains vital, is the protection of Intellectual Property Rights (IPR). In the 2022 version, this is now known as Annex A 5.32. Understanding what changed is essential for keeping your compliance on track and your valuable ideas protected.

The Evolution from Control 18.1.2 to 5.32

In the older ISO 27001:2013 standard, Intellectual Property Rights were addressed under control 18.1.2. It sat within the “Compliance” domain, which often meant it was treated as a legal tick-box exercise rather than a day-to-day operational priority. The focus was heavily on ensuring the organisation wasn’t using unlicensed software and that it was meeting legal obligations regarding copyrighted material.

With the arrival of ISO 27001:2022, this control has been rebranded as Annex A 5.32. It has moved into the “Organizational Controls” theme. This shift is more than just a change in numbering; it reflects a broader view of IPR as a fundamental part of organizational governance. According to insights from Hightable.io, this move encourages businesses to view IPR not just as a legal hurdle, but as a core asset that requires proactive management throughout its entire lifecycle.

What Does Annex A 5.32 Cover Now?

The essence of the control remains the same: the organisation must implement procedures to protect intellectual property. This includes everything from proprietary software code and unique business processes to trademarks, patents, and even the documentation you produce. However, the 2022 version is designed to be more streamlined. It integrates the requirement to identify, document, and protect IPR into the general flow of business operations.

The new version also places a heavier emphasis on the protection of third-party IPR. It isn’t just about your own “secret sauce.” It’s about ensuring that you are not infringing on the rights of others, which could lead to significant legal and financial repercussions. Hightable.io notes that the 2022 update aligns more closely with modern digital environments where SaaS subscriptions, open-source libraries, and cloud-based collaboration make tracking software licenses and usage rights more complex than ever before.

Key Differences in Implementation

One of the biggest practical changes between the 2013 and 2022 versions is the introduction of “Attributes.” The 2022 standard allows you to tag controls with specific attributes like “Preventive,” “Governance,” or “Information Security Properties.” For Annex A 5.32, this means you can better categorize how you are protecting your IPR, whether that is through preventative technical measures or governance-led policy enforcement.

Under the 2013 version, many companies focused primarily on “software asset management.” While that is still important, Annex A 5.32 in the 2022 version asks you to look at the broader picture. This includes ensuring that employees understand their responsibilities regarding IPR from the moment they join the company (and even after they leave), which links closely to other human resource-related controls.

Why the Change Matters for Your Business

The shift to Annex A 5.32 highlights that in the modern economy, intellectual property is often a company’s most valuable asset. The 2022 version of the standard acknowledges that protecting these assets requires a blend of legal, technical, and physical security measures. By moving IPR into the “Organizational” category, the standard ensures that management takes a more active role in overseeing how these rights are protected and respected.

For those transitioning to the new standard, the experts at Hightable.io suggest that you start by updating your IPR register. You need to ensure it doesn’t just list software licenses, but also identifies the critical proprietary information that gives your business its competitive edge. Once identified, you can apply the necessary safeguards as outlined in the new 2022 framework.

Moving Forward with ISO 27001:2022

While the change from 18.1.2 to 5.32 might seem like a simple administrative update, it represents a more holistic approach to information security. It moves us away from a “compliance-only” mindset and toward a “risk-based” approach where intellectual property is protected because it is vital to the business, not just because a law says it must be. If you are looking to update your ISMS, focusing on the refined requirements of Annex A 5.32 is a great way to ensure your most important ideas stay exactly where they belong, with you.