Organisational, Preventive, Identify

A.5.32 Intellectual Property Rights

M365 Admin Path: Microsoft Purview > Information protection

Evidence Source: Multiple Sources

What is this control?

ISO 27001 control A.5.32 Intellectual Property Rights ensures the organisation protects its own intellectual property and uses all third-party intellectual property lawfully, including software licences, code, and data. Technical controls enforce IP protection through Purview Sensitivity Labels, software licence management in Microsoft 365 Admin Center, Intune application controls, and automated licence scanning in Azure DevOps.

How to implement in Microsoft 365

Implement A.5.32 by identifying organisational IP, including code, policies, and proposals, in the A.5.9 asset inventory. Apply Purview Highly Confidential Internal Protected sensitivity labels to all sensitive IP in M365. Restrict Azure DevOps repositories to private with Microsoft Entra ID access control.

Configure Microsoft Intune to restrict software installation so that only CISO-approved apps are allowed via Company Portal. Implement Microsoft Defender for DevOps licence scanning on all Azure DevOps repositories. Track cloud and endpoint software licences in M365 Admin Center, and recover and reallocate transferable licences on device decommission.

What an auditor looks for

Auditors will verify the Purview Highly Confidential label configuration, with encryption and access restrictions enabled. They will check the Microsoft 365 licence inventory report showing all assigned cloud licences and user assignments. Auditors will review the Intune configuration profile that restricts end-user software installation, with trial and unapproved software blocked.

They will verify the Microsoft Defender for DevOps active licence scanning report for Azure DevOps repositories. Auditors will also check evidence of the CISO approval process for software exceptions.
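
The licence inventory report with user assignments that auditors ask for can be built by reconciling subscription totals against per-user assignments. The script below is an added example, not code from the original page or from Microsoft. The helper name `Get-LicenceInventory`, the SKU names, the users and the treatment of disabled accounts as recovery candidates are assumptions.

```powershell
# Added example: names and sample data are constructed. Property names mirror the
# objects returned by Get-MgSubscribedSku and Get-MgUser (Microsoft Graph PowerShell).
function Get-LicenceInventory {   # hypothetical helper name
    param([object[]]$Skus, [object[]]$Users)

    $skuById = @{}
    foreach ($s in $Skus) { $skuById[$s.SkuId] = $s }

    # One row per user/licence pair: the "user assignments" half of the evidence.
    $assignments = foreach ($u in $Users) {
        foreach ($l in $u.AssignedLicenses) {
            $sku = $skuById[$l.SkuId]
            [pscustomobject]@{
                User    = $u.UserPrincipalName
                Enabled = $u.AccountEnabled
                # An assignment with no matching subscription is surfaced, not dropped.
                Sku     = if ($sku) { $sku.SkuPartNumber } else { "UNKNOWN:$($l.SkuId)" }
            }
        }
    }

    # One row per subscription: purchased seats versus assigned seats.
    $summary = foreach ($s in $Skus) {
        $rows = @($assignments | Where-Object Sku -eq $s.SkuPartNumber)
        [pscustomobject]@{
            Sku         = $s.SkuPartNumber
            Purchased   = $s.PrepaidUnits.Enabled
            Assigned    = $rows.Count
            Unassigned  = $s.PrepaidUnits.Enabled - $rows.Count
            # Assumption: seats held by disabled accounts are candidates to recover.
            Recoverable = @($rows | Where-Object { -not $_.Enabled }).Count
        }
    }
    [pscustomobject]@{ Assignments = @($assignments); Summary = @($summary) }
}

# Constructed sample input. Live data would come from Get-MgSubscribedSku and
# Get-MgUser -All -Property UserPrincipalName,AccountEnabled,AssignedLicenses
$skus = @(
    [pscustomobject]@{ SkuId = 'aaaa'; SkuPartNumber = 'EXAMPLE_E5';      PrepaidUnits = [pscustomobject]@{ Enabled = 3 } }
    [pscustomobject]@{ SkuId = 'bbbb'; SkuPartNumber = 'EXAMPLE_PROJECT'; PrepaidUnits = [pscustomobject]@{ Enabled = 1 } }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; AccountEnabled = $true;  AssignedLicenses = @(@{ SkuId = 'aaaa' }, @{ SkuId = 'bbbb' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test';   AccountEnabled = $false; AssignedLicenses = @(@{ SkuId = 'aaaa' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; AccountEnabled = $true;  AssignedLicenses = @(@{ SkuId = 'cccc' }) }
)
$report = Get-LicenceInventory -Skus $skus -Users $users
$report.Summary     | Format-Table
$report.Assignments | Format-Table
```

A negative `Unassigned` value means more seats are assigned than purchased, and an `UNKNOWN:` row means a user holds a licence that is missing from the subscription inventory.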