Implementation of ISO 27001
Do you have a template for a copyright protection policy to meet the requirement of Annex A.18.1.2?
In your PDF list of documents, you point out that A.18 does not exist as a separate folder, but the content for it can be found in the following folders:
02 - Requirements identification process
08, A.8 - Management of values
08, A.10 - cryptography
Unfortunately, we cannot find a template for a guideline for A.18.1.2 in these folders.
Can you please help us here and contact an expert?
The document most closely related to your need is the IT Security Policy, located in folder 08 Annex A Security Controls >> Asset management.
This template covers control A.18.1.2 by defining rules for the protection of intellectual property rights, both for the organization's own material and for third-party material the organization uses.
Please note that ISO 27001 does not require a specific copyright protection policy, and from our experience, covering control A.18.1.2 through the IT Security Policy is enough for certification purposes.
Hello Rhand Leal
Thank you for your reply!
Our external auditor explicitly requested such a policy and noted the lack as an essential N-C, so if we don't have one, we don't get certified.
According to ISO 27001, 'procedures' can be implemented without writing them down - see this article for more details:
- Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
Considering that, if you do not have any specific legal requirement (e.g., law, regulation or contract) demanding that you have a documented copyright protection policy, there is no basis for the auditor to raise a nonconformity, but he can raise an opportunity for improvement for you to consider whether it is worthwhile to have such a policy documented. In the case of an opportunity for improvement, you are not obliged to implement and document the policy, provided you give a sound justification for not implementing it (e.g., lack of relevant risks or legal requirements demanding this specific policy).
Apr 29, 2020