Implementation of ISO 27001

Guest user Created:   Apr 29, 2020 Last commented:   Apr 29, 2020

 Do you have a template for a copyright protection policy to meet the requirement of Annex A.18.1.2?

In your pdf list of documents, you point out that A.18 does not exist as a separate folder, but the content for it can be found in the following folders:

02 - Requirements identification process
08, A.8 - Management of values
08, A.10 - cryptography
Unfortunately, we cannot find a template for a guideline for A.18.1.2 in these folders.

Can you please help us here and contact an expert?


Expert
Rhand Leal Apr 29, 2020

The document most related to your need is the IT Security Policy, located in folder 08 Annex A Security Controls >> Asset management.

This template covers control A.18.1.2 by defining rules for the protection of intellectual property rights, both the organization's and those in third-party material the organization uses.

Please note that ISO 27001 does not require a specific copyright protection policy, and in our experience, control A.18.1.2 covered by the IT Security Policy is enough for certification purposes.

Guest
Jürgen Apr 29, 2020

Hello Rhand Leal

Thank you for your reply!
Our external auditor explicitly requested such a policy and noted the lack as an essential N-C, so if we don't have one, we don't get certified.

Expert
Rhand Leal Apr 29, 2020

According to ISO 27001 'procedures' can be implemented without writing them down - see this article for more details:

Considering that, if you do not have any specific legal requirement (e.g., law, regulation or contract) requiring you to have a documented copyright protection policy, there is no basis for the auditor to raise a nonconformity, but he can raise an opportunity for improvement for you to consider whether it is worthwhile to have such a policy documented. In case of an opportunity for improvement, you are not obliged to implement and document the policy, provided you give a sound justification for not implementing it (e.g., lack of relevant risks or legal requirements demanding this specific policy).

Guest
Jürgen Apr 29, 2020

Hello Rhand Leal

Thank you for your reply. I just wrote one policy. But thanks for your advice and further comments on the subject. Our problem is that the auditor already raised the nonconformity and I don't want to argue with him about this particular policy.
