Incorrect use of product keys
I am writing to find out the implications of using unlicensed product keys or incorrect licenses on ISO 27001.
I have come across cases where there are certain products such as XXX, XXX and XXX that are not correctly used. Product keys were acquired, but the licenses were not.
I am under the assumption that the control A.18.1.2 requires an organization to use the correct licenses. Would these issues have an impact on certification if they are uncovered within an audit?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
The situation you reported would configure a control failure, leading to a nonconformity, that if not properly handled can impact your certification.
Regardless of that, the use of unlicensed product keys or incorrect licenses is a legal offense in many countries, and even if the related software is not in your ISMS scope, your organization should seek legal advice on how to handle the situation.
These materials will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Jan 21, 2021