Home  ›  Blog  ›  ISO 27001 and Software Licensing
Compliance · ISO 27001 · Software

ISO 27001 and software licensing — the Annex A controls that intersect.

ISO 27001:2022 introduced 93 Annex A controls. Six of them create documentary obligations that intersect directly with software licensing. This article maps the intersection points, shows how to reconcile certification evidence with vendor audit evidence in a single asset register, and identifies the controls most likely to be probed in your next Stage 2 audit.

Updated: June 2026 Reading time: 14 min Audience: CISO, SAM Manager, Compliance Lead
ISO 27001 and Software Licensing: Annex A Controls Mapped
The intersection point

Where ISO 27001 meets software licensing.

ISO 27001 certification is the most widely held information-security management framework in the enterprise market. The 2022 revision (ISO/IEC 27001:2022) restructured Annex A controls into 93 controls across four themes — organisational, people, physical, technological. Buried in the organisational and technological themes are six controls that pull directly on software licensing: A.5.10 acceptable use of information and other associated assets, A.5.19 supplier relationships, A.5.21 ICT supply chain security, A.5.30 ICT readiness for business continuity, A.8.6 capacity management, and A.8.32 change management. Each of these creates a documentary obligation that intersects with what your software vendors expect to see in an audit.

In our experience across 340+ engagements, the ISO 27001 control evidence that buyers maintain for their security auditor is typically held in a different system than the licence-entitlement record their procurement team holds. The gap creates a recurring problem: vendor audit teams ask for asset inventories that are not aligned with the inventories held for ISO purposes, and the buyer cannot reconcile the two under audit pressure. Reconciling them once, properly, eliminates the gap and produces a defensible position for both auditors at the same time. Where a vendor audit is already in motion, our software license audit defense practice works from that same reconciled register.

Aligning ISO 27001 with software licensing controls?

We map Annex A control evidence to vendor entitlement records so a single dataset answers both auditors.

Contact Us →
Annex A mapping

The six controls that matter most.

A.5.10 — Acceptable use of assets

The control requires a documented acceptable-use policy for information assets, which the certification auditor reads as covering software. The policy has to describe permitted use, restricted use and prohibited use of licensed software. Common failure modes: policies that reference a software catalogue that does not exist, or policies that prohibit shadow IT while telemetry shows 200+ unsanctioned SaaS applications in active use. The fix is to write the policy to match what the discovery layer actually shows, not the ideal state.

A.5.19 — Supplier relationships

Requires a documented process for managing information-security risk in supplier relationships. The control evidence is the supplier-risk register, which has to list all software suppliers (not just the security-tooling vendors) and rate the residual security risk after contractual controls. Most buyers underweight the licensing-driven security risk — a vendor with audit rights to scan your estate is a security risk if the audit data is poorly handled. Treat audit-clause data handling as a security control evidenced in this register.

A.5.21 — ICT supply chain security

The 2022 revision elevated supply-chain security to a standalone control. Software bill of materials (SBOM) requirements, embedded open-source components and downstream licence obligations all fall under this control. The control evidence is the SBOM repository and the contractual flow-down provisions in supplier contracts. Coordinate the licence review with the security review — the same contract clause often covers both.

A.5.30 — ICT readiness for business continuity

Requires that information and communications technology be planned, implemented, maintained and tested based on business-continuity objectives and ICT continuity requirements. From a licensing perspective: do your contracts permit the use of licences in a disaster-recovery environment? The Oracle, IBM and Microsoft DR clauses are notoriously inconsistent, and getting this wrong is both a continuity issue and an Annex A compliance gap.

A.8.6 — Capacity management

Capacity has to be monitored and projected. The capacity records (compute utilisation, user counts, throughput) are also the records that vendors will ask for during a licence audit. Maintain one capacity register that answers both.

A.8.32 — Change management

Changes to information processing facilities have to be controlled. A "change" includes software installation, version upgrades and deployment to new environments — each of which can trigger licence consequences. The change-management ticketing system should capture entitlement reference for software changes.

Download the Vendor Audit Defence Handbook.

How ISO 27001 evidence intersects with vendor audit defence — with templates for the unified asset register.

Get the handbook →
The unified asset register

One dataset, two auditors.

The single most valuable artefact a compliance program can build is a unified asset register that answers both the ISO certification auditor and the vendor licence auditor. The register holds, per asset: the asset identifier, location, owner, software stack, version, deployment environment (production, test, DR), licence entitlement reference, ISO classification, and last-verified date. Building this register is a six-to-nine-month effort for a mid-size enterprise but pays back through audit avoidance, certification cost reduction, and renewal optimisation in the first cycle.

The mechanics of the register: a discovery tool (Snow, Flexera, ServiceNow SAM Pro) populates the deployment records; the entitlement repository populates the licence references; an integration layer reconciles the two and surfaces gaps. The reconciliation cadence should be quarterly for high-risk vendors and semi-annual for the rest. The ISO auditor reads this as Annex A evidence; the vendor auditor reads it as the Effective Licensing Position.

The certification market

What certification auditors actually look for.

The major ISO 27001 certification bodies (BSI, DNV, LRQA, SGS, TÜV, plus a long tail) vary in approach but converge on the same evidence requests during the Stage 2 audit. For Annex A.5.19 and A.5.21, expect a request for the full supplier list with risk ratings, contractual controls evidenced, and a written process for supplier review. For A.8.6 and A.8.32, expect a deep dive into change records around the audit window. The auditors increasingly probe AI and SaaS supplier risk — if you have signed Copilot or any AI tool, expect questions about data flow and contractual data-handling provisions.

Preparing for an ISO 27001 audit?

We help organisations reconcile licensing and security evidence so both certification and vendor audits land cleanly.

Contact Us →
FAQ

Common questions on this topic.

Does ISO 27001 require software licence compliance?
Not directly, but six Annex A controls (A.5.10, A.5.19, A.5.21, A.5.30, A.8.6, A.8.32) create documentary obligations that intersect with software licensing. A certification auditor will read your software-asset inventory as evidence for these controls.
What is the difference between ISO 27001 and ISO 19770?
ISO 27001 is the information-security management standard; ISO 19770 is the software asset management standard. The two were designed to interoperate — ISO 19770 evidence directly supports A.5.19 and A.5.21 in ISO 27001.
Should the SAM team be involved in ISO 27001 certification?
Yes. The SAM team holds the entitlement repository and deployment data that the certification auditor needs for several Annex A controls. Programs that exclude SAM from certification preparation typically rebuild the evidence twice.
Can the same evidence answer both certification and vendor audits?
Yes, if the asset register is designed as a unified dataset. A unified register holds asset, owner, software stack, environment, licence reference, ISO classification, and last-verified date in a single record — one source of truth for both auditors.
Which ISO 27001 controls do vendor audit teams probe most?
Vendor auditors do not probe ISO directly, but they probe the same underlying data. The most-probed evidence is deployment discovery (A.8.6, A.8.32), supplier risk management (A.5.19), and acceptable use (A.5.10).
How long does it take to align ISO 27001 with the licensing program?
Six to nine months for a mid-size enterprise to build a unified asset register and align the evidence. The payback is typically achieved in the first certification cycle through reduced audit hours and reduced vendor audit settlements.

Aligning ISO 27001 and licensing evidence?
Get one dataset for two auditors.

We design unified asset registers that satisfy ISO certification auditors and vendor licence auditors with a single source of truth.

The Compliance Brief

Weekly compliance intelligence for IT leaders.