ISO 27001:2022 introduced 93 Annex A controls. Six of them create documentary obligations that intersect directly with software licensing. This article maps the intersection points, shows how to reconcile certification evidence with vendor audit evidence in a single asset register, and identifies the controls most likely to be probed in your next Stage 2 audit.
ISO 27001 certification is the most widely held information-security management framework in the enterprise market. The 2022 revision (ISO/IEC 27001:2022) restructured Annex A controls into 93 controls across four themes — organisational, people, physical, technological. Buried in the organisational and technological themes are six controls that pull directly on software licensing: A.5.10 acceptable use of information and other associated assets, A.5.19 supplier relationships, A.5.21 ICT supply chain security, A.5.30 ICT readiness for business continuity, A.8.6 capacity management, and A.8.32 change management. Each of these creates a documentary obligation that intersects with what your software vendors expect to see in an audit.
In our experience across 340+ engagements, the ISO 27001 control evidence that buyers maintain for their security auditor is typically held in a different system than the licence-entitlement record their procurement team holds. The gap creates a recurring problem: vendor audit teams ask for asset inventories that are not aligned with the inventories held for ISO purposes, and the buyer cannot reconcile the two under audit pressure. Reconciling them once, properly, eliminates the gap and produces a defensible position for both auditors at the same time. Where a vendor audit is already in motion, our software license audit defense practice works from that same reconciled register.
We map Annex A control evidence to vendor entitlement records so a single dataset answers both auditors.
The control requires a documented acceptable-use policy for information assets, which the certification auditor reads as covering software. The policy has to describe permitted use, restricted use and prohibited use of licensed software. Common failure modes: policies that reference a software catalogue that does not exist, or policies that prohibit shadow IT while telemetry shows 200+ unsanctioned SaaS applications in active use. The fix is to write the policy to match what the discovery layer actually shows, not the ideal state.
Requires a documented process for managing information-security risk in supplier relationships. The control evidence is the supplier-risk register, which has to list all software suppliers (not just the security-tooling vendors) and rate the residual security risk after contractual controls. Most buyers underweight the licensing-driven security risk — a vendor with audit rights to scan your estate is a security risk if the audit data is poorly handled. Treat audit-clause data handling as a security control evidenced in this register.
The 2022 revision elevated supply-chain security to a standalone control. Software bill of materials (SBOM) requirements, embedded open-source components and downstream licence obligations all fall under this control. The control evidence is the SBOM repository and the contractual flow-down provisions in supplier contracts. Coordinate the licence review with the security review — the same contract clause often covers both.
Requires that information and communications technology be planned, implemented, maintained and tested based on business-continuity objectives and ICT continuity requirements. From a licensing perspective: do your contracts permit the use of licences in a disaster-recovery environment? The Oracle, IBM and Microsoft DR clauses are notoriously inconsistent, and getting this wrong is both a continuity issue and an Annex A compliance gap.
Capacity has to be monitored and projected. The capacity records (compute utilisation, user counts, throughput) are also the records that vendors will ask for during a licence audit. Maintain one capacity register that answers both.
Changes to information processing facilities have to be controlled. A "change" includes software installation, version upgrades and deployment to new environments — each of which can trigger licence consequences. The change-management ticketing system should capture entitlement reference for software changes.
How ISO 27001 evidence intersects with vendor audit defence — with templates for the unified asset register.
The single most valuable artefact a compliance program can build is a unified asset register that answers both the ISO certification auditor and the vendor licence auditor. The register holds, per asset: the asset identifier, location, owner, software stack, version, deployment environment (production, test, DR), licence entitlement reference, ISO classification, and last-verified date. Building this register is a six-to-nine-month effort for a mid-size enterprise but pays back through audit avoidance, certification cost reduction, and renewal optimisation in the first cycle.
The mechanics of the register: a discovery tool (Snow, Flexera, ServiceNow SAM Pro) populates the deployment records; the entitlement repository populates the licence references; an integration layer reconciles the two and surfaces gaps. The reconciliation cadence should be quarterly for high-risk vendors and semi-annual for the rest. The ISO auditor reads this as Annex A evidence; the vendor auditor reads it as the Effective Licensing Position.
The major ISO 27001 certification bodies (BSI, DNV, LRQA, SGS, TÜV, plus a long tail) vary in approach but converge on the same evidence requests during the Stage 2 audit. For Annex A.5.19 and A.5.21, expect a request for the full supplier list with risk ratings, contractual controls evidenced, and a written process for supplier review. For A.8.6 and A.8.32, expect a deep dive into change records around the audit window. The auditors increasingly probe AI and SaaS supplier risk — if you have signed Copilot or any AI tool, expect questions about data flow and contractual data-handling provisions.
We help organisations reconcile licensing and security evidence so both certification and vendor audits land cleanly.
We design unified asset registers that satisfy ISO certification auditors and vendor licence auditors with a single source of truth.
Weekly compliance intelligence for IT leaders.