Of all the controls in the ISO 27001 framework, Annex A 5.10, Acceptable use of information and other associated assets, is likely the most critical for managing the human side of security. This control governs how people interact with your most valuable assets, from data and software to hardware and cloud services.
Because it is the foundation of accountability, it is often a stumbling block in audits. A weak A.5.10 implementation can undermine an otherwise solid Information Security Management System (ISMS). This guide gives you a practical look at how to audit ISO 27001 Annex A 5.10. We will move past the “checkbox” mindset to help you understand the requirements and gather the right evidence.
Table of contents
- Demystifying Annex A 5.10: More Than Just a Policy
- The Core of Compliance: Your Acceptable Use Policy (AUP)
- Auditing the Full Information Lifecycle
- The Modern Challenge: Auditing Cloud Services and Shadow IT
- The Auditor’s Checklist: How to Pass Your A.5.10 Audit
- Top 3 Failures That Will Earn You a Nonconformity
- Conclusion
Demystifying Annex A 5.10: More Than Just a Policy
Before you can audit or implement this control, you must understand its core purpose. Many companies think A.5.10 is just about “having an Acceptable Use Policy (AUP),” but it is much broader.
The Official Definition and Purpose
ISO 27001 says that rules for acceptable use and procedures for handling assets should be “identified, documented and implemented.”
Pay close attention to those three words. This is the rhythm of the control. Its purpose is proactive. It protects information before an incident happens. By setting clear ground rules, you remove “plausible deniability.” You cannot blame someone for breaking a rule if they did not know it existed. A.5.10 closes that gap.
The ‘Why’ Behind the Control
At its heart, Annex A 5.10 forces you to set behavioural boundaries. It secures “informed consent” from everyone. This includes staff, contractors, and third parties. It ensures everyone knows what is expected, what is banned, and that they are responsible for their actions. Without this, enforcing other technical controls is very hard.
Evolution from the 2013 Standard
In the 2022 update, Annex A 5.10 merged two older controls: acceptable use of assets and handling of assets. The standard now treats ‘use’ and ‘handling’ as two sides of the same coin. This means your rules must cover an asset’s whole life, from creation to disposal.
The Core of Compliance: Your Acceptable Use Policy (AUP)
The Acceptable Use Policy (AUP) is your main piece of evidence. It is your formal statement on how assets should be used. For an auditor, this is the starting point.
The Three Pillars of an Auditor-Proof AUP
To keep an auditor happy, your AUP must be clear and cover three key areas:
- Expected Behaviour: This defines what users should do. It covers basics like using work email for business. It sets the baseline for normal activity.
- Unacceptable Behaviour: You must be specific here. List exactly what is forbidden. If rules are vague, an auditor will assume you cannot enforce them. This includes banning pirated software or sharing company data on personal apps.
- Monitoring Transparency: This is the “we are watching you” clause. By stating that you may monitor logs, you set boundaries and build trust. You also remove the expectation of privacy on work systems, which gives you legal cover.
Auditing the Full Information Lifecycle
An auditor looks beyond the AUP. The policy says what is acceptable, but procedures show how you enforce it. You must prove that these rules work across the entire lifecycle of your information.
Creation and Storage
During creation, an auditor checks for control. Your procedures must define data classification. How does a user know if a file is Public or Confidential? You must also define approved storage. For instance, you should clearly ban saving confidential data on personal cloud drives.
Transfer and Access
Moving data is risky. Auditors will check for procedures that link access rights to classification. You must also specify approved transfer methods. A key rule auditors look for is that any copy of information must be protected just as well as the original.
Disposal
This is often the “forgotten stage.” Dragging a file to the bin is not enough. You need procedures for authorised disposal, like shredding paper or wiping digital media. For confidential data, an auditor will want to see proof, like a destruction certificate.
The Modern Challenge: Auditing Cloud Services and Shadow IT
Auditors now look closely at how you manage external assets. You must account for assets you use but do not own, like cloud services.
Identifying and Assessing External Assets
You need to identify all cloud services and put them in your asset inventory. This links back to control A.5.9. Once identified, you must assess the risks of using them.
Enforcing Your AUP Through Contracts
It is not enough to have rules; you must enforce them on vendors. If your AUP bans storing data abroad, your contract with a cloud provider must guarantee data residency. If it doesn’t, you have a compliance gap.
Tackling Shadow IT
Shadow IT happens when staff use unapproved tools. This violates A.5.10 the moment they move company data there. Your AUP must be clear about the approval process for new software. To an auditor, unapproved tools prove you lack control.
The Auditor’s Checklist: How to Pass Your A.5.10 Audit
Compliance comes down to evidence. Here is what an auditor will ask for when you are figuring out how to audit ISO 27001 Annex A 5.10.
Evidence #1: The Acceptable Use Policy (AUP)
The auditor will check the document itself. It must be the current version, approved by management, and reviewed within the last year.
Evidence #2: The Critical Proof of Verifiable Acceptance
This is the most common point of failure. Auditors will not accept “we sent an email” as proof. They need evidence that every user accepted the AUP.
Acceptable proof includes a system log showing a user clicked “I accept,” a training certificate, or a signed document. Tools like hightable.io can be invaluable here, as they automate the tracking of policy acceptance, ensuring you can pull up a record for any user instantly.
An auditor might ask for a random sample of 20 employees. If you cannot show their acceptance records, you will likely receive a nonconformity.
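As an added illustration of the evidence checks described in Evidence #1 and #2 (not code from the original article), the following script runs an auditor-style self-check over a constructed roster, AUP record and acceptance log: it confirms the policy was reviewed within the last year, lists every user who has not accepted the current version, and simulates the random sample an auditor might pull. The data structures, field names and dates are all assumptions made for the example.

```python
"""A.5.10 audit-readiness self-check (added example; data and schema are constructed)."""
from datetime import date
import random

# Constructed sample data: current AUP metadata, employee roster and acceptance log.
AUP = {"doc_id": "AUP", "version": "3.1", "approved_by": "CISO", "last_review": date(2024, 11, 2)}

ROSTER = ["alice", "bob", "carol", "dave", "erin", "frank"]

# (user, doc_id, version accepted, date accepted) - as a policy tool might export it
ACCEPTANCE_LOG = [
    ("alice", "AUP", "3.1", date(2024, 11, 5)),
    ("bob",   "AUP", "3.0", date(2024, 3, 1)),   # only accepted a superseded version
    ("carol", "AUP", "3.1", date(2024, 11, 6)),
    ("dave",  "AUP", "3.1", date(2024, 11, 9)),
    ("frank", "AUP", "3.1", date(2024, 12, 1)),
    # erin has no acceptance record at all
]


def policy_is_current(aup, today, max_age_days=365):
    """Evidence #1: the AUP must have been reviewed within the last year."""
    return (today - aup["last_review"]).days <= max_age_days


def users_without_current_acceptance(aup, roster, log):
    """Evidence #2: every user needs an acceptance of the *current* version,
    recorded on or after that version's review date. Older acceptances do not count."""
    accepted = {
        user for (user, doc_id, version, accepted_on) in log
        if doc_id == aup["doc_id"] and version == aup["version"]
        and accepted_on >= aup["last_review"]
    }
    return sorted(set(roster) - accepted)


def sample_check(aup, roster, log, sample_size=20, seed=None):
    """Simulate the auditor's random sample and return the sampled users
    for whom no current acceptance record can be produced."""
    rng = random.Random(seed)
    sample = rng.sample(roster, min(sample_size, len(roster)))
    missing = set(users_without_current_acceptance(aup, roster, log))
    return sorted(user for user in sample if user in missing)


if __name__ == "__main__":
    today = date(2025, 6, 1)  # constructed audit date
    print("AUP reviewed within a year:", policy_is_current(AUP, today))
    print("Users lacking current acceptance:", users_without_current_acceptance(AUP, ROSTER, ACCEPTANCE_LOG))
    print("Failures in auditor sample:", sample_check(AUP, ROSTER, ACCEPTANCE_LOG, seed=0))
```

Any name the sample check returns is exactly the gap an auditor would write up, so running this before the audit lets you chase the missing acceptances first.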
Evidence #3: An Interconnected System
Auditors look for a system, not isolated papers. They check that your AUP links to other policies, like Access Control and Media Disposal. This shows that acceptable use is woven through your whole system.
Top 3 Failures That Will Earn You a Nonconformity
Most failures are not technical. They are gaps in procedure and evidence.
Failure #1: Lack of Active, Provable Acceptance
The Mistake: Thinking that putting a policy on the intranet is enough. If an employee shrugs when asked about the policy, you fail.
The Fix: Treat acceptance as a core task. Use a platform to track active consent from every user.
Failure #2: Forgetting the Non-Obvious Lifecycle Stages
The Mistake: Focusing on laptops but forgetting printer memory or backup tapes. An AUP that ignores disposal is incomplete.
The Fix: Ensure acceptable use covers everything, including a secure disposal procedure. A gap here is a red flag.
Failure #3: Poor Document Control
The Mistake: Mismatched version numbers or no proof of review. This signals a “dead system” that is not being maintained.
The Fix: Be tidy with your documents. Ensure versions match and reviews are recorded, even if no changes were made.
Conclusion
Annex A 5.10 is the anchor for the human side of your security. To pass your audit, focus on two things: covering the full lifecycle from creation to disposal, and getting proof of acceptance from every user. Master these, and you will show a strong approach to one of the most vital controls in ISO 27001.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
