ISO 27001 Annex A 5.10 is a security control that establishes rules for the legitimate handling and use of organisational information and its associated assets. Its primary implementation requirement is formal policy distribution combined with user accountability; the business benefit is reduced legal liability and stronger data integrity across all operational environments.
Auditing the acceptable use of information and assets ensures that personnel understand their responsibilities and that the organisation maintains a secure, compliant operating environment. This process focuses on the alignment between documented policies, technical enforcement through IAM roles, and the physical tracking of equipment within a master Asset Register.
1. Formalise the Acceptable Use Policy (AUP) Framework
- Inspect the current AUP to ensure it covers all information asset categories, including mobile devices, cloud storage, and removable media.
- Verify that the policy explicitly defines prohibited activities, such as unauthorised software installation or the bypass of security controls.
- Requirement: Provision a comprehensive policy document that is reviewed annually and aligned with the organisation’s risk appetite.
2. Classify Information Assets for Usage Tiering
- Audit the Asset Register to ensure every item has a defined classification level (e.g., Confidential, Public).
- Verify that the AUP provides specific handling instructions for each classification tier.
- Requirement: Ensure that high-value assets are mapped to specific IAM roles to prevent over-privileged access.
3. Distribute the AUP to All Relevant Personnel
- Verify that the policy is accessible to all staff, contractors, and third parties through a centralised portal or handbook.
- Check that any updates to the policy were communicated via formal channels, such as email or internal briefings.
- Requirement: Maintain a distribution list that includes all active users within the scope of the ISMS.
4. Validate User Acknowledgements and Training Evidence
- Cross-reference the employee manifest with signed AUP acknowledgement forms to ensure 100% coverage.
- Review security awareness training logs to confirm that “Acceptable Use” modules have been completed by all active users.
- Requirement: Formalise a record-keeping process that links IAM role activation to the successful completion of policy training.
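The cross-referencing described in step 4 is a data-reconciliation job, so here is an added Python example (not part of the original article and not any vendor's tooling) that joins a constructed employee manifest against constructed acknowledgement forms, LMS completions and IAM role activations. It reports acknowledgement coverage, treats acknowledgements that predate the current AUP version as stale, and flags any IAM role that was activated before the user had both completed training and signed the current policy. All record formats, field names and dates are assumptions made for the example.

```python
"""Reconcile an employee manifest against AUP acknowledgements, training
records and IAM role activations (ISO 27001 A.5.10, audit step 4).

All data below is constructed sample data; the field names and the record
layouts are assumptions, not a real HR, LMS or IAM schema."""
from dataclasses import dataclass
from datetime import date

# Constructed employee manifest of in-scope ISMS users: user_id -> name
MANIFEST = {"u001": "A. Adams", "u002": "B. Baker", "u003": "C. Clark", "u004": "D. Dietz"}

# Constructed signed AUP acknowledgement forms: user_id -> date signed
ACKNOWLEDGEMENTS = {"u001": date(2024, 1, 15), "u002": date(2024, 2, 3), "u004": date(2023, 6, 1)}

# Constructed LMS completions for the "Acceptable Use" module: user_id -> date
TRAINING = {"u001": date(2024, 1, 20), "u003": date(2024, 3, 9)}

# Constructed IAM role activations: (user_id, role, activated_on)
IAM_ROLES = [
    ("u001", "finance-reader", date(2024, 2, 1)),
    ("u002", "hr-admin", date(2024, 2, 10)),
    ("u003", "dev-local-admin", date(2024, 3, 1)),
    ("u004", "finance-reader", date(2024, 1, 5)),
]

# Effective date of the AUP version in force; earlier acknowledgements are stale
AUP_EFFECTIVE = date(2024, 1, 1)


@dataclass
class Finding:
    user_id: str
    issue: str
    detail: str = ""


def acknowledgement_coverage(manifest, acks, effective=AUP_EFFECTIVE):
    """Return (coverage_pct, findings) for acknowledgements of the current AUP."""
    findings, current = [], 0
    for uid in manifest:
        signed = acks.get(uid)
        if signed is None:
            findings.append(Finding(uid, "no AUP acknowledgement on file"))
        elif signed < effective:
            findings.append(Finding(uid, "acknowledgement predates current AUP", str(signed)))
        else:
            current += 1
    pct = 100.0 * current / len(manifest) if manifest else 0.0
    return pct, findings


def iam_gating_findings(roles, training, acks, effective=AUP_EFFECTIVE):
    """Flag role activations that were not preceded by AUP training and a
    current acknowledgement, i.e. breaches of the step 4 requirement."""
    findings = []
    for uid, role, activated in roles:
        done = training.get(uid)
        if done is None or done > activated:
            findings.append(Finding(uid, "role activated before AUP training", role))
        signed = acks.get(uid)
        if signed is None or signed < effective or signed > activated:
            findings.append(Finding(uid, "role activated without current acknowledgement", role))
    return findings


def run_audit():
    """Run both checks over the constructed data and return the evidence."""
    pct, ack_findings = acknowledgement_coverage(MANIFEST, ACKNOWLEDGEMENTS)
    gating = iam_gating_findings(IAM_ROLES, TRAINING, ACKNOWLEDGEMENTS)
    return {"coverage_pct": pct, "ack_findings": ack_findings, "gating_findings": gating}


if __name__ == "__main__":
    result = run_audit()
    print(f"AUP acknowledgement coverage: {result['coverage_pct']:.0f}%")
    for f in result["ack_findings"] + result["gating_findings"]:
        print(f"  {f.user_id}: {f.issue} {f.detail}".rstrip())
```

On the constructed data the coverage is 50% (one user has no form, one signed a superseded version), and four of the five role activations would be flagged; in a real audit the same join is run against exports from the HR system, the LMS and the identity provider, and the findings list becomes the evidence attached to the audit step.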
5. Audit the Master Asset Register for Ownership
- Inspect the Asset Register to confirm that every hardware and software asset has a designated owner and a unique identifier.
- Sample 10 random assets and verify their physical location or logical assignment against the register.
- Requirement: Provision an up-to-date inventory that includes serial numbers, physical locations, and asset classifications.
6. Provision Multi-Factor Authentication (MFA) and Technical Guards
- Test the implementation of MFA for all remote access points and sensitive internal systems.
- Assess the configuration of Endpoint Detection and Response (EDR) tools to ensure they block unauthorised software execution.
- Requirement: Enforce technical controls that prevent policy violations, such as blocking unauthorised USB devices or unapproved cloud storage.
7. Evaluate Rules of Engagement (ROE) for Remote Work
- Review the ROE documents for remote staff to ensure they mandate the use of secure VPNs and disk encryption.
- Check for signed ROE agreements for any third-party contractors accessing the internal network.
- Requirement: Secure all remote access pathways with encrypted tunnels and certificate-based authentication.
8. Analyse System Logs and Monitoring Alerts
- Review SIEM logs for evidence of attempted policy breaches, such as access to restricted web categories or unauthorised data egress.
- Verify that the security team investigates and documents the outcome of high-severity alerts related to asset misuse.
- Requirement: Maintain a 90-day searchable log history for all critical asset access events.
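The log review in step 8 can be made repeatable. The following added Python example (written for this article, not taken from any SIEM product) parses a constructed newline-delimited JSON alert export, lists high-severity asset-misuse alerts that have no documented investigation outcome, counts policy-breach events per user, and checks whether the searchable history actually reaches back the required 90 days. The field names, category values and the export format are assumptions; real SIEMs differ, but the checks map directly onto the two audit points above.

```python
"""Triage constructed SIEM alert records for acceptable-use breaches
(ISO 27001 A.5.10, audit step 8).

The JSON field names (ts, severity, category, user, outcome) and the
category values are assumptions for this example, not a real SIEM schema."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export, one JSON object per line; the fourth line is
# deliberately malformed to show that unparseable records are counted.
SIEM_EXPORT = """\
{"ts": "2024-05-01T08:12:00Z", "severity": "high", "category": "data_egress", "user": "u002", "outcome": "investigated: approved transfer"}
{"ts": "2024-05-03T14:40:00Z", "severity": "low", "category": "web_category_block", "user": "u003", "outcome": ""}
{"ts": "2024-05-10T09:05:00Z", "severity": "high", "category": "usb_block", "user": "u003", "outcome": ""}
{"ts": "not-a-timestamp", "severity": "high", "category": "usb_block", "user": "u001", "outcome": ""}
{"ts": "2024-05-11T17:22:00Z", "severity": "medium", "category": "unapproved_cloud_storage", "user": "u004", "outcome": "user re-briefed"}
{"ts": "2024-05-20T11:00:00Z", "severity": "high", "category": "data_egress", "user": "u003", "outcome": ""}
"""

# Alert categories that correspond to AUP breaches (assumed names)
POLICY_CATEGORIES = {"data_egress", "web_category_block", "usb_block", "unapproved_cloud_storage"}
RETENTION_DAYS = 90
# Fixed "today" so the example is reproducible offline
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_alerts(text):
    """Parse newline-delimited JSON into alert dicts with timezone-aware
    timestamps. Malformed lines are skipped and counted so the auditor knows
    that part of the evidence could not be read."""
    alerts, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            alerts.append(rec)
        except (ValueError, KeyError, AttributeError):
            malformed += 1
    return alerts, malformed


def unresolved_high_severity(alerts):
    """High-severity policy-breach alerts with no documented investigation outcome."""
    return [a for a in alerts
            if a.get("severity") == "high"
            and a.get("category") in POLICY_CATEGORIES
            and not a.get("outcome", "").strip()]


def breaches_per_user(alerts):
    """Count policy-breach alerts per user to spot repeat offenders."""
    return Counter(a["user"] for a in alerts if a.get("category") in POLICY_CATEGORIES)


def retention_satisfied(alerts, now, days=RETENTION_DAYS):
    """True only if the oldest searchable event is at least `days` old;
    an empty export cannot demonstrate any retention at all."""
    if not alerts:
        return False
    oldest = min(a["ts"] for a in alerts)
    return now - oldest >= timedelta(days=days)


def run_triage(text=SIEM_EXPORT, now=AUDIT_DATE):
    alerts, malformed = parse_alerts(text)
    return {
        "parsed": len(alerts),
        "malformed": malformed,
        "unresolved_high": unresolved_high_severity(alerts),
        "per_user": breaches_per_user(alerts),
        "retention_ok": retention_satisfied(alerts, now),
    }


if __name__ == "__main__":
    result = run_triage()
    print(f"parsed={result['parsed']} malformed={result['malformed']} "
          f"retention_ok={result['retention_ok']}")
    for a in result["unresolved_high"]:
        print(f"  UNRESOLVED {a['ts'].date()} {a['user']} {a['category']}")
    print("  breaches per user:", dict(result["per_user"]))
```

With the constructed export the retention check fails (the oldest record is only 31 days old on the audit date), which is exactly the finding an auditor should record rather than trusting a dashboard that says "90 days" in its settings.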
9. Document and Authorise Policy Exceptions
- Identify any instances where users have been granted exceptions to the AUP, such as local admin rights for specific developers.
- Verify that each exception is supported by a formal risk assessment and management sign-off.
- Requirement: Create an Exception Register that includes expiry dates and review periods for all non-standard configurations.
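Step 9 asks for an Exception Register with risk assessments, sign-off, expiry dates and review periods. This added Python example (not from the original article) reviews a constructed register and reports, per exception, which of those elements is missing or lapsed. The row layout, the 90-day review cadence and the audit date are assumptions chosen for the example.

```python
"""Review a constructed AUP Exception Register (ISO 27001 A.5.10, audit step 9).

Each exception must carry a risk assessment reference, management sign-off,
an expiry date that has not passed, and a review that is not overdue.
Field names, the 90-day review period and the dates are assumptions."""
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=90)   # assumed review cadence
AUDIT_DATE = date(2024, 6, 1)        # fixed so the example is reproducible

# Constructed register rows
EXCEPTIONS = [
    {"id": "EX-01", "user": "u003", "exception": "local admin on dev workstation",
     "risk_ref": "RA-2024-07", "approver": "CISO", "granted": date(2024, 1, 10),
     "expires": date(2024, 7, 10), "last_review": date(2024, 4, 1)},
    {"id": "EX-02", "user": "u005", "exception": "USB mass storage allowed",
     "risk_ref": "", "approver": "IT Manager", "granted": date(2023, 11, 1),
     "expires": date(2024, 2, 1), "last_review": date(2023, 11, 1)},
    {"id": "EX-03", "user": "u007", "exception": "personal cloud storage",
     "risk_ref": "RA-2023-40", "approver": "", "granted": date(2024, 3, 1),
     "expires": None, "last_review": date(2024, 3, 1)},
]


def review_exception(row, today):
    """Return the list of audit issues for one register row (empty if clean)."""
    issues = []
    if not row.get("risk_ref"):
        issues.append("no risk assessment reference")
    if not row.get("approver"):
        issues.append("no management sign-off")
    if row.get("expires") is None:
        issues.append("no expiry date")
    elif row["expires"] < today:
        # An expired exception that is still in the register means the
        # non-standard configuration is probably still live.
        issues.append(f"expired on {row['expires']}")
    if today - row["last_review"] > REVIEW_PERIOD:
        issues.append("review overdue")
    return issues


def review_register(rows, today=AUDIT_DATE):
    """Map exception id -> list of issues for the whole register."""
    return {row["id"]: review_exception(row, today) for row in rows}


def run_review(today=AUDIT_DATE):
    return review_register(EXCEPTIONS, today)


if __name__ == "__main__":
    for ex_id, issues in run_review().items():
        print(ex_id, "OK" if not issues else "; ".join(issues))
```

Only EX-01 passes on the constructed data; the other two rows illustrate the two failure modes that matter most in practice, an exception that has silently outlived its expiry date and one that was never formally approved at all.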
10. Synchronise the AUP with HR Disciplinary Procedures
- Verify that the AUP explicitly references the organisation’s disciplinary process for policy violations.
- Review a sample of security incidents to see if policy breaches resulted in documented disciplinary actions.
- Requirement: Ensure a clear feedback loop exists between the IT Security team and Human Resources for enforcement.
ISO 27001 Annex A 5.10 Audit Implementation Matrix
| Audit Step | How to Audit | Evidence Examples |
|---|---|---|
| 1. Policy Scope | Compare the AUP against the Asset Register to ensure all asset types are covered. | AUP Document, Master Asset Register. |
| 2. Classification | Inspect asset labels and metadata for classification tags. | Database Schema, Physical Asset Tags. |
| 3. Distribution | Check the intranet ‘read’ logs for the policy document. | Intranet Analytics, Email Read Receipts. |
| 4. Training | Sample 10 user profiles in the LMS for ‘Acceptable Use’ completion status. | LMS Reports, Training Certificates. |
| 5. Ownership | Trace an asset from the register back to a specific department head. | Signed Asset Transfer Forms. |
| 6. MFA Enforcement | Attempt to log in to the VPN without a second factor. | Conditional Access Policies, MFA Logs. |
| 7. Remote ROE | Review the ‘Working from Home’ agreement for security clauses. | Signed ROE PDF, VPN Configuration. |
| 8. Log Analysis | Query the SIEM for ‘Policy Violation’ tags over the last 30 days. | SIEM Dashboard, Incident Reports. |
| 9. Exceptions | Audit the list of users with local admin privileges. | Privileged Access Review, Exception Register. |
| 10. Discipline | Check HR files for warnings issued following a data breach. | Disciplinary Records, Incident Post-Mortems. |
Common SaaS and GRC Platform Audit Failures
| Failure Point | SaaS/GRC Platform Limitation | Audit Risk |
|---|---|---|
| Policy Engagement Gap | Platforms track ‘clicks’ on a policy but cannot verify if the user actually read or understood the technical requirements. | Personnel claim ignorance during security incidents, leading to legal and compliance liability. |
| Disconnected Inventory | Many GRC tools do not sync in real-time with physical Asset Registers or local EDR status. | The auditor sees a ‘Green’ status for a policy while physical assets remain unencrypted or untracked. |
| False Security Sense | Automated ‘check-the-box’ templates often miss organisation-specific risks like proprietary hardware or legacy systems. | Critical gaps in bespoke operational environments are ignored by generic software automation. |
| Manual ROE Blindness | GRC platforms often fail to capture the nuances of physical Rules of Engagement (ROE) that require wet-ink signatures. | Inability to provide ‘burden of proof’ to an external auditor during a deep-dive investigation. |
| API Lag and Stale Data | Reliance on API connectors can hide the fact that an IAM role was changed or an asset was disposed of weeks ago. | Unauthorised access remains active longer than the policy allows because the software failed to update. |