In this ultimate how-to-audit guide to ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Formalise the Acceptable Use Policy (AUP) Framework
- 2. Classify Information Assets for Usage Tiering
- 3. Distribute the AUP to All Relevant Personnel
- 4. Validate User Acknowledgements and Training Evidence
- 5. Audit the Master Asset Register for Ownership
- 6. Provision Multi-Factor Authentication (MFA) and Technical Guards
- 7. Evaluate Rules of Engagement (ROE) for Remote Work
- 8. Analyse System Logs and Monitoring Alerts
- 9. Document and Authorise Policy Exceptions
- 10. Synchronise the AUP with HR Disciplinary Procedures
- ISO 27001 Annex A 5.10 Audit Implementation Matrix
- Common SaaS and GRC Platform Audit Failures
ISO 27001 Annex A 5.10 is a security control that establishes rules for the legitimate handling and use of organisational information. The primary implementation requirement is formal policy distribution and user accountability; the business benefit is reduced legal liability and improved data integrity across all operational environments.
Auditing the acceptable use of information and assets ensures that personnel understand their responsibilities and that the organisation maintains a secure, compliant operating environment. This process focuses on the alignment between documented policies, technical enforcement through IAM roles, and the physical tracking of equipment within a master Asset Register.
1. Formalise the Acceptable Use Policy (AUP) Framework
- Inspect the current AUP to ensure it covers all information asset categories, including mobile devices, cloud storage, and removable media.
- Verify that the policy explicitly defines prohibited activities, such as unauthorised software installation or the bypass of security controls.
- Requirement: Provision a comprehensive policy document that is reviewed annually and aligned with the organisation’s risk appetite.
2. Classify Information Assets for Usage Tiering
- Audit the Asset Register to ensure every item has a defined classification level (e.g., Confidential, Public).
- Verify that the AUP provides specific handling instructions for each classification tier.
- Requirement: Ensure that high-value assets are mapped to specific IAM roles to prevent over-privileged access.
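An auditor can run the two checks in this step mechanically against an exported Asset Register. The following is an added example, not part of the original guide or the toolkit: it reads a constructed CSV register (a hypothetical column layout assumed here), flags any asset with a missing or undefined classification level, and flags any high-value asset that has no IAM role mapped to it. It also checks for a recorded owner, anticipating the ownership check listed as step 5 in the contents.

```python
import csv
import io

# Constructed sample asset register (not from the guide), one row per asset.
SAMPLE_REGISTER = """\
asset_id,name,classification,owner,iam_role
A-001,HR payroll database,Confidential,HR Director,role-hr-payroll-admin
A-002,Public website,Public,Marketing Lead,
A-003,Customer CRM export,Confidential,Sales Director,
A-004,Laptop LT-17,,IT Manager,
A-005,Board minutes,Secret,Company Secretary,role-board
"""

# Classification tiers for which the AUP gives handling instructions (assumed set).
ALLOWED_CLASSIFICATIONS = {"Public", "Internal", "Confidential"}
# Tiers treated as high-value and therefore required to map to a specific IAM role.
HIGH_VALUE = {"Confidential"}


def audit_asset_register(csv_text):
    """Return (asset_id, finding) tuples for rows that fail the step-2 criteria.

    An empty list means every asset has a defined classification, an owner,
    and (for high-value tiers) an IAM role mapping.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset_id = row["asset_id"]
        cls = (row.get("classification") or "").strip()
        if not cls:
            findings.append((asset_id, "no classification level recorded"))
        elif cls not in ALLOWED_CLASSIFICATIONS:
            findings.append((asset_id, f"classification '{cls}' not defined in the AUP"))
        if not (row.get("owner") or "").strip():
            findings.append((asset_id, "no asset owner recorded"))
        if cls in HIGH_VALUE and not (row.get("iam_role") or "").strip():
            findings.append((asset_id, "high-value asset has no IAM role mapping"))
    return findings


def pass_fail(csv_text):
    """Apply the pass/fail test: any finding fails the register as a whole."""
    return "FAIL" if audit_asset_register(csv_text) else "PASS"


if __name__ == "__main__":
    for asset_id, finding in audit_asset_register(SAMPLE_REGISTER):
        print(f"{asset_id}: {finding}")
    print(pass_fail(SAMPLE_REGISTER))
```

Each finding is the evidence line an auditor records against the asset; the register only passes once the list is empty.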
3. Distribute the AUP to All Relevant Personnel
- Verify that the policy is accessible to all staff, contractors, and third parties through a centralised portal or handbook.
- Check that any updates to the policy were communicated via formal channels, such as email or internal briefings.
- Requirement: Maintain a distribution list that includes all active users within the scope of the ISMS.