How to Implement ISO 27001 Annex A 5.10: A Practical Guide to Acceptable Use

How to implement ISO 27001 Annex A 5.10

ISO 27001 Annex A 5.10, “Acceptable use of information and other associated assets,” is the backbone of a defensible security culture. It goes beyond firewalls and encryption to manage the human element. It sets clear ground rules for how everyone in your organisation handles company data. At its core, this control removes plausible deniability. You cannot hold someone responsible for breaking a rule if they can honestly say, “I didn’t know the rule existed.”

This guide gives you a practical approach on how to implement ISO 27001 Annex A 5.10. We will break down its purpose, outline the mandatory steps, and show you how to write an effective Acceptable Use Policy (AUP) to help you pass your certification audit.

1. Deconstructing Annex A 5.10: Understanding Its Core Purpose

Before you start the “how,” you need to understand the “why.” Annex A 5.10 is not just a box you tick for compliance. It is the foundation of user accountability. Its purpose is to force a critical conversation in your business to define the line between right and wrong when using company resources.

The standard states that rules for acceptable use and procedures for handling assets must be “identified, documented and implemented.” This is your mandate. It is not enough to just have a policy. You must define the rules, support them with procedures, and prove they are being used.

The Evolution from ISO 27001:2013

The 2022 version of Annex A 5.10 merges two controls from the older 2013 standard: Acceptable use of assets and Handling of assets.

By combining these, the standard makes a strong statement. “Using” and “handling” are two sides of the same coin. This means your rules must cover the entire life of an asset. This ranges from its creation and storage to its transfer, sharing, and final disposal.

2. Your Implementation Blueprint: The Four Mandatory Steps

To satisfy an auditor and build a strong culture, you need a clear plan. You can break down the requirements for Annex A 5.10 into four mandatory actions.

  • Universal Awareness: Your first task is ensuring all personnel know your security requirements. This includes staff, contractors, and third parties. There are no exceptions. Auditors expect you to prove that everyone with access to your assets knows the rules.
  • Assigned Accountability: You must assign clear accountability. People must be responsible for how they use company assets. This makes them answerable for their actions regarding information, hardware, and software.
  • A Central Policy: You need a solid Acceptable Use Policy (AUP). This document is the central reference for all rules and expectations regarding asset use.
  • Documented & Enforced Procedures: Finally, you must document and enforce procedures that come from the AUP. You need to translate high-level rules into step-by-step instructions that people can follow in their daily work.


3. Crafting an Auditor-Proof Acceptable Use Policy (AUP)

The AUP is the centrepiece of your compliance. A vague or hidden AUP is a common reason for failure during an ISO 27001 audit. To be effective, your AUP must be clear and cover three key areas.

Expected Behaviour

This section defines what people should do. It outlines the appropriate use of company assets. For instance, it should state that corporate email is for business, perhaps with allowances for light personal use.

Unacceptable Behaviour

You must be explicit about what is forbidden. Vague statements do not work here. List specific prohibited activities, such as installing pirated software, visiting illegal websites, or sharing confidential data on personal chat apps.

Transparency About Monitoring

This is a critical clause. Your AUP must state that you may monitor network traffic and access logs for security. This transparency sets boundaries, builds trust, and provides legal cover.

To make these rules easy to understand, use a simple matrix in your policy.

Category      | Acceptable Use (Do)                          | Unacceptable Use (Don’t)
--------------|----------------------------------------------|--------------------------------------------
Internet      | Research, Banking (during lunch break)       | Gambling, Adult Content, Dark Web
Email         | Business communications, Light personal use  | Chain letters, Harassment, Phishing
Hardware      | Work tasks, Charging a personal phone        | Installing pirated software, Crypto mining
Social Media  | Professional use (e.g., LinkedIn)            | Posting confidential company data

4. Applying the AUP Across the Full Asset Lifecycle

An effective AUP needs to work in the real world. You must translate its principles into procedures that cover every stage of an asset’s life.

Creation and Storage

Procedures must define your data classification scheme (like Public, Internal, or Confidential). Users need to know how to label information when they create it. You must also specify approved storage locations. A critical rule is that confidential data cannot sit on personal cloud drives.

Transfer and Access

Procedures for accessing information must link to its classification. You need a record of who is allowed to access sensitive systems. You also need to define how to transfer data. For example, you might forbid using WhatsApp for business. If you send a copy of a report, you must protect it just like the original.

Disposal

This is the “forgotten stage” where many gaps appear. You must define how to dispose of different assets. This might mean shredding paper or using secure wipe software for digital files. Dragging a file to the trash can is not enough. For highly confidential data, you need proof of destruction.

5. Navigating Modern Challenges: Cloud Services and Shadow IT

Auditors are now checking how you apply these rules to assets you use but do not own. Your duty under Annex A 5.10 extends to cloud services and “Shadow IT.”

First, identify all cloud and SaaS resources you use. This links to control A.5.9 (Inventory of information). Once identified, assess the risks.

Next, enforce your rules via agreements. If your AUP forbids storing data outside your country, but your SaaS contract does not guarantee data residency, you have a gap. You are failing to enforce your own policy.

Finally, address Shadow IT. This happens when employees use unapproved tools. If they move company data into an unvetted tool, it violates Annex A 5.10. Your AUP must clearly state the approval process for new tools.

6. Passing the Audit: How to Prove Your Compliance

Good policies are not enough to pass an audit. You need evidence. An auditor will ask for three things:

  1. The approved and current AUP.
  2. Documented procedures that support the AUP.
  3. Verifiable acceptance of the AUP from every user.

The Critical Importance of “Verifiable Acceptance”

Verifiable acceptance is the issue that derails most certifications. An auditor will not accept “we sent an email” as proof. They need evidence that each person agreed to the policy. Valid proof includes system logs showing a user clicked “I accept,” a training certificate, or a signed document.

An auditor might pick 20 random employees and ask for their acceptance records. If you cannot show them, you have a nonconformity.

7. Top 3 Common Mistakes (And How to Avoid Them)

Failures in control A.5.10 are rarely technical. They are usually gaps in procedure. Here is how to avoid the most common pitfalls.

  • Lack of Active Acceptance: Do not assume posting the policy on the intranet is enough. Embed acceptance into onboarding and annual training. Require active consent every time you update the policy.
  • Forgetting Non-Obvious Lifecycle Stages: Do not just focus on laptops. Remember to cover the secure destruction or transfer of printers, backup tapes, and mobile devices.
  • Incorrect Document Control: Avoid administrative errors. Ensure every policy has a clear owner, a review history, and accurate version numbers. A document with no review comments for years signals a dead system.
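The “verifiable acceptance” evidence in section 6 and the “active acceptance on every update” rule above are both checks you can run against your own records before the auditor does. The script below is an added example, not code from the article or from High Table. It assumes a line-oriented acceptance log written by an intranet “I accept” button (the field names, the `method` values and the roster are all assumptions), an AUP version history with effective dates, and a list of active personnel; every record in it is constructed. It reports each active user who has no acceptance of the current AUP version, flags acceptances from identities that are not on the roster, and draws the kind of random sample an auditor would pull.

```python
"""Verify that every active user has verifiably accepted the current AUP version.

Added example, not part of the original article. Assumes a line-oriented
acceptance log, a roster of active personnel and an AUP version history;
all data below is constructed for illustration.
"""
from __future__ import annotations

import random
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed AUP version history: (version, effective date).
# Re-acceptance is required whenever a new version becomes effective.
AUP_VERSIONS = [("1.0", "2023-01-10"), ("2.0", "2024-02-01"), ("2.1", "2024-09-15")]

# Constructed roster of everyone with access to assets (staff and contractors).
ACTIVE_USERS = {"alice", "bob", "carol", "dave", "erin"}

# Constructed acceptance log lines, in the shape an intranet click-through might write.
ACCEPTANCE_LOG = """\
2023-01-12T09:05:11Z user=alice aup_version=1.0 method=click ip=10.0.0.12
2023-01-12T09:07:43Z user=bob aup_version=1.0 method=click ip=10.0.0.13
2024-02-03T14:20:09Z user=alice aup_version=2.0 method=click ip=10.0.0.12
2024-02-03T14:21:30Z user=carol aup_version=2.0 method=click ip=10.0.0.14
2024-09-16T08:01:02Z user=alice aup_version=2.1 method=click ip=10.0.0.12
2024-09-16T08:03:55Z user=carol aup_version=2.1 method=signed_form ip=-
2024-09-17T10:11:00Z user=dave aup_version=2.1 method=click ip=10.0.0.20
this line is corrupt and must be skipped, never counted as consent
2024-09-18T11:00:00Z user=mallory aup_version=2.1 method=click ip=10.0.0.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>[\w.-]+) aup_version=(?P<ver>[\d.]+) method=(?P<method>\w+)"
)


@dataclass(frozen=True)
class Acceptance:
    timestamp: datetime
    user: str
    version: str
    method: str


def parse_acceptance_log(text: str) -> list[Acceptance]:
    """Parse log lines; malformed lines are dropped rather than treated as consent."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Acceptance(ts, m["user"], m["ver"], m["method"]))
    return records


def current_aup_version(versions=AUP_VERSIONS) -> str:
    """The version with the latest effective date is the one users must have accepted."""
    return max(versions, key=lambda v: v[1])[0]


def find_nonconformities(users, records, version) -> dict[str, str]:
    """Map each active user lacking acceptance of `version` to the reason.

    An acceptance counts only if it names the current version and was recorded
    on or after that version's effective date, so an old click cannot be reused.
    """
    effective = datetime.strptime(dict(AUP_VERSIONS)[version], "%Y-%m-%d")
    effective = effective.replace(tzinfo=timezone.utc)
    latest_by_user: dict[str, Acceptance] = {}
    for r in records:
        if r.user not in latest_by_user or r.timestamp > latest_by_user[r.user].timestamp:
            latest_by_user[r.user] = r
    gaps = {}
    for user in sorted(users):
        r = latest_by_user.get(user)
        if r is None:
            gaps[user] = "no acceptance record"
        elif r.version != version or r.timestamp < effective:
            gaps[user] = f"last accepted version {r.version} on {r.timestamp.date()}, current is {version}"
    return gaps


def unknown_acceptors(users, records) -> set[str]:
    """Acceptances from identities not on the roster: the roster (A.5.9) may be stale."""
    return {r.user for r in records} - set(users)


def auditor_sample(users, n, seed=0) -> list[str]:
    """Deterministic random sample of n users, mirroring an auditor pulling names."""
    return sorted(random.Random(seed).sample(sorted(users), min(n, len(users))))


if __name__ == "__main__":
    recs = parse_acceptance_log(ACCEPTANCE_LOG)
    ver = current_aup_version()
    for user, reason in find_nonconformities(ACTIVE_USERS, recs, ver).items():
        print(f"NONCONFORMITY {user}: {reason}")
    print("acceptances from identities not on the roster:", unknown_acceptors(ACTIVE_USERS, recs))
    print("sample for auditor walkthrough:", auditor_sample(ACTIVE_USERS, 3))
```

Two design points matter for the audit. The corrupt log line is skipped rather than parsed leniently, because a record that cannot be tied to a user, a version and a time is not evidence of consent. And the check rejects an acceptance of the current version recorded before that version’s effective date, which is what “active consent every time you update the policy” means in practice: a click against the old text does not carry forward.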

8. Conclusion: Anchoring Accountability in Your ISMS

ISO 27001 Annex A 5.10 is more than a document. It is the control that governs the human element of security. A failure here puts your entire system at risk. Success depends on provable acceptance from every user.

This control connects to other key parts of your security, such as Asset Inventory and Information Classification. Tools like hightable.io can be valuable for managing these interconnected assets and policies within your ISMS.

By mastering Annex A 5.10, you build a foundation for user responsibility. You strengthen your defences and create a resilient, security-conscious culture.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director