How to Implement ISO 27001 Annex A 5.10 Acceptable Use

Implementing ISO 27001 Annex A 5.10 means establishing clear behavioural boundaries for information security so that employees understand their responsibilities when using organizational assets. It requires a legally binding Acceptable Use Policy (AUP) backed by technical controls, such as screen locks, USB blocking and web filtering, that prevent data exfiltration and unauthorized system access rather than merely asking for it.

ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.10. Compliance with this control requires strictly defined boundaries of behaviour enforced by technical controls and binding HR contracts, not just a passive “I Agree” button in a compliance portal.

1. Draft a Specific Acceptable Use Policy (AUP)

Control Requirement: Rules for the acceptable use of information and associated assets must be identified and documented.

Required Implementation Step: Open your word processor and draft a policy that explicitly lists forbidden actions relevant to your tech stack. Do not use a generic template. Explicitly ban specific activities: “Crypto-mining on company servers,” “Pasting customer PII into public LLMs (e.g., ChatGPT),” and “Storing corporate data on personal Google Drives.”

Minimum Requirement: A policy document (PDF) containing a specific section on “Prohibited Activities” customized to your business operations.

2. Integrate AUP Acceptance into Employment Contracts

Control Requirement: Users must acknowledge and agree to the rules of acceptable use.

Required Implementation Step: Work with your HR Director to make the AUP a mandatory annex to the employment contract. Require a wet signature or a legally binding electronic signature (e.g., DocuSign) before the employee receives their laptop. A tick-box in a GRC dashboard is often insufficient for legal enforcement during disciplinary action.

Minimum Requirement: A signed contract on file for every active employee referencing the latest AUP version.

3. Enforce Screen Locking via Group Policy/MDM

Control Requirement: Procedures for the protection of assets must be implemented.

Required Implementation Step: Do not rely on politeness. Configure your Mobile Device Management (MDM) or Active Directory Group Policy Object (GPO) to force a screen lock after at most 5 minutes of inactivity, and do not give the user a way to override it. Apply this universally to Windows, macOS, and mobile devices accessing corporate data.

Minimum Requirement: A screenshot or policy export showing the lock timeout at 5 minutes or less: for Windows GPO, “Interactive logon: Machine inactivity limit” set to 300 seconds (the InactivityTimeoutSecs value); for an MDM profile, “MaxInactivityTimeDeviceLock” set to 5, since the Policy CSP value is expressed in minutes.

4. Block Removable Media (USB) Access

Control Requirement: Prevent unauthorized data exfiltration or malware introduction via removable media.

Required Implementation Step: Navigate to your Endpoint Protection platform (e.g., Defender for Endpoint, CrowdStrike) or the GPO removable-storage settings. Set the policy to “Deny write access” (or deny all access) for all removable storage classes; blocking execution alone stops malware from running off the stick but does nothing to stop data being copied onto it. Create an exception group only for the specific IT personnel who need write access to reimage devices, and log when they use it.

Minimum Requirement: Evidence of a “Deny Write” policy applied to the “All Users” group for USB storage devices.

5. Restrict Local Administrative Privileges

Control Requirement: Users should only have the permissions necessary for their role.

Required Implementation Step: Remove “Local Admin” rights from standard user accounts. This prevents users from installing unauthorized software (Shadow IT) or disabling security agents. Use an endpoint management tool to handle legitimate software updates automatically.

Minimum Requirement: A report from your endpoint management tool (local group membership lives on each device, not in the directory, so collect it from the endpoints) showing that standard users are not members of the local “Administrators” group.

6. Regulate Browser Extensions and Plugins

Control Requirement: Control the installation of software that can read browser data.

Required Implementation Step: Configure Google Chrome or Edge policies to “Block all extensions” by default. Create an “Allowlist” of approved business extensions (e.g., LastPass, Grammarly Business). Unregulated extensions are a primary vector for data theft and spyware.

Minimum Requirement: A screenshot of the browser policy showing ExtensionInstallBlocklist = * together with an ExtensionInstallAllowlist that contains only the approved extension IDs.
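Steps 3 to 6 all come down to the same question an auditor will ask: does the device actually have the policy applied, or does someone merely say it does? The following PowerShell script is an added example, not part of the original page or the author's toolkit. Run on a Windows endpoint, it reads the machine-policy registry values that GPO or MDM write for the screen lock, removable storage and browser extension settings, lists the local Administrators group, and emits a pass/fail object per step that you can export as evidence. The 300-second threshold, the assumption that only the built-in Administrator account belongs in the local group, and the Chrome policy root (swap in HKLM:\SOFTWARE\Policies\Microsoft\Edge for Edge) are assumptions to adjust to your own AUP.

```powershell
# Added example (not from the original page): collect endpoint evidence for
# Steps 3-6 on one Windows device. It reads the effective machine-policy
# registry values that GPO/MDM write and emits pass/fail objects you can
# export for the auditor. Thresholds and the approved-admin list are
# assumptions; adjust them to your own policy.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (i.e. the policy was never applied).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PolicyValueList {
    param([string]$Path)
    # Chrome/Edge list policies are stored as values named "1", "2", ... under the key.
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Test-AupEndpointEvidence {
    param(
        [int]      $MaxLockSeconds = 300,                                   # Step 3 threshold (assumption)
        [string[]] $ApprovedAdmins = @("$env:COMPUTERNAME\Administrator"), # assumption: built-in account only
        [string]   $ExtensionPolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'  # or ...\Microsoft\Edge
    )
    $checks = @()

    # Step 3: GPO "Interactive logon: Machine inactivity limit" (seconds). 0 or absent = never locks.
    $lock = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $checks += [pscustomobject]@{
        Step = 3; Control = 'Screen lock (InactivityTimeoutSecs)'
        Observed = $lock
        Pass = ($null -ne $lock -and $lock -gt 0 -and $lock -le $MaxLockSeconds)
    }

    # Step 4: "All Removable Storage classes: Deny all access" or "Removable Disks: Deny write access".
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll   = Get-PolicyValue $rsd 'Deny_All'
    $denyWrite = Get-PolicyValue "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" 'Deny_Write'
    $checks += [pscustomobject]@{
        Step = 4; Control = 'Removable storage (Deny_All / Deny_Write)'
        Observed = "Deny_All=$denyAll Deny_Write=$denyWrite"
        Pass = ($denyAll -eq 1 -or $denyWrite -eq 1)
    }

    # Step 5: anyone in the local Administrators group who is not on the approved list fails the check.
    $members    = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $unexpected = @($members | Where-Object { $_ -notin $ApprovedAdmins })
    $checks += [pscustomobject]@{
        Step = 5; Control = 'Local Administrators membership'
        Observed = ($members -join '; ')
        Pass = ($unexpected.Count -eq 0)
    }

    # Step 6: ExtensionInstallBlocklist must contain "*"; the allowlist is then the only way in.
    $blocklist = Get-PolicyValueList "$ExtensionPolicyRoot\ExtensionInstallBlocklist"
    $allowlist = Get-PolicyValueList "$ExtensionPolicyRoot\ExtensionInstallAllowlist"
    $checks += [pscustomobject]@{
        Step = 6; Control = 'Browser extensions (blocklist * / allowlist)'
        Observed = "Blocklist=[$($blocklist -join ',')] Allowlist=[$($allowlist -join ',')]"
        Pass = ($blocklist -contains '*')
    }
    $checks
}

# Run it, show the result, and keep a timestamped CSV as the audit artefact.
$evidence = Test-AupEndpointEvidence
$evidence | Format-Table Step, Control, Pass, Observed -AutoSize
$evidence | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-aup-evidence-$(Get-Date -Format yyyyMMdd).csv"
```

The point of reading the Policies hives rather than the user-facing settings is that those keys can only be written by a policy source, so a pass here means the control is enforced, not merely present. Run it from your endpoint management tool across the fleet and keep the CSVs; a folder of dated per-host results is exactly the kind of evidence the checklist's minimum requirements describe.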

7. Define Generative AI & LLM Usage Boundaries

Control Requirement: Address modern risks associated with information processing.

Required Implementation Step: Update the AUP to explicitly address AI. If you allow ChatGPT/Copilot, mandate that “Data Training” is turned off or use the Enterprise version. If you ban it, block the domains (e.g., openai.com, anthropic.com) at your web gateway or firewall, and use the gateway's generative-AI category where it offers one, because a hand-maintained domain list falls behind as new services appear.

Minimum Requirement: A specific clause in the AUP titled “Artificial Intelligence and Machine Learning usage”.

8. Implement a ‘Clear Desk and Clear Screen’ Policy

Control Requirement: Paper and removable media must be secured when not in use.

Required Implementation Step: Walk through the office at 17:30. Physically remove and lock away any confidential documents left on desks. Leave a “Security Notice” card on the desk of the offender. For remote workers, mandate a video-call background or a dedicated workspace requirement in the AUP.

Minimum Requirement: A log of “Clear Desk Audits” performed quarterly.

9. Monitor for Shadow IT and Unacceptable SaaS

Control Requirement: Monitoring of acceptable use compliance.

Required Implementation Step: Configure your CASB (Cloud Access Security Broker) or a simple DNS filter (e.g., Cloudflare Gateway) to flag visits to file-sharing sites (WeTransfer, Mega.nz) or unauthorized collaboration tools. Generate a weekly report of “Blocked Attempts” to identify users repeatedly trying to bypass the policy.

Minimum Requirement: A weekly report showing top blocked domains categorized by “File Sharing” or “Anonymizers”.
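The weekly report does not need a vendor dashboard; the gateway's CSV export and a few lines of PowerShell are enough. The script below is an added example, not part of the original page or the author's toolkit. It takes a constructed sample of DNS gateway log lines (the column names timestamp, user, domain, category and action are an assumption; map them to your own export), keeps only blocked requests from the last seven days in the categories you care about, and produces the two views the checklist asks for: top blocked domains per category, and the users who keep hitting the block. A “Generative AI” category is included alongside “File Sharing” and “Anonymizers” so the same report covers the AI ban from step 7; the follow-up threshold of three blocks per user per week is an assumption.

```powershell
# Added example (not from the original page): weekly "blocked attempts" report
# built from gateway DNS logs. The sample log below is constructed, and its
# column names (timestamp,user,domain,category,action) are an assumption;
# map them to your gateway's CSV export (Cloudflare Gateway, Umbrella, ...).

$sampleLog = @'
timestamp,user,domain,category,action
2024-05-06T09:12:01Z,alice,wetransfer.com,File Sharing,block
2024-05-06T09:13:40Z,alice,wetransfer.com,File Sharing,block
2024-05-07T14:02:11Z,bob,mega.nz,File Sharing,block
2024-05-07T14:05:59Z,bob,proxysite.example,Anonymizers,block
2024-05-08T10:30:00Z,carol,chat.openai.com,Generative AI,block
2024-05-08T10:31:15Z,alice,chat.openai.com,Generative AI,block
2024-05-09T16:45:30Z,dave,sharepoint.com,Business,allow
2024-04-20T11:00:00Z,erin,mega.nz,File Sharing,block
'@

function Get-BlockedDomainReport {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [datetimeoffset] $ReferenceDate = [datetimeoffset]::UtcNow,
        [string[]] $Categories = @('File Sharing', 'Anonymizers', 'Generative AI'),
        [int] $Top = 10,
        [int] $FollowUpThreshold = 3   # assumption: 3+ blocks in a week triggers a step 10 conversation
    )
    $since = $ReferenceDate.AddDays(-7)

    # Only blocked requests, only policy-relevant categories, only the last seven days.
    $hits = @($Events | Where-Object {
        $_.action -eq 'block' -and
        $_.category -in $Categories -and
        [datetimeoffset]::Parse($_.timestamp, [cultureinfo]::InvariantCulture) -ge $since
    })

    # View 1: top blocked domains, with the category and the users behind them.
    $byDomain = $hits | Group-Object -Property domain, category |
        Sort-Object Count -Descending | Select-Object -First $Top | ForEach-Object {
            [pscustomobject]@{
                Domain   = $_.Group[0].domain
                Category = $_.Group[0].category
                Blocked  = $_.Count
                Users    = ($_.Group.user | Sort-Object -Unique) -join ', '
            }
        }

    # View 2: repeat offenders, flagged when they cross the follow-up threshold.
    $byUser = $hits | Group-Object -Property user | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Blocked  = $_.Count
            Domains  = ($_.Group.domain | Sort-Object -Unique) -join ', '
            FollowUp = ($_.Count -ge $FollowUpThreshold)
        }
    }

    [pscustomobject]@{ Since = $since; Until = $ReferenceDate; TopDomains = $byDomain; RepeatUsers = $byUser }
}

# Fixed reference date so the constructed sample gives a repeatable result.
$events = $sampleLog | ConvertFrom-Csv
$ref    = [datetimeoffset]::Parse('2024-05-10T18:00:00Z', [cultureinfo]::InvariantCulture)
$report = Get-BlockedDomainReport -Events $events -ReferenceDate $ref

"Blocked attempts $($report.Since.ToString('u')) to $($report.Until.ToString('u'))"
$report.TopDomains  | Format-Table -AutoSize
$report.RepeatUsers | Format-Table -AutoSize
```

With the sample data the allowed SharePoint request and the month-old mega.nz hit drop out, wetransfer.com and chat.openai.com top the domain view with two blocks each, and alice is flagged for follow-up with three blocks across two categories. Schedule the script against the real export and file the two tables each week; that is the artefact the minimum requirement describes, and the FollowUp column is what feeds the disciplinary process in step 10.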

10. Establish Disciplinary Procedures for Violations

Control Requirement: Consequences for violations must be clear.

Required Implementation Step: Work with Legal/HR to define a 3-strike process: 1. Verbal Warning, 2. Written Warning, 3. Termination. Define which violations (for example, deliberate exfiltration of customer data) count as gross misconduct and skip the warning stages. Document this in the Employee Handbook. Without a defined penalty, the AUP is merely a suggestion, not a control.

Minimum Requirement: A documented disciplinary process explicitly linked to Information Security Policy violations.

ISO 27001 Annex A 5.10 SaaS / GRC Platform Implementation Failure Checklist

Why GRC Platforms Fail ISO 27001 Annex A 5.10

Each entry below gives the control requirement, the ‘Checkbox Compliance’ trap a GRC platform tempts you into, and the reality check.

Policy Acceptance
Trap: Employees click “I Read This” in a GRC portal popup.
Reality check: Clicking a button is rarely legally defensible in court for gross misconduct. You need a digitally signed PDF or a wet signature stored in the HR personnel file.

Screen Locking
Trap: The GRC tool asks “Do you lock your screen?” (self-attestation).
Reality check: Users lie or forget. Compliance is achieved only when the registry key or MDM profile forces the lock. If the user can disable it, you are not compliant.

Shadow IT
Trap: A survey asking users “What software do you use?”
Reality check: Users won’t admit to using pirated software or unauthorized SaaS. You need DNS logs and strict local admin removal to stop Shadow IT, not a survey.

Generative AI
Trap: Generic policy templates provided by the tool (often outdated).
Reality check: Old templates don’t mention ChatGPT. If an employee pastes source code into a public LLM, your generic policy won’t save you. You need specific clauses.

Removable Media
Trap: A policy line saying “Do not use USBs”.
Reality check: If the USB port works, someone will use it. Compliance requires technically disabling the port via Endpoint Protection, not just writing a rule about it.

Clear Desk
Trap: An annual email reminder to “keep desks tidy”.
Reality check: Physical security requires physical checks. If you don’t walk the floor and confiscate papers, the policy is ignored. GRC tools cannot see your desks.

Evidence
Trap: A generic green “100% Compliant” badge on the dashboard.
Reality check: An auditor wants to see the specific GPO config export and the disciplinary log for violations. A green badge proves nothing about actual security posture.

About the author

Stuart Barker
ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
