In this ultimate how-to-implement guide to ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Acceptable Use Implementation Checklist
- 1. Draft a Specific Acceptable Use Policy (AUP)
- 2. Integrate AUP Acceptance into Employment Contracts
- 3. Enforce Screen Locking via Group Policy/MDM
- 4. Block Removable Media (USB) Access
- 5. Restrict Local Administrative Privileges
- 6. Regulate Browser Extensions and Plugins
- 7. Define Generative AI & LLM Usage Boundaries
- 8. Implement a ‘Clear Desk and Clear Screen’ Policy
- 9. Monitor for Shadow IT and Unacceptable SaaS
- 10. Establish Disciplinary Procedures for Violations
- ISO 27001 Annex A 5.10 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 5.10 means establishing clear behavioural boundaries for information security, so that employees understand their responsibilities when using organisational assets. It requires a legally binding Acceptable Use Policy (AUP) enforced by technical controls, such as screen locks, USB blocking, and web filtering, to prevent data exfiltration and unauthorised system access.
ISO 27001 Acceptable Use Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.10. Compliance with this control requires strictly defined boundaries of behaviour enforced by technical controls and binding HR contracts, not just a passive “I Agree” button in a compliance portal.
1. Draft a Specific Acceptable Use Policy (AUP)
Control Requirement: Rules for the acceptable use of information and associated assets must be identified and documented.
Required Implementation Step: Open your word processor and draft a policy that explicitly lists forbidden actions relevant to your tech stack. Do not use a generic template. Explicitly ban specific activities: “Crypto-mining on company servers,” “Pasting customer PII into public LLMs (e.g., ChatGPT),” and “Storing corporate data on personal Google Drives.”
Minimum Requirement: A policy document (PDF) containing a specific section on “Prohibited Activities” customised to your business operations.
2. Integrate AUP Acceptance into Employment Contracts
Control Requirement: Users must acknowledge and agree to the rules of acceptable use.
Required Implementation Step: Work with your HR Director to make the AUP a mandatory annex to the employment contract. Require a wet signature or a legally binding electronic signature (e.g., DocuSign) before the employee receives their laptop. A tick-box in a GRC dashboard is often insufficient for legal enforcement during disciplinary action.
Minimum Requirement: A signed contract on file for every active employee referencing the latest AUP version.
3. Enforce Screen Locking via Group Policy/MDM
Control Requirement: Procedures for the protection of assets must be implemented.
Required Implementation Step: Do not rely on politeness. Configure your Mobile Device Management (MDM) or Active Directory Group Policy Object (GPO) to force a screen lock after 5 minutes of inactivity. Apply this universally to Windows, macOS, and mobile devices accessing corporate data.
Minimum Requirement: Screenshot of the GPO or MDM configuration showing “MaxInactivityTimeDeviceLock” set to 300 seconds or less.
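Beyond a screenshot, auditors appreciate repeatable evidence. The following is an added example (not part of the original guide or the toolkit): a PowerShell audit script that reads the registry values written by the two Group Policy settings that enforce a lock on Windows (the machine inactivity limit and a password-protected screen saver) and reports whether the effective timeout is 300 seconds or less. The registry paths are the standard policy locations; the $MaxSeconds threshold and the Test-ScreenLockCompliance function are this example's own names.

```powershell
# Added example (not from the original guide): audit the screen-lock settings that
# Group Policy writes to the registry and report whether they meet the 300-second
# threshold from the checklist. Run on the managed Windows endpoint. The registry
# paths are the standard policy locations; the $MaxSeconds threshold and the
# output shape are this example's own choices.

$MaxSeconds = 300

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy key or value has not been applied.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ScreenLockCompliance {
    param([int]$Threshold = $MaxSeconds)

    # "Interactive logon: Machine inactivity limit" (Computer Configuration) locks
    # the session after N seconds of inactivity, independent of the screen saver.
    $machineLimit = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    # Screen-saver policies (User Configuration > Control Panel > Personalization).
    # These are stored as strings, hence the [int] casts below.
    $desktop   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive  = Get-PolicyValue $desktop 'ScreenSaveActive'
    $ssSecure  = Get-PolicyValue $desktop 'ScreenSaverIsSecure'
    $ssTimeout = Get-PolicyValue $desktop 'ScreenSaveTimeOut'

    # Either mechanism satisfies the requirement, but only if the timeout is
    # actually enforced (non-null, non-zero), within the threshold and, for the
    # screen saver, password-protected on resume.
    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) -and ([int]$machineLimit -le $Threshold)
    $saverOk   = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
                 ($null -ne $ssTimeout) -and ([int]$ssTimeout -gt 0) -and ([int]$ssTimeout -le $Threshold)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        Checked                 = (Get-Date).ToString('s')
        MachineInactivitySecs   = $machineLimit
        ScreenSaverTimeoutSecs  = $ssTimeout
        ScreenSaverPasswordLock = ($ssSecure -eq '1')
        Compliant               = ($machineOk -or $saverOk)
    }
}

# Emit the result as the audit record; pipe to Export-Csv to retain it as evidence.
Test-ScreenLockCompliance | Format-List
```

A device that reports Compliant = False with both timeouts null has no policy applied at all, which is the gap a screenshot of the GPO editor alone will not reveal.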