ISO 27001 Acceptable Use of Information and Other Associated Assets | Annex A 5.10 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets

ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets is a security control that dictates how employees handle company resources. The primary implementation requirement is enforcing a formal, acknowledged Acceptable Use Policy, yielding the business benefit of reduced insider risk, clear disciplinary grounds, and assured compliance.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.10 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets

ISO 27001 Annex A 5.10 requires organizations to define and communicate rules for the acceptable use of information and assets (such as laptops, email, and cloud services). This is a foundational “preventive” control that bridges the gap between technical security and human behavior. The goal is to ensure that every employee, contractor, and third-party user knows exactly what they can and cannot do with company resources, reducing the risk of accidental data leaks, legal liability, and system abuse.

Core requirements for compliance include:

  • Formal AUP Implementation: You must have a documented Acceptable Use Policy (AUP) that is approved by management and explicitly acknowledged by all users.
  • Full Lifecycle Handling: Acceptable use applies from the moment an asset is assigned until it is returned or destroyed. This includes rules for data classification, secure storage, and correct disposal.
  • Cloud & Personal Devices: The rules must extend to assets not owned by the company, such as Cloud Services (SaaS) and BYOD (Bring Your Own Device), if they are used to process company information.
  • Monitoring Disclosure: The policy must clearly state what monitoring the organization performs (e.g., email screening or web filtering) to ensure transparency and legal compliance.
  • Behavioral Expectations: You must define “prohibited behaviors,” such as installing pirated software, sharing passwords, or visiting high-risk websites (gambling, dark web).

Audit Focus: Auditors will look for “The Acceptance Gap”:

  1. Acknowledgement Proof: “Show me the signed AUP for your three most recent hires. Did they sign it before they were given their laptops?”
  2. Staff Knowledge: They may interview a random employee and ask: “Are you allowed to install your own software on this machine? How do you know?”
  3. Disciplinary Link: Auditors will check if the AUP is linked to your formal Disciplinary Process (A.6.4) to ensure the rules have “teeth.”

AUP Do’s and Don’ts Matrix (Audit Prep):

Category | Acceptable Use (Do) | Prohibited Use (Don’t) | ISO 27001:2022 Control
Internet | Work research; light personal banking. | Gambling, adult content, or dark web. | Annex A 5.10 / 8.23
Email | Professional comms; light personal use. | Chain letters, harassment, or phishing. | Annex A 5.10 / 8.22
Hardware | Official tasks; charging personal phone. | Mining crypto or installing pirated tools. | Annex A 5.10 / 8.9
Social Media | Professional networking (LinkedIn). | Posting confidential company data or code. | Annex A 5.10 / 5.14

What is ISO 27001 Annex A 5.10?

ISO 27001 Annex A 5.10 is about acceptable use: people need to be told what is and what is not acceptable, so that organisation assets are properly used, handled and protected.

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets is an ISO 27001 control that requires an organisation to implement rules and procedures for the acceptable use of information and other assets.

ISO 27001 Annex A 5.10 Purpose

ISO 27001 Annex A 5.10 is a preventive control. Its purpose is to ensure that information and other associated assets are appropriately protected, used and handled.

ISO 27001 Annex A 5.10 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.10 as:

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets

Watch the ISO 27001 Annex A 5.10 Tutorial

In the video ISO 27001 Annex A 5.10 Acceptable Use Of Information And Associated Assets Explained, I show you how to implement the control and how to pass the audit.

ISO 27001 Annex A 5.10 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.10 Implementation Guidance

To implement ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets you are going to have to ensure that

  • Personnel, contractors and third party users are made aware of the information security requirements for protecting and handling assets and information
  • People are responsible for their use of company assets
  • There is a topic specific policy on acceptable use
  • Acceptable use procedures are documented, communicated and in place

What should an acceptable use policy cover?

The Acceptable Use Policy should cover the following topics

  • Expected behaviour for information security
  • Unacceptable behaviour for information security
  • What monitoring the organisation is doing

What acceptable use processes do I need?

You are going to need acceptable use processes that cover the full information lifecycle, based on the information’s classification and the identified risks. In practice this means you will consider

  • Access restrictions that are based on classification
  • Having a record of authorised users of information and systems
  • Protecting information that has been copied to the same level as the original
  • Following the manufacturer’s specifications when storing information
  • Marking storage media for the attention of the recipient
  • Processes for disposing of information and other assets, including deletion methods and authorisation

Acceptable Use and Cloud Services

So what about assets that do not belong to the organisation, cloud based assets for example? You need to identify those as well and record them as applicable and controlled. You are going to ensure that agreements are in place and that those agreements provide the required controls.

How to implement ISO 27001 Annex A 5.10

Implementing ISO 27001 Annex A 5.10 is about more than just a policy document; it is about ensuring every user understands their responsibilities when handling organisational assets. By following this 10-step implementation framework, you will create a culture of accountability and significantly reduce the risk of accidental data breaches or malicious insiders. As a Lead Auditor, I look for clear evidence that these rules are communicated, enforced, and technically supported across the entire information estate.

1. Formalise the Acceptable Use Policy (AUP)

  • Draft a comprehensive Acceptable Use Policy that defines permitted and prohibited activities for all information assets.
  • Ensure the policy covers hardware, software, network resources, and cloud-based services.
  • Result: A legally sound and clear set of expectations that forms the foundation of your asset security governance.

2. Define Asset Classifications and Handling Rules

  • Link the AUP to your Information Classification Policy to specify how “Confidential” or “Restricted” assets must be used.
  • Identify specific restrictions for mobile devices, removable media, and personal equipment (BYOD).
  • Result: Context-specific rules that protect assets based on their sensitivity and value to the organisation.

3. Map Rules to the Centralised Asset Register

  • Cross-reference acceptable use requirements with individual entries in your Asset Register.
  • Ensure that every asset category identified in Annex A 5.9 has a corresponding set of usage rules.
  • Result: A structured approach ensuring no technical or information asset is left without oversight.

4. Provision Identity and Access Management (IAM) Roles

  • Configure IAM roles to enforce acceptable use by restricting access to only those assets required for a specific job function.
  • Utilise the principle of least privilege to ensure users cannot access prohibited resources.
  • Result: Technical enforcement of policy by preventing unauthorised asset interactions at the infrastructure level.

5. Enforce Multi-Factor Authentication (MFA) for Asset Access

  • Mandate MFA for all users accessing critical business systems or sensitive data repositories.
  • Integrate MFA prompts into the login workflow for remote access and administrative accounts.
  • Result: Verification of user identity before allowing asset use, mitigating the risk of credential theft.

6. Implement Technical Controls and Monitoring

  • Deploy Endpoint Detection and Response (EDR) or Data Loss Prevention (DLP) tools to monitor for policy violations.
  • Configure web filters and application whitelisting to prevent the use of unauthorised software or sites.
  • Result: Real-time visibility into asset usage and automated prevention of high-risk activities.

7. Execute Formal Policy Acknowledgment

  • Require all employees, contractors, and third-party users to sign the AUP during onboarding.
  • Maintain a digital audit trail of acknowledgments within your HR system or GRC tool.
  • Result: Defensible evidence of user commitment to follow security rules, essential for HR disciplinary processes.

8. Deliver Role-Based Security Awareness Training

  • Conduct regular training sessions that explain the practical application of acceptable use in daily tasks.
  • Use real-world examples of security risks, such as phishing or shadow IT, to illustrate the importance of compliance.
  • Result: A well-informed workforce that understands why rules exist and how to protect assets effectively.

9. Establish Procedures for the Return of Assets (ROE)

  • Update the Record of Equipment (ROE) documents to include specific return protocols during offboarding.
  • Verify that all hardware, software licenses, and access tokens are recovered when a user’s contract ends.
  • Result: Prevention of “asset sprawl” and ensuring that former users no longer have physical or logical access.

10. Audit Asset Usage and Policy Compliance

  • Schedule periodic audits of system logs and access reports to verify that assets are being used as intended.
  • Review policy effectiveness annually or following significant changes to the technical environment.
  • Result: Continuous improvement of security posture and readiness for formal ISO 27001 certification audits.

ISO 27001 Annex A 5.10 Implementation Checklist

The ISO 27001 Annex A 5.10 implementation checklist provides a roadmap for establishing clear behavioural expectations regarding organisational assets. By aligning policy with technical enforcement, such as IAM and MFA, organisations can significantly reduce the risk of insider threats and accidental data exposure.

ISO 27001 Annex A 5.10 Implementation Checklist

Step | Requirement | Implementation Example
1 | Draft Acceptable Use Policy (AUP) | Creating a formal document defining permitted and prohibited actions for all information assets.
2 | Define Asset Handling Rules | Specifying that “Confidential” data must never be stored on unencrypted removable media.
3 | Establish BYOD Requirements | Defining security minimums (e.g., biometric locks, remote wipe) for personal devices used for business.
4 | Formalise Policy Acknowledgment | Requiring all new starters to sign the AUP during the induction process via an HR portal.
5 | Map to IAM Roles | Provisioning access based on “least privilege” so users only interact with assets required for their role.
6 | Deploy Monitoring Tools | Implementing Endpoint Detection and Response (EDR) to flag unauthorised software installations.
7 | Deliver Awareness Training | Running annual workshops on phishing, shadow IT, and the consequences of policy breaches.
8 | Implement Data Loss Prevention (DLP) | Configuring technical blocks to prevent the uploading of sensitive files to unauthorised cloud storage.
9 | Link to Disciplinary Process | Updating the Employee Handbook to confirm that AUP violations result in formal disciplinary action.
10 | Conduct Usage Audits | Reviewing system logs and access reports quarterly to ensure assets are used according to policy.

How to audit ISO 27001 Annex A 5.10

Auditing Annex A 5.10 requires a shift from simply checking for a policy to verifying that the rules for acceptable use are actually embedded within the organisation’s daily operations. As a Lead Auditor, I look for evidence that users are not just aware of the rules, but are technically restricted from breaking them. Use the following 10-step framework to conduct a robust audit of your acceptable use controls, ensuring they meet the high standards required for ISO 27001 certification.

1. Validate the Acceptable Use Policy (AUP) Approval

  • Review the formal Acceptable Use Policy to ensure it has been approved by senior management within the last 12 months.
  • Confirm the policy explicitly covers all asset types, including cloud services, personal devices, and proprietary information.
  • Result: Confirmation that the organisation has a legally defensible and management-backed set of usage rules.

2. Audit Policy Communication and Acknowledgment

  • Sample employee records to verify that a signed or digital acknowledgment of the AUP is on file for every user.
  • Check that third-party contractors and temporary staff have also formalised their commitment to these rules.
  • Result: Assurance that all individuals with access to assets have been legally notified of their responsibilities.
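The “Acceptance Gap” check above (the signed AUP for the most recent hires, signed before the laptop was issued) is a reconciliation of three records: the HR user list, the acknowledgment log from the HR or GRC tool, and the asset-issue log from the asset register. The following is an added example of that reconciliation in Python; it is not code from the article or from High Table, and the record layouts, user names, dates and AUP version numbers are constructed for illustration. It reports three gaps: no acknowledgment on file, an acknowledgment of a superseded AUP version, and an acknowledgment signed only after the first asset was issued.

```python
from datetime import date

# Constructed sample records for the check (not real data and not from the
# article): the HR user list, the AUP acknowledgment log exported from the
# HR/GRC tool, and the asset-issue log from the asset register.
CURRENT_AUP_VERSION = "2.1"

USERS = [
    {"user": "alice", "type": "employee",    "start": date(2024, 3, 4)},
    {"user": "bob",   "type": "contractor",  "start": date(2024, 5, 20)},
    {"user": "carol", "type": "employee",    "start": date(2024, 6, 10)},
    {"user": "dave",  "type": "third-party", "start": date(2024, 7, 1)},
]

ACKNOWLEDGMENTS = [
    {"user": "alice", "version": "2.1", "signed": date(2024, 3, 4)},
    {"user": "bob",   "version": "2.0", "signed": date(2024, 5, 20)},  # superseded version
    {"user": "carol", "version": "2.1", "signed": date(2024, 6, 17)},  # a week after her laptop
    # dave has no acknowledgment on file at all
]

ASSET_ISSUES = [
    {"user": "alice", "asset": "LT-0101", "issued": date(2024, 3, 4)},
    {"user": "bob",   "asset": "LT-0102", "issued": date(2024, 5, 20)},
    {"user": "carol", "asset": "LT-0103", "issued": date(2024, 6, 10)},
    {"user": "dave",  "asset": "LT-0104", "issued": date(2024, 7, 1)},
]


def latest_ack(user, acks):
    """Return the most recent acknowledgment on file for `user`, or None."""
    mine = [a for a in acks if a["user"] == user]
    return max(mine, key=lambda a: a["signed"]) if mine else None


def find_acceptance_gaps(users, acks, issues, current_version=CURRENT_AUP_VERSION):
    """Reconcile the three records and return (user, finding, detail) tuples.

    Findings: "no-acknowledgment" (detail None), "superseded-version" (detail is
    the version signed) and "signed-after-asset-issue" (detail is the number of
    days the user held an asset before signing).
    """
    findings = []
    for u in users:
        ack = latest_ack(u["user"], acks)
        if ack is None:
            findings.append((u["user"], "no-acknowledgment", None))
            continue
        if ack["version"] != current_version:
            findings.append((u["user"], "superseded-version", ack["version"]))
        first_issue = min(
            (i["issued"] for i in issues if i["user"] == u["user"]), default=None
        )
        if first_issue is not None and ack["signed"] > first_issue:
            days_late = (ack["signed"] - first_issue).days
            findings.append((u["user"], "signed-after-asset-issue", days_late))
    return findings


def most_recent_hires(users, n=3):
    """The n most recent starters, newest first: the auditor's usual sample."""
    return sorted(users, key=lambda u: u["start"], reverse=True)[:n]


def audit_recent_hires(n=3):
    """Run the gap check over the n most recent hires in the sample data."""
    return find_acceptance_gaps(most_recent_hires(USERS, n), ACKNOWLEDGMENTS, ASSET_ISSUES)


if __name__ == "__main__":
    for user, finding, detail in audit_recent_hires(3):
        print(f"{user:8} {finding:26} {detail if detail is not None else ''}")
```

Running the same check over every user, not just the last three hires, is the population-level evidence for item 3 of the audit checklist; keeping the output alongside the signed records shows the auditor that the gap is measured rather than assumed.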

3. Inspect Training Records and Competence

  • Examine security awareness training logs to ensure that acceptable use is a core component of the curriculum.
  • Verify that training is conducted during onboarding and refreshed at least annually.
  • Result: Evidence that the organisation has taken proactive steps to educate the workforce on safe asset handling.

4. Cross-Reference AUP with the Asset Register

  • Verify that the rules defined in the AUP align with the categories listed in the centralised Asset Register.
  • Ensure that high-value assets identified in Annex A 5.9 have specific, stricter usage requirements.
  • Result: Structural alignment between what the organisation owns and how it dictates those items should be used.

5. Review Technical Enforcement of Access (IAM)

  • Sample Identity and Access Management (IAM) roles to ensure that permissions are restricted based on the AUP.
  • Verify that “prohibited activities,” such as unauthorised software installation, are blocked at the system level.
  • Result: Proof that the organisation does not rely solely on “good faith” but uses technical barriers to prevent misuse.

6. Verify MFA and Secure Authentication Logs

  • Audit system logs to confirm that Multi-Factor Authentication (MFA) is active for all remote and administrative access.
  • Check for “failed login” alerts that might indicate a breach of acceptable use or external tampering.
  • Result: Validation that asset access is restricted to verified identities in accordance with the security policy.

7. Audit the Record of Equipment (ROE) and Returns

  • Review the Record of Equipment (ROE) to ensure that assets are tracked to specific users.
  • Sample recent leavers to verify that all physical and logical assets were returned or revoked promptly.
  • Result: Confirmation that the organisation maintains control over its assets throughout the entire employment lifecycle.

8. Inspect Endpoint Monitoring and DLP Alerts

  • Review reports from Endpoint Detection and Response (EDR) or Data Loss Prevention (DLP) tools.
  • Look for evidence that policy violations, such as unauthorised data transfers, are flagged and investigated.
  • Result: Evidence of active monitoring and a functional response to breaches of acceptable use rules.
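The evidence asked for here, and in implementation steps 6 and 10, is that violations of the Do’s and Don’ts matrix are actually detected in the logs. The following is an added example, not code from the article or from any EDR, DLP or web-filter product, of the kind of detection logic a reviewer can run over exported events: it parses constructed key=value log lines from a web filter and an endpoint agent (the line format, host names, user names, the approved-storage allow-list and the upload threshold are all assumptions) and raises an alert for a prohibited web category, an unapproved software install, and a bulk upload to unapproved cloud storage, while leaving permitted personal use (lunch-time banking) and approved uploads alone.

```python
# Constructed sample log lines (not real traffic): key=value events from a web
# filter ("proxy") and an endpoint agent ("endpoint"). The format is assumed.
SAMPLE_LOG = """\
2024-06-12T09:14:02Z proxy user=alice dst=intranet.example.com category=business action=allow bytes_out=2048
2024-06-12T12:31:55Z proxy user=bob dst=bets.example.net category=gambling action=allow bytes_out=4096
2024-06-12T12:35:10Z proxy user=erin dst=bank.example.org category=banking action=allow bytes_out=8192
2024-06-12T13:02:10Z endpoint user=carol event=software_install package=torrent-client approved=no
2024-06-12T13:05:44Z endpoint user=alice event=software_install package=office-suite approved=yes
2024-06-12T14:20:41Z proxy user=dave dst=drive.personal-cloud.example category=file-sharing action=allow bytes_out=524288000
2024-06-12T15:02:13Z proxy user=alice dst=files.corp.example category=file-sharing action=allow bytes_out=734003200
"""

# Rules taken from the article's Do's and Don'ts matrix; the allow-list of
# approved storage and the upload threshold are assumptions for this example.
PROHIBITED_WEB_CATEGORIES = {"gambling", "adult", "dark-web"}
APPROVED_CLOUD_STORAGE = {"files.corp.example"}
UPLOAD_ALERT_BYTES = 100 * 1024 * 1024  # 100 MiB sent to an unapproved store


def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    fields["source"] = source
    return fields


def evaluate(event):
    """Return the (user, rule, detail) alerts raised by one parsed event."""
    alerts = []
    user = event.get("user", "?")
    if event["source"] == "proxy":
        # Don't: gambling, adult content, dark web. Permitted categories such
        # as "banking" never match, so lunch-time personal use is not flagged.
        if event.get("category") in PROHIBITED_WEB_CATEGORIES:
            alerts.append((user, "prohibited-web-category",
                           f"{event['dst']} [{event['category']}] action={event['action']}"))
        # DLP-style rule: a large upload to file-sharing that is not on the
        # approved list is reported for investigation.
        if (event.get("category") == "file-sharing"
                and event.get("dst") not in APPROVED_CLOUD_STORAGE
                and int(event.get("bytes_out", 0)) >= UPLOAD_ALERT_BYTES):
            mib = int(event["bytes_out"]) // (1024 * 1024)
            alerts.append((user, "bulk-upload-to-unapproved-storage",
                           f"{event['dst']} ({mib} MiB)"))
    elif event["source"] == "endpoint":
        # Don't: installing software that has not been through approval.
        if event.get("event") == "software_install" and event.get("approved") != "yes":
            alerts.append((user, "unapproved-software-install", event["package"]))
    return alerts


def scan(log_text):
    """Parse every non-empty line and collect the alerts it raises."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in scan(SAMPLE_LOG):
        print(f"{user:8} {rule:36} {detail}")
```

Each alert carries the user, the matrix rule it breaches and the evidence, which is exactly what the disciplinary link in item 10 of the audit checklist needs: a recorded breach that can be traced to a specific AUP rule the user acknowledged.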

9. Evaluate Disciplinary Process Integration

  • Confirm that the AUP is explicitly linked to the organisation’s formal disciplinary procedure.
  • Review (anonymised) records of any policy breaches to see if the disciplinary process was followed correctly.
  • Result: Verification that there are real-world consequences for ignoring information security requirements.

10. Audit Periodic Review and Compliance Reporting

  • Examine management review meeting minutes for evidence that AUP compliance is reported and discussed.
  • Check that the policy is updated in response to new technical risks or changes in the threat landscape.
  • Result: Demonstration of a “Plan-Do-Check-Act” approach to asset management and user accountability.

ISO 27001 Annex A 5.10 Audit Checklist

This ISO 27001 Annex A 5.10 Audit Checklist is designed to provide a rigorous verification process for auditors assessing acceptable use controls. It ensures that behavioural expectations are not only documented in policy but are actively monitored and technically restricted across the information security management system.

ISO 27001 Annex A 5.10 Audit Checklist and Evidence Requirements

Item | What to Check | Audit Evidence Example | GRC Platform Check
1 | Policy Approval and Scope | Review the formal Acceptable Use Policy (AUP) for management approval and asset coverage. | Policy module: Review date and approval status.
2 | Policy Communication | Verify that all employees and contractors have been notified of the latest AUP version. | Internal communications log or policy portal notification.
3 | Signed Acknowledgments | Sample user records for signed or digital acknowledgments of the usage rules. | HR or Compliance module: Signed AUP records.
4 | Security Training Alignment | Confirm that onboarding training includes specific acceptable use scenarios and risks. | Training module: Course content and completion logs.
5 | BYOD and Remote Access | Verify that specific rules for personal devices and remote asset access are defined and followed. | Asset Register: BYOD classification and remote access logs.
6 | Technical Restrictions | Check system configurations that block unauthorised software or access to prohibited sites. | Technical control validation: EDR/Web-filter configuration reports.
7 | IAM Role Enforcement | Sample IAM roles to ensure user permissions align with the “least privilege” principles of the AUP. | IAM module: Role-based access control (RBAC) report.
8 | Asset Return at Termination | Audit the offboarding process to ensure assets are recovered and access revoked immediately. | Leavers report vs. Asset Return logs.
9 | Compliance Monitoring | Review reports from DLP or monitoring tools for policy breach alerts and investigations. | Incident/Alert module: Acceptable use violation logs.
10 | Disciplinary Alignment | Confirm that the disciplinary process is active and has been triggered by recorded AUP breaches. | Disciplinary module: Link between policy breach and HR action.

Do’s and Don’ts Matrix

Category | Acceptable Use (Do) | Unacceptable Use (Don’t)
Internet | Research, banking (lunch break). | Gambling, adult content, dark web.
Email | Business comms, light personal use. | Chain letters, harassment, phishing.
Hardware | Work tasks, charging personal phone. | Installing pirated software, mining crypto.
Social Media | LinkedIn (professional). | Posting confidential company data.

ISO 27001 Acceptable Use Template

The ISO 27001 acceptable use policy template is pre-written and ready to go.

How to comply

To comply with ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Implement a topic specific Acceptable Use Policy
  • Implement Acceptable Use Procedures
  • Communicate and gain acceptance of the Acceptable Use Policy

How to pass the ISO 27001 Annex A 5.10 audit

To pass an audit of ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.

What will an audit check?

The audit is going to check a number of areas. Let’s go through the main ones.

1. That you have an Acceptable Use Policy

What this means is that you need to show that you have an acceptable use policy in place, that it has been approved and signed off.

2. That your Acceptable Use Policy has been communicated and accepted

You need to communicate the Acceptable Use Policy to all staff and get them to accept it. There are many ways to record acceptance of policy from getting email confirmation, an actual signature or using a training tool to distribute and seek understanding and acceptance.

3. That you have covered the entire information lifecycle

Acceptable use covers the entire information lifecycle. It is unlikely that the acceptable use policy will cover everything that is required, and it would not make sense for it to do so. Rather, you will have a suite of complementary topic specific policies covering things such as logging and monitoring and access control.

Top 3 ISO 27001 Annex A 5.10 Mistakes People Make and How to Avoid Them

The top 3 Mistakes People Make For ISO 27001 Annex A 5.10 are

1. You haven’t got people to accept the policy

As well as having the policy you need to communicate it and get people to accept it. Often people think it is enough just to ‘have’ a policy. It is not.

2. You forgot the bits that were not obvious

Acceptable use is part of many of the policies you will have, because they all communicate to people what is expected of them. Having a complete set of policies that cover the entire information lifecycle is important. Consider access control, information destruction, handling, information transfer and more.

3. Your document and version control are wrong

Good practices include keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no stray comments.

Applicability of ISO 27001 Annex A 5.10 across different business models

Business Type | Applicability & Interpretation | Examples of Control
Small Businesses | Basic Asset Hygiene. Without complex firewalls, your “Human Firewall” is key. The Acceptable Use Policy (AUP) must simply state that work laptops are for work, not for torrenting movies or family gaming. | Prohibited Sites: A simple rule in the handbook banning gambling, adult content, and dark web access on company devices. • Incidental Use: Defining that “Light Personal Use” (e.g., checking personal email during lunch) is permitted, but running a side-hustle business on company IT is not.
Tech Startups | Shadow IT & Cloud Tools. The AUP must address the “Move Fast” culture. Developers cannot spin up personal AWS instances or sign up for random SaaS tools with corporate credit cards without approval. | Crypto Mining Ban: Explicitly prohibiting the use of high-powered dev laptops or cloud instances for cryptocurrency mining. • Shadow IT Rule: Mandating that no new SaaS tool (e.g., Trello, Notion) can be used for company data unless it has passed a basic security review.
AI Companies | GenAI & Data Ethics. The Acceptable Use Policy must catch up with modern tech. It is critical to forbid pasting proprietary code or PII into public AI models (like ChatGPT or Claude) that train on inputs. | Public AI Ban: A strict rule stating “Do not paste customer PII or confidential source code into public LLM interfaces.” • Ethical Scraping: Ensuring researchers only use web scrapers in accordance with the site’s robots.txt and terms of service, preventing legal liability.

Fast Track ISO 27001 Annex A 5.10 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.10 (Acceptable use of information and other associated assets), the requirement is to identify, document, and implement rules for the acceptable use of information and assets. This is about ensuring people know what is and isn’t allowed from email behaviour to social media posting.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
Standard Ownership | Rents access to your rules; if you cancel the subscription, your documented behavioral standards and signature history vanish. | Permanent Assets: Fully editable Word/Excel Acceptable Use Policies (AUP) that you own and host forever. | A localized “Acceptable Use Policy” defining specific rules for LinkedIn, AI tool usage, and personal device (BYOD) limits.
Cultural Utility | Attempts to “automate” behavior via generic modules that cannot define what “acceptable” looks like for your specific company culture. | Governance-First: Provides a “Do’s and Don’ts Matrix” to formalize your existing culture into an auditor-ready framework. | A completed “Employee Code of Conduct” sign-off sheet proving staff understand prohibited actions (e.g., crypto-mining).
Cost Efficiency | Charges a “Headcount Tax” based on the number of users who sign the AUP, creating perpetual overhead as you hire. | One-Off Fee: A single payment covers your AUP governance for 10 employees or 1,000+. | Allocating budget to actual security awareness training rather than monthly “policy acknowledgment” software fees.
Behavioral Freedom | Mandates rigid monitoring formats that often fail to align with creative startup environments or flexible remote-work models. | 100% Agnostic: Procedures adapt to your operating style, from strict traditional offices to rapid, remote-first teams. | The ability to evolve your social media and email standards without reconfiguring a rigid, third-party SaaS compliance module.

Summary: For Annex A 5.10, the auditor wants to see that you have a formal Acceptable Use Policy and proof that it has been communicated to and accepted by all staff. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

Annex A 5.10 Regulatory and Industry Standard Mapping Table

Framework / Law | Reference Clause | Mapping Context and Requirement
GDPR / UK Data (Use and Access) Act 2025 | Article 32 (Security of Processing) | Mandates that organisations implement measures to ensure users only process data according to instructions, enforced via Acceptable Use Policies.
NIS2 / UK Cyber Security and Resilience Bill | Article 21 (Risk Management) | Requires entities to have policies for “human resources security” and “asset management,” specifically defining how critical infrastructure assets are accessed and used.
DORA (Digital Operational Resilience Act) | Article 9 (Protection and Prevention) | Financial entities must define clear usage rules for ICT assets to prevent unauthorised access or data leakage that could impact operational resilience.
NIST CSF 2.0 | PR.AT-01, PR.AC-01 | Focuses on user awareness and training (Acceptable Use) and ensuring that identity-based access is restricted to authorised activities.
SOC2 (Trust Services Criteria) | CC6.1, CC6.3 | Requires the communication of usage requirements and the implementation of logical access controls to prevent unauthorised asset use.
EU AI Act | Article 15 (Cybersecurity) | Requires providers of high-risk AI systems to define acceptable use to prevent adversarial attacks or “jailbreaking” that violates safety parameters.
HIPAA Security Rule | 45 CFR § 164.308(a)(5) | Requires “Security Awareness and Training,” including specific protocols for how employees interact with and protect workstation assets containing ePHI.
CCPA / CPRA (California) | Section 1798.100 | Implicitly requires acceptable use rules to ensure personal data is not handled in ways that contradict the “purpose limitation” disclosed to consumers.
CIRCIA (USA) | Reporting Requirements | Requires reporting of significant incidents, many of which are triggered by a breach of acceptable use (e.g., unauthorised access or data exfiltration).
EU Product Liability Directive (PLD) | Cybersecurity Flaws | Extends liability to software providers, necessitating clear “acceptable use” documentation to define the limits of software application and provider liability.
ECCF (European Cybersecurity Cert. Framework) | Security Labelling | Standardised security labels require clear documentation on how a product or service is intended to be used securely by the end-user.

ISO 27001 Annex A 5.10 FAQ

What is ISO 27001 Annex A 5.10?

ISO 27001 Annex A 5.10 is an organisational control that requires rules for the acceptable use of information and other associated assets to be identified, documented, and implemented.

  • Defines how employees and contractors should interact with company hardware and software.
  • Protects the organisation from legal liability and reputational damage.
  • Ensures that assets are only used for their intended business purposes.
  • Establishes clear boundaries for personal use of corporate resources.

Is an Acceptable Use Policy (AUP) mandatory for ISO 27001?

Yes, a documented Acceptable Use Policy is considered a mandatory piece of evidence to satisfy the requirements of Annex A 5.10 during a certification audit.

  • Provides verifiable proof that users have been informed of their responsibilities.
  • Supports compliance with Clause 7.3 (Awareness) and Annex A 5.4 (Disciplinary process).
  • Sets the legal groundwork for monitoring and enforcement activities.
  • Acts as a primary reference for auditors to gauge the maturity of your ISMS.

What should be included in an ISO 27001 Acceptable Use Policy?

A comprehensive AUP must define permitted and prohibited behaviours regarding the use of organisational networks, devices, and data.

  • Rules for internet and email usage (e.g., prohibiting illegal content).
  • Guidelines for social media and external communications.
  • Restrictions on unauthorised software installation or hardware modification.
  • Requirements for password hygiene and screen locking.
  • Clear definitions of what constitutes “incidental” personal use.

Does Annex A 5.10 apply to remote workers and BYOD?

Yes, the control applies to any asset used to access organisational information, regardless of whether it is company-owned or a personal device.

  • Must define security requirements for accessing the corporate network via VPN.
  • Requires clear rules on data segregation between personal and business use.
  • Should mandate the use of anti-malware and encryption on personal devices (BYOD).
  • States the organisation’s right to wipe corporate data from personal hardware upon termination.

How often should the Acceptable Use Policy be reviewed?

Organisations should review their AUP at least annually or whenever significant technical or organisational changes occur.

  • Triggers for review include the adoption of new technologies like Generative AI.
  • Must be updated following a major security incident involving asset misuse.
  • Ensures alignment with changing legal, regulatory, or contractual requirements.
  • Helps maintain relevance as working patterns (like hybrid work) evolve.

What are the consequences of violating an AUP?

Violations of the AUP should trigger formalised disciplinary procedures as defined in your organisational HR policies and Annex A 5.4.

  • May result in the immediate revocation of access to corporate systems.
  • Can lead to formal warnings, suspension, or termination of employment.
  • Might involve legal action if the misuse involves data breaches or criminal activity.
  • Acts as a deterrent to other employees by demonstrating enforcement of security rules.

ISO 27001 Controls and Attribute Values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
Preventive | Confidentiality, Integrity, Availability | Protect | Asset management | Protection

About the author

Stuart Barker (ISO 27001 Ninja): MSc Security, Lead Auditor, 30+ years’ experience, ex-GE leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
