ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets


In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.10 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets

ISO 27001 Annex A 5.10 requires organizations to define and communicate rules for the acceptable use of information and assets (such as laptops, email, and cloud services). This is a foundational “preventive” control that bridges the gap between technical security and human behavior. The goal is to ensure that every employee, contractor, and third-party user knows exactly what they can and cannot do with company resources, reducing the risk of accidental data leaks, legal liability, and system abuse.

Core requirements for compliance include:

  • Formal AUP Implementation: You must have a documented Acceptable Use Policy (AUP) that is approved by management and explicitly acknowledged by all users.
  • Full Lifecycle Handling: Acceptable use applies from the moment an asset is assigned until it is returned or destroyed. This includes rules for data classification, secure storage, and correct disposal.
  • Cloud & Personal Devices: The rules must extend to assets not owned by the company, such as Cloud Services (SaaS) and BYOD (Bring Your Own Device), if they are used to process company information.
  • Monitoring Disclosure: The policy must clearly state what monitoring the organization performs (e.g., email screening or web filtering) to ensure transparency and legal compliance.
  • Behavioral Expectations: You must define “prohibited behaviors,” such as installing pirated software, sharing passwords, or visiting high-risk websites (gambling, dark web).

Audit Focus: Auditors will look for “The Acceptance Gap”:

  1. Acknowledgement Proof: “Show me the signed AUP for your three most recent hires. Did they sign it before they were given their laptops?”
  2. Staff Knowledge: They may interview a random employee and ask: “Are you allowed to install your own software on this machine? How do you know?”
  3. Disciplinary Link: Auditors will check if the AUP is linked to your formal Disciplinary Process (A.6.4) to ensure the rules have “teeth.”
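The first audit question above (did the three most recent hires sign the current AUP before they were handed a laptop?) is a reconciliation you can run yourself before the auditor does. The following is an added example, not code from this page or its toolkit: it joins constructed HR start records, asset hand-out records and policy acknowledgements and reports every gap an auditor would write up. The record layouts, the user names, the asset tags and the policy version number are all assumed; map them onto whatever your HR system, MDM and training platform actually export.

```python
"""Find the 'Acceptance Gap': hires with no sign-off, a sign-off against a
superseded AUP version, or a laptop issued before the AUP was signed.
Added example; record layouts are assumed, sample data is constructed."""
from dataclasses import dataclass
from datetime import date

CURRENT_AUP_VERSION = "2.0"   # assumed: version of the approved policy in force


@dataclass(frozen=True)
class Hire:
    user: str
    start: date


@dataclass(frozen=True)
class AssetAssignment:
    user: str
    asset: str
    assigned: date


@dataclass(frozen=True)
class Acknowledgement:
    user: str
    version: str
    signed: date


# Constructed sample records (not real HR, MDM or training data).
HIRES = [
    Hire("alice", date(2024, 9, 2)),
    Hire("bob", date(2024, 9, 16)),
    Hire("carol", date(2024, 10, 7)),
    Hire("dave", date(2024, 10, 21)),
]
ASSIGNMENTS = [
    AssetAssignment("alice", "LT-0101", date(2024, 9, 2)),
    AssetAssignment("bob", "LT-0102", date(2024, 9, 16)),
    AssetAssignment("carol", "LT-0103", date(2024, 10, 7)),
    AssetAssignment("dave", "LT-0104", date(2024, 10, 21)),
]
ACKS = [
    Acknowledgement("alice", "2.0", date(2024, 9, 2)),    # signed on day one: compliant
    Acknowledgement("bob", "2.0", date(2024, 9, 20)),     # signed four days after the laptop
    Acknowledgement("carol", "1.3", date(2024, 10, 7)),   # signed a superseded version
    # dave: no acknowledgement on record at all
]


def find_acceptance_gaps(hires, assignments, acks, current_version=CURRENT_AUP_VERSION):
    """Return one (user, reason) finding per gap, in the order hires are given."""
    findings = []
    # Most recent acknowledgement per user.
    latest_ack = {}
    for a in acks:
        if a.user not in latest_ack or a.signed > latest_ack[a.user].signed:
            latest_ack[a.user] = a
    # Earliest asset hand-out per user (the date the rules needed to be accepted by).
    first_asset = {}
    for s in assignments:
        if s.user not in first_asset or s.assigned < first_asset[s.user].assigned:
            first_asset[s.user] = s
    for h in hires:
        ack = latest_ack.get(h.user)
        if ack is None:
            findings.append((h.user, "no AUP acknowledgement on record"))
            continue
        if ack.version != current_version:
            findings.append((h.user, f"acknowledged superseded version {ack.version}, current is {current_version}"))
        asset = first_asset.get(h.user)
        if asset is not None and ack.signed > asset.assigned:
            days = (ack.signed - asset.assigned).days
            findings.append((h.user, f"{asset.asset} issued {days} day(s) before AUP was signed"))
    return findings


def most_recent_hires(hires, n=3):
    """The sample an auditor typically asks for: the n newest starters."""
    return sorted(hires, key=lambda h: h.start, reverse=True)[:n]


if __name__ == "__main__":
    for user, reason in find_acceptance_gaps(most_recent_hires(HIRES), ASSIGNMENTS, ACKS):
        print(f"GAP {user}: {reason}")
```

Run against the constructed records it reports dave (no sign-off), carol (signed version 1.3 while 2.0 is current) and bob (laptop issued four days before signing); alice is clean. The version check matters because a sign-off against an old AUP is not acceptance of the rules currently in force, which is exactly the evidence gap the "document and version control" mistake below produces.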

AUP Do’s and Don’ts Matrix (Audit Prep):

Internet
  Do: Work research; light personal banking.
  Don't: Gambling, adult content, or dark web.
  Related control: Annex A 5.10 / 8.23 (Web filtering)

Email
  Do: Professional communications; light personal use.
  Don't: Chain letters, harassment, or phishing.
  Related control: Annex A 5.10 / 5.14 (Information transfer)

Hardware
  Do: Official tasks; charging a personal phone.
  Don't: Mining crypto or installing pirated tools.
  Related control: Annex A 5.10 / 8.9 (Configuration management)

Social Media
  Do: Professional networking (LinkedIn).
  Don't: Posting confidential company data or code.
  Related control: Annex A 5.10 / 5.14 (Information transfer)

What is ISO 27001 Annex A 5.10?

ISO 27001 Annex A 5.10 is about acceptable use: people must be told what is and is not acceptable so that the organisation's information and other assets are used, handled and protected properly.

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets is an ISO 27001 control that requires an organisation to implement rules and procedures for the acceptable use of information and other assets.

ISO 27001 Annex A 5.10 Purpose

ISO 27001 Annex A 5.10 is a preventive control. Its purpose is to ensure that information and other associated assets are appropriately protected, used and handled.

ISO 27001 Annex A 5.10 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.10 as:

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.


Watch the ISO 27001 Annex A 5.10 Tutorial

In the video ISO 27001 Annex A 5.10 Acceptable Use Of Information And Associated Assets Explained, I show you how to implement the control and how to pass the audit.

ISO 27001 Annex A 5.10 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.10 Implementation Guidance

To implement ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets you are going to have to ensure that

  • Personnel, contractors and third party users are made aware of the information security requirements for protecting and handling assets and information
  • People are responsible for their use of company assets
  • There is a topic specific policy on acceptable use
  • Acceptable use procedures are documented, communicated and in place

What should an acceptable use policy cover?

The Acceptable Use Policy should cover the following topics

  • Expected behaviour for information security
  • Unacceptable behaviour for information security
  • What monitoring the organisation is doing

What acceptable use processes do I need?

You are going to have acceptable use processes for the full information lifecycle, based on the information's classification and the identified risks. What this means is you will consider

  • Access restrictions that are based on classification
  • Having a record of authorised users of information and systems
  • Protecting information that has been copied to the same level as the original
  • Following manufacturers specifications when storing information
  • Marking storage media for the attention of the recipient
  • Processes for disposing information and other assets including deletion methods and authorisation

Acceptable Use and Cloud Services

So what about assets that do not belong to the organisation, cloud based assets for example? You need to identify those as well and record them as applicable and controlled. You are going to ensure that agreements are in place with the provider and that those agreements provide the required controls.

How to implement ISO 27001 Annex A 5.10

Implementing ISO 27001 Annex A 5.10 requires a transition from informal guidelines to a structured governance framework that dictates how personnel interact with organisational assets. By defining clear boundaries for the use of information, networks, and hardware, an organisation can significantly reduce the risk of insider threats and data leakage. This action-orientated guide outlines the technical and procedural steps necessary to formalise your Acceptable Use Policy and ensure it is technically enforced across the Information Security Management System.

1. Formalise the Topic-Specific Acceptable Use Policy

Establish a documented policy that defines the permitted and prohibited behaviours regarding organisational assets. This action results in a legally defensible governance layer that sets clear expectations for all employees, contractors, and third-party users.

  • Define specific rules for the use of corporate email, internet access, and social media platforms.
  • Identify prohibited actions, such as the installation of unauthorised software or the bypass of security controls like Multi-Factor Authentication (MFA).
  • Document the organisational stance on incidental personal use to prevent the misuse of company resources.

2. Provision Asset Ownership and User Responsibilities

Assign every information asset to a designated owner and map user access through an Identity and Access Management framework. This result-focused step ensures that every interaction with a system or dataset is attributable to an individual identity.

  • Maintain an accurate Information Asset Register that links hardware and software to specific owners.
  • Utilise Role-Based Access Control (RBAC) to ensure that users only interact with assets relevant to their specific job function.
  • Incorporate asset return procedures into employment contracts to ensure hardware is recovered upon termination.

3. Deploy Technical Enforcement Mechanisms

Implement automated safeguards that prevent users from violating the Acceptable Use Policy. This action results in a proactive security posture where policy compliance is not solely dependent on human behaviour.

  • Configure web filtering gateways to block access to high-risk or inappropriate categories of websites.
  • Deploy application control (allow-listing) to prevent the execution of unauthorised executable files or scripts, backed by Endpoint Detection and Response (EDR) to detect and contain what slips past it.
  • Enforce session timeouts and screen-lock policies via Group Policy Objects (GPO) or Mobile Device Management (MDM) profiles.

4. Execute Mandatory Awareness Training and Sign-off

Deliver comprehensive security awareness training that focuses on the practical application of the Acceptable Use Policy. This result-oriented step creates a documented compliance trail that confirms user understanding and consent.

  • Require all staff to complete an annual training module that covers the core tenets of Annex A 5.10.
  • Obtain a formal digital sign-off from every user, confirming they have read, understood, and agreed to abide by the AUP.
  • Perform periodic phishing simulations to test the efficacy of the training and identify areas for further education.

5. Establish Monitoring and Disciplinary Protocols

Enforce the policy through continuous monitoring of system logs and a formalised disciplinary process for violations. This action results in a credible deterrent against the misuse of assets and ensures that security incidents are handled consistently.

  • Integrate asset usage logs with a Security Information and Event Management (SIEM) system to detect anomalous activity.
  • Establish a clear link between policy violations and the organisational disciplinary process defined in Annex A 6.4.
  • Conduct regular management reviews of access logs to ensure that use remains aligned with business requirements.
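Steps 3 and 5 above only have teeth if the AUP's prohibited categories are actually wired into the web filter and the SIEM. The following is an added example, not code from this page or its toolkit, that turns three AUP rules (no gambling or adult sites, no anonymisers, no crypto mining) into detection logic over proxy log lines. It flags three different conditions: a prohibited category that the gateway allowed (the filter policy is wrong), hosts matching mining-pool patterns (which web filters often leave uncategorised), and users who repeatedly hit a prohibited category (a behaviour issue for the disciplinary process rather than a one-off misclick). The log layout, category names, mining-host patterns and threshold are assumed, and the log lines are constructed; align them with your own gateway's export format and taxonomy.

```python
"""Turn AUP 'prohibited use' rules into detection logic over web-proxy logs.
Added example; log format, category names and patterns are assumed, and
the log lines below are constructed rather than captured from a gateway."""
import re
from collections import Counter

# Categories the AUP prohibits (assumed names; align with your filter's taxonomy).
PROHIBITED_CATEGORIES = {"gambling", "adult", "anonymizer"}
# Host patterns suggesting crypto-mining pool traffic (assumed, illustrative patterns).
MINING_HOST_PATTERNS = [re.compile(p) for p in (r"(^|\.)pool\.", r"stratum", r"xmr")]
REPEAT_THRESHOLD = 3  # assumed: hits per user and category that escalate to an incident

# Assumed log layout: "<iso-time> <user> <host> <category> <ALLOW|BLOCK>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|BLOCK)$")

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-10-22T09:01:10Z alice intranet.example.test business ALLOW
2024-10-22T09:03:44Z bob bets.example.test gambling BLOCK
2024-10-22T09:04:01Z bob bets.example.test gambling BLOCK
2024-10-22T09:04:30Z bob odds.example.test gambling BLOCK
2024-10-22T09:10:12Z carol vpn.example.test anonymizer ALLOW
2024-10-22T10:15:00Z dave xmr.pool.example.test uncategorized ALLOW
2024-10-22T10:15:05Z dave xmr.pool.example.test uncategorized ALLOW
2024-10-22T11:00:00Z bob news.example.test news ALLOW
malformed line that should be skipped
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, user, host, category, action = m.groups()
            yield {"ts": ts, "user": user, "host": host, "category": category, "action": action}


def analyse(log_text):
    """Return findings keyed by type; each value is a sorted, de-duplicated list of (user, detail)."""
    findings = {"filter_gap": [], "mining": [], "repeat_offender": []}
    hits = Counter()
    for e in parse(log_text):
        if e["category"] in PROHIBITED_CATEGORIES:
            hits[(e["user"], e["category"])] += 1
            if e["action"] == "ALLOW":
                # A prohibited category reached the user: the gateway policy, not the user, is at fault.
                findings["filter_gap"].append((e["user"], f"{e['host']} ({e['category']}) was allowed"))
        if any(p.search(e["host"]) for p in MINING_HOST_PATTERNS):
            # Category-based blocking misses pools left 'uncategorized'; match on the host instead.
            findings["mining"].append((e["user"], e["host"]))
    for (user, category), n in hits.items():
        if n >= REPEAT_THRESHOLD:
            findings["repeat_offender"].append((user, f"{n} {category} attempts"))
    return {k: sorted(set(v)) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for user, detail in items:
            print(f"{kind:16} {user:8} {detail}")
```

Against the constructed log this reports carol reaching an anonymiser the filter allowed (a configuration defect to fix under step 3), dave contacting a mining pool that the filter never categorised, and bob as a repeat gambling offender (three blocked attempts). Blocked one-off attempts are deliberately not reported: the control worked, and escalating every blocked click would bury the SIEM and the disciplinary process in noise.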

Do’s and Don’ts Matrix

Internet
  Do: Research, banking (lunch break).
  Don't: Gambling, adult content, dark web.

Email
  Do: Business communications, light personal use.
  Don't: Chain letters, harassment, phishing.

Hardware
  Do: Work tasks, charging a personal phone.
  Don't: Installing pirated software, mining crypto.

Social Media
  Do: LinkedIn (professional).
  Don't: Posting confidential company data.

ISO 27001 Acceptable Use Template

The ISO 27001 acceptable use policy template is pre written and ready to go.

ISO 27001 Acceptable Use Policy - ISO 27001 Annex A 5.10 template

How to comply

To comply with ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Implement a topic specific Acceptable Use Policy
  • Implement Acceptable Use Procedures
  • Communicate and gain acceptance of the Acceptable Use Policy

How to pass the ISO 27001 Annex A 5.10 audit

To pass an audit of ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.

What will an audit check?

The audit is going to check a number of areas. Let's go through the main ones.

1. That you have an Acceptable Use Policy

What this means is that you need to show that you have an acceptable use policy in place, that it has been approved and signed off.

2. That your Acceptable Use Policy has been communicated and accepted

You need to communicate the Acceptable Use Policy to all staff and get them to accept it. There are many ways to record acceptance of policy from getting email confirmation, an actual signature or using a training tool to distribute and seek understanding and acceptance.

3. That you have covered the entire information lifecycle

Acceptable use covers the entire information lifecycle. It is unlikely that the acceptable use policy alone will cover everything that is required, and it would not make sense for it to do so. Rather you will have a suite of complementary topic specific policies covering things such as logging and monitoring, access control, information classification and handling, and disposal.

Top 3 ISO 27001 Annex A 5.10 Mistakes People Make and How to Avoid Them

The top 3 Mistakes People Make For ISO 27001 Annex A 5.10 are

1. You haven't got acceptance of the policy from people

As well as having the policy you need to communicate it and get people to accept it. Often people think it is enough just to 'have' a policy. It is not.

2. You forgot the bits that were not obvious

Acceptable use is part of many of the policies that you will have as you are communicating to people what is expected of them. Having a complete set of policies that cover the entire information lifecycle is important. Considering access control, information destruction, handling, information transfer and more.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover draft comments are all good practices.

Applicability of ISO 27001 Annex A 5.10 across different business models.

Business Type: Small Businesses
Applicability & Interpretation: Basic asset hygiene. Without complex firewalls, your "Human Firewall" is key. The Acceptable Use Policy (AUP) must simply state that work laptops are for work, not for torrenting movies or family gaming.
Examples of Control:
  • Prohibited Sites: A simple rule in the handbook banning gambling, adult content, and dark web access on company devices.
  • Incidental Use: Defining that "light personal use" (e.g., checking personal email during lunch) is permitted, but running a side-hustle business on company IT is not.

Business Type: Tech Startups
Applicability & Interpretation: Shadow IT and cloud tools. The AUP must address the "move fast" culture. Developers cannot spin up personal AWS instances or sign up for random SaaS tools with corporate credit cards without approval.
Examples of Control:
  • Crypto Mining Ban: Explicitly prohibiting the use of high-powered dev laptops or cloud instances for cryptocurrency mining.
  • Shadow IT Rule: Mandating that no new SaaS tool (e.g., Trello, Notion) can be used for company data unless it has passed a basic security review.

Business Type: AI Companies
Applicability & Interpretation: GenAI and data ethics. The Acceptable Use Policy must catch up with modern tech. It is critical to forbid pasting proprietary code or PII into public AI models (like ChatGPT or Claude) whose terms allow inputs to be retained or used for training.
Examples of Control:
  • Public AI Ban: A strict rule stating "Do not paste customer PII or confidential source code into public LLM interfaces."
  • Ethical Scraping: Ensuring researchers only use web scrapers in accordance with the site's robots.txt and terms of service, preventing legal liability.


Fast Track ISO 27001 Annex A 5.10 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.10 (Acceptable use of information and other associated assets), the requirement is to identify, document, and implement rules for the acceptable use of information and assets. This is about ensuring people know what is and isn’t allowed from email behaviour to social media posting.

Compliance Factor: Standard Ownership
  SaaS Compliance Platforms: Rents access to your rules; if you cancel the subscription, your documented behavioral standards and signature history vanish.
  High Table ISO 27001 Toolkit: Permanent assets. Fully editable Word/Excel Acceptable Use Policies (AUP) that you own and host forever.
  Audit Evidence Example: A localized "Acceptable Use Policy" defining specific rules for LinkedIn, AI tool usage, and personal device (BYOD) limits.

Compliance Factor: Cultural Utility
  SaaS Compliance Platforms: Attempts to "automate" behavior via generic modules that cannot define what "acceptable" looks like for your specific company culture.
  High Table ISO 27001 Toolkit: Governance-first. Provides a "Do's and Don'ts Matrix" to formalize your existing culture into an auditor-ready framework.
  Audit Evidence Example: A completed "Employee Code of Conduct" sign-off sheet proving staff understand prohibited actions (e.g., crypto-mining).

Compliance Factor: Cost Efficiency
  SaaS Compliance Platforms: Charges a "headcount tax" based on the number of users who sign the AUP, creating perpetual overhead as you hire.
  High Table ISO 27001 Toolkit: One-off fee. A single payment covers your AUP governance for 10 employees or 1,000+.
  Audit Evidence Example: Allocating budget to actual security awareness training rather than monthly "policy acknowledgment" software fees.

Compliance Factor: Behavioral Freedom
  SaaS Compliance Platforms: Mandates rigid monitoring formats that often fail to align with creative startup environments or flexible remote-work models.
  High Table ISO 27001 Toolkit: 100% agnostic. Procedures adapt to your operating style, from strict traditional offices to rapid, remote-first teams.
  Audit Evidence Example: The ability to evolve your social media and email standards without reconfiguring a rigid, third-party SaaS compliance module.

Summary: For Annex A 5.10, the auditor wants to see that you have a formal Acceptable Use Policy and proof that it has been communicated to and accepted by all staff. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.10 FAQ

What is ISO 27001 Annex A 5.10?

ISO 27001 Annex A 5.10 is an organisational control that requires rules for the acceptable use of information and other associated assets to be identified, documented, and implemented.

  • Defines how employees and contractors should interact with company hardware and software.
  • Protects the organisation from legal liability and reputational damage.
  • Ensures that assets are only used for their intended business purposes.
  • Establishes clear boundaries for personal use of corporate resources.

Is an Acceptable Use Policy (AUP) mandatory for ISO 27001?

In practice, yes. Annex A 5.10 requires the rules for acceptable use to be identified, documented and implemented, so wherever the control is applicable in your Statement of Applicability (which is almost always), a documented Acceptable Use Policy, or equivalent documented rules, is the evidence a certification auditor will expect to see.

  • Provides verifiable proof that users have been informed of their responsibilities.
  • Supports compliance with Clause 7.3 (Awareness) and Annex A 6.4 (Disciplinary process).
  • Sets the legal groundwork for monitoring and enforcement activities.
  • Acts as a primary reference for auditors to gauge the maturity of your ISMS.

What should be included in an ISO 27001 Acceptable Use Policy?

A comprehensive AUP must define permitted and prohibited behaviours regarding the use of organisational networks, devices, and data.

  • Rules for internet and email usage (e.g., prohibiting illegal content).
  • Guidelines for social media and external communications.
  • Restrictions on unauthorised software installation or hardware modification.
  • Requirements for password hygiene and screen locking.
  • Clear definitions of what constitutes “incidental” personal use.

Does Annex A 5.10 apply to remote workers and BYOD?

Yes, the control applies to any asset used to access organisational information, regardless of whether it is company-owned or a personal device.

  • Must define security requirements for accessing the corporate network via VPN.
  • Requires clear rules on data segregation between personal and business use.
  • Should mandate the use of anti-malware and encryption on personal devices (BYOD).
  • States the organisation’s right to wipe corporate data from personal hardware upon termination.

How often should the Acceptable Use Policy be reviewed?

Organisations should review their AUP at least annually or whenever significant technical or organisational changes occur.

  • Triggers for review include the adoption of new technologies like Generative AI.
  • Must be updated following a major security incident involving asset misuse.
  • Ensures alignment with changing legal, regulatory, or contractual requirements.
  • Helps maintain relevance as working patterns (like hybrid work) evolve.

What are the consequences of violating an AUP?

Violations of the AUP should trigger formalised disciplinary procedures as defined in your organisational HR policies and Annex A 6.4 (Disciplinary process).

  • May result in the immediate revocation of access to corporate systems.
  • Can lead to formal warnings, suspension, or termination of employment.
  • Might involve legal action if the misuse involves data breaches or criminal activity.
  • Acts as a deterrent to other employees by demonstrating enforcement of security rules.

Further Reading

How to Implement ISO 27001 Annex A 5.10: A Practical Guide to Acceptable Use

How to Audit ISO 27001 Annex A 5.10: An Auditor’s Step-by-Step Guide

Your 10-Point Checklist for Mastering ISO 27001 Annex A 5.10: Acceptable Use

Pass Your ISO 27001 Audit: A 10-Point Checklist for Annex A 5.10

A Practical Guide for AI Companies to ISO 27001 Annex A 5.10: Acceptable Use of Information and Assets

A Tech Startup’s Practical Guide to ISO 27001 Annex A 5.10: Acceptable Use

A Practical Guide for SMEs to ISO 27001 Annex A 5.10: Acceptable Use of Information and Assets

ISO 27001 Acceptable Use Policy Beginner’s Guide

ISO 27001 Asset Management Policy Template

ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets

ISO 27001 Controls and Attribute Values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Asset management
Security domains: Protection
Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
