ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets

ISO 27001 Acceptable Use Of Information And Other Associated Assets

In this ultimate guide to ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets you will learn

  • What is ISO 27001 Annex A 5.10?
  • How to implement ISO 27001 Annex A 5.10

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 5.10?

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets is an ISO 27001 Annex A control that requires an organisation to implement rules and procedures for the acceptable use of information and other assets.

People need to be informed what is and what is not acceptable to ensure the proper use, handling and protection of organisation assets.

Purpose

The purpose of ISO 27001 Annex A 5.10 is a preventive control that ensures information and other associated assets are appropriately protected, used and handled.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.10 as:

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets

Implementation Guide

To implement ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets you are going to have to ensure that

  • Personnel, contractors and third party users are made aware of the information security requirements for protecting and handling assets and information
  • People are responsible for their use of company assets
  • There is a topic specific policy on acceptable use
  • Acceptable use procedures are documented, communicated and in place

Acceptable Use

What should an acceptable use policy cover?

The Acceptable Use Policy should cover the following topics

  • Expected behaviour for information security
  • Unacceptable behaviour for information security
  • What monitoring the organisation is doing

What acceptable use processes do I need?

You are going to have acceptable use processes for the full information security lifecycle based on its classification and identified risks. What this means is you will consider

  • Access restrictions that are based on classification
  • Having a record of authorised users of information and systems
  • Protecting information that has been copied to the same level as the original
  • Following manufacturers specifications when storing information
  • Marking storage media for the attention of the recipient
  • Processes for disposing information and other assets including deletion methods and authorisation

Acceptable Use and Cloud Services

So what about assets that do not belong to the organisation? Cloud based assets for example. Well you need to identify those as well and record them as applicable and controlled. You are going to ensure there are agreements are in place and those agreements provide the required controls.

Watch the Tutorial

Watch How to implement ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets

ISO 27001 Templates

The ISO 27001 acceptable use policy template is pre written and ready to go.

ISO 27001 Acceptable Use Policy Template
ISO 27001 Toolkit

How to comply

To comply with ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Implement a topic specific Acceptable Use Policy
  • Implement Acceptable Use Procedures
  • Communicate and gain acceptance of the Acceptable Use Policy

How to pass an audit

To pass an audit of ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.

What will an audit check?

The audit is going to check a number of areas. Lets go through the main ones

1. That you have an Acceptable Use Policy

What this means is that you need to show that you have an acceptable use policy in place, that it has been approved and signed off.

2. That your Acceptable Use Policy has been communicated and accepted

You need to communicate the Acceptable Use Policy to all staff and get them to accept it. There are many ways to record acceptance of policy from getting email confirmation, an actual signature or using a training tool to distribute and seek understanding and acceptance.

3. That you have covered the entire information lifecycle

Acceptable use covers the entire information lifecycle. It is unlikely that the acceptable use policy will cover everything that is required and it would not make sense for it to do so. Rather you will have a suite of topic specific policies that are complimentary covering things such as logging and monitoring, access control.

Top 3 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.10 are

1. Your haven’t got acceptance from people of the policy

As well as having the policy you need to communicate it and get people to accept it. Often people think is enough just to ‘have’ a policy. It is not.

2. You forgot the bits that were not obvious

Acceptable use is part of many of the policies that you will have as you are communicating to people what is expected of them. Having a complete set of policies that cover the entire information lifecycle is important. Considering access control, information destruction, handling, information transfer and more.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

FAQ

Is ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets a new ISO 27001 control?

No. It is a combination of controls ISO 27001:2013 Clause 8.1.3 Acceptable Use of Assets and ISO 27001:2013 Clause 8.2.3 handling of assets.

Why is ISO 27001 Annex A 5.10 important?

People cannot be expected to act in a certain way unless we tell them what is expected of them. We want to protect our organisation and our organisation assets and we want to let people know how they can use them. Even if they are what we might think are common sense. So we work out what is acceptable to us and we communicate it. It is part of information security training and awareness and it makes for a safer work environment. It is one of the first lines of information security defence.

What clause of ISO 27001 covers acceptable use?

ISO 27001 annex A 5.10 covers acceptable use of information and other associated assets.

What clause of ISO 27002 covers acceptable use?

ISO 27002 clause 5.10 covers acceptable use of information and other associated assets.

What is the difference between ISO 27001 annex A 5.10 and ISO 27002 clause 5.10?

Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

ISO 27001 Controls and Attribute Values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityProtectAsset managementProtection
Integrity
Availability
ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing