Auditing ISO 27001 Annex A.5.10 verifies that an organisation has established and enforced rules for the acceptable use of information and associated assets. The audit confirms the Primary Implementation Requirement of a formally documented and user-accepted Acceptable Use Policy (AUP). The Business Benefit is the reduction of human error, insider threats, and legal liability stemming from misuse.
Use this pass/fail checklist to strictly validate compliance with ISO 27001 Annex A 5.10 (Acceptable use of information and other associated assets). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Annex A 5.10 Audit Guide.
1. Acceptable Use Policy (AUP) Formally Documented
- Verification Criteria: A specific “Acceptable Use Policy” (or equivalent section in the IT Security Policy) exists, is written in clear language, and bears a recent approval date from senior management.
- Required Evidence: The Master Policy Document with a “Document Control” table showing approval within the last 12 months.
- Pass/Fail Test: If the rules exist only in an email chain, intranet post, or verbal “common knowledge” rather than a formal controlled document, mark as Non-Compliant.
2. “Prohibited Behaviours” Explicitly Defined
- Verification Criteria: The policy explicitly lists specific banned activities (e.g., “installation of pirated software,” “running a personal business,” “sharing passwords”) rather than vague statements like “be secure.”
- Required Evidence: The specific “Unacceptable Use” section of the AUP containing a bulleted list of banned actions.
- Pass/Fail Test: If the policy lists what users should do but fails to explicitly list what they must not do, mark as Non-Compliant.
3. Monitoring & Privacy Expectations Clarified
- Verification Criteria: The policy contains a clear clause stating that the organisation reserves the right to monitor systems and that users should have no expectation of privacy on corporate devices.
- Required Evidence: The “Monitoring and Privacy” clause within the AUP.
- Pass/Fail Test: If the policy is silent on monitoring, creating a legal ambiguity regarding the organisation’s right to inspect logs during an incident, mark as Non-Compliant.
4. User Acceptance Actively Logged
- Verification Criteria: Evidence exists that 100% of active users have affirmatively accepted the current version of the policy.
- Required Evidence: A report from the HR/GRC system showing “Date Accepted” and “Version ID” for a random sample of 5 employees (including one new starter).
- Pass/Fail Test: If you find a signed form for Version 1.0 but the current policy is Version 3.0, mark as Non-Compliant.
5. Cloud & Shadow IT Usage Addressed
- Verification Criteria: The policy explicitly covers the use of non-corporate assets (BYOD) and third-party cloud services (SaaS), setting rules for “Shadow IT.”
- Required Evidence: A section in the AUP or a separate “Cloud Usage Policy” referencing unauthorised cloud storage (e.g., “Do not upload corporate data to personal Dropbox”).
- Pass/Fail Test: If the policy only mentions “Company Computers” and ignores mobile devices or cloud apps, mark as Non-Compliant.
6. Information Transfer Rules Defined
- Verification Criteria: Clear procedures are documented for how information should be securely transferred (e.g., “Use encrypted email for PII,” “Do not use WhatsApp for business”).
- Required Evidence: The “Information Transfer” procedure or specific AUP clauses regarding file sharing and instant messaging.
- Pass/Fail Test: If users are sending sensitive data via unapproved tools (e.g., WeTransfer, personal email) because the policy doesn’t ban it, mark as Non-Compliant.
7. Remote Work & Physical Security Included
- Verification Criteria: The AUP includes specific requirements for physical security when working remotely (e.g., “Lock screen when away,” “Do not work on sensitive documents in public view”).
- Required Evidence: The “Remote Working” or “Clear Desk/Clear Screen” section of the policy.
- Pass/Fail Test: If the policy fails to address risks specific to home working or public Wi-Fi usage, mark as Non-Compliant.
8. Return of Assets Obligation Stated
- Verification Criteria: The policy clearly states the obligation to return all assets and delete data from personal devices upon termination of employment.
- Required Evidence: A “Termination of Access” or “Return of Assets” clause in the AUP (linking to Annex A 5.11).
- Pass/Fail Test: If the policy does not explicitly state that intellectual property created on personal devices belongs to the company, mark as Non-Compliant.
9. Reporting Procedures for Security Events
- Verification Criteria: The policy mandates that users must report suspected security weaknesses or incidents immediately and provides the contact channel.
- Required Evidence: The “Incident Reporting” section providing a specific email address, phone number, or portal for reporting.
- Pass/Fail Test: If the policy says “Report incidents” but doesn’t say who to report them to, mark as Non-Compliant.
10. Lifecycle Management of the Policy Verified
- Verification Criteria: The AUP itself is subject to regular review and updates to reflect changing technology (e.g., AI usage).
- Required Evidence: Version history showing a review or update within the last 12 months, specifically checking for modern risks (e.g., “ChatGPT/Generative AI usage”).
- Pass/Fail Test: If the policy was last updated in 2019 and fails to mention modern collaboration tools (Teams/Slack) or AI, mark as Non-Compliant.
| Control Requirement | The “Checkbox Compliance” Trap | The Reality Check |
|---|---|---|
| Active Acceptance | Tool sends a mass email with a “Read This” link. | Auditor must verify logs of interaction. Did the user actually click “I Accept”? Email open rates are not proof of agreement. |
| Version Sync | Tool updates the policy PDF but doesn’t reset acceptance status. | Auditor must check if users were forced to re-accept the new version. If users are “compliant” based on a signature from 3 years ago, the tool failed. |
| Onboarding Gating | Policy is available in the “Company Handbook” folder. | Auditor must verify if system access is gated by acceptance. Can a new user log in to Salesforce before signing the AUP? If yes, the control is weak. |
| Shadow IT Discovery | Tool lists “Approved Software” only. | Auditor must ask how the tool handles unknown apps. Does it scan for browser extensions or unauthorized SaaS logins? If it relies on manual entry, it misses Shadow IT. |
| Mobile Enforcement | Policy mentions BYOD rules textually. | Auditor must check for MDM profiles. Does the tool actually enforce the “PIN Code” or “Encryption” rule on the phone, or is it just a written request? |
| Quiz/Comprehension | User scrolls to bottom and clicks “Accept” in 2 seconds. | Auditor must check for time-spent logs or comprehension quizzes. “Click-through fatigue” invalidates the legal standing of the AUP. |
| Contractor Coverage | Tool manages “Employees” (Active Directory). | Auditor must verify external users. Are contractors and freelancers in the GRC tool? Often they are excluded, leaving a huge compliance gap. |
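Item 4 and the “Active Acceptance”, “Version Sync”, “Quiz/Comprehension” and “Contractor Coverage” rows above reduce to one evidence question: for every user on the roster, is there an affirmative accept event for the current policy version, and was it more than a two-second click-through? The script below is an added example, not code from the page or from any GRC product; the roster and log layout, the user names, the 60-second reading threshold and the version numbers are constructed assumptions.

```python
"""Audit an AUP acceptance export against item 4 and the table above.

Added example, not from the page: assumes a roster export (all active
users, employees and contractors) and an acceptance-log export from the
HR/GRC tool. Both inputs below are constructed sample data.
"""
from collections import defaultdict
from datetime import date

CURRENT_VERSION = "3.0"   # AUP version currently in force (constructed)
MIN_READ_SECONDS = 60     # below this, treat as click-through (constructed threshold)

# Constructed roster: (user, type). Contractors must be in scope too.
ROSTER = [
    ("alice", "employee"), ("bob", "employee"),
    ("carol", "employee"), ("dave", "contractor"),
]

# Constructed log: (user, action, version, date, seconds spent on the policy page)
ACCEPTANCE_LOG = [
    ("alice", "accept", "3.0", date(2024, 3, 1), 240),
    ("bob",   "accept", "1.0", date(2021, 6, 2), 300),  # signed an old version only
    ("bob",   "open",   "3.0", date(2024, 3, 1), 0),    # opened the email, never accepted
    ("carol", "accept", "3.0", date(2024, 3, 1), 2),    # accepted in 2 seconds
    # dave: contractor, absent from the GRC tool entirely
]


def audit_acceptance(roster, log, current_version=CURRENT_VERSION,
                     min_seconds=MIN_READ_SECONDS):
    """Return {user: [findings]}; an empty list means the user passes."""
    accepts = defaultdict(list)
    for user, action, version, when, secs in log:
        if action == "accept":          # "open" events are not proof of agreement
            accepts[user].append((version, when, secs))

    findings = {}
    for user, kind in roster:
        issues = []
        current = [a for a in accepts[user] if a[0] == current_version]
        if not accepts[user]:
            issues.append(f"no acceptance record ({kind} missing from GRC tool)")
        elif not current:
            versions = sorted({v for v, _, _ in accepts[user]})
            issues.append(f"accepted {versions} but not current {current_version}")
        elif all(secs < min_seconds for _, _, secs in current):
            issues.append(f"click-through: accepted in under {min_seconds}s, "
                          "check for a comprehension quiz")
        findings[user] = issues
    return findings


def non_compliant(findings):
    """Users with at least one finding; the control fails if this is non-empty."""
    return sorted(u for u, issues in findings.items() if issues)
```

Run against real exports, a non-empty result from `non_compliant` is the list of users for which the auditor needs to see either a fresh acceptance or a documented exception.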