Pass Your ISO 27001 Audit: A 10-Point Checklist for Annex A 5.10

ISO 27001 Annex A 5.10 Audit Checklist

ISO 27001 Annex A 5.10, Acceptable use of information and other associated assets, manages the most unpredictable part of security: people. This control acts as a vital shield. It sets clear ground rules for everyone who touches your company’s data or systems. This applies to staff, contractors, and third-party users alike.

When we say “associated assets,” we don’t just mean data. We mean hardware, software, cloud services, and networks. The main goal here is to stop “plausible deniability.” You need to make sure every user knows exactly where the line is drawn. If you want to turn your policy into the solid proof an auditor needs, this ISO 27001 Annex A 5.10 audit checklist is your roadmap.

The Ultimate 10-Point Audit Checklist for Annex A 5.10

An auditor wants to see a strong system, not just a pile of papers. The following ten points outline the evidence an auditor will scrutinise. Mastering these helps you build a security culture that can easily withstand an audit.

1. Is Your Acceptable Use Policy (AUP) Formally Documented?

The Acceptable Use Policy (AUP) is the main document for this control. It protects information before a mistake happens by setting clear expectations. An auditor will check if this document exists, if it is approved, and if you maintain it.

What the auditor wants to see:

  • A documented AUP or IT Security Policy.
  • Proof that senior management signed off on it.
  • A document control section showing a review in the last 12 months.

2. Does the AUP Clearly Define Expected and Unacceptable Behaviour?

To be “auditor proof,” your policy must be crystal clear. It cannot be vague. It must list exactly what users should do and what is strictly banned. This removes confusion and helps you enforce the rules.

Make sure your policy covers these areas:

  • Expected Behaviour: Using work email for business, following data classification rules, and using approved transfer methods.
  • Unacceptable Behaviour: Installing pirated software, running a personal business on company assets, sharing confidential data on WhatsApp, or visiting banned websites (like gambling sites).

3. Is Your Policy Transparent About Organisational Monitoring?

You need a clause about monitoring. Some companies hesitate to include a “we are watching you” section, but auditors view it as a sign of maturity. It sets boundaries and builds trust through honesty. It also gives you legal cover by removing the “expectation of privacy” on work systems.

4. Is Acceptance of the Policy Actively and Verifiably Tracked?

This is a common point of failure. An auditor will not accept a mass email as proof of acceptance. You need active, provable consent from every single user. This is where tools like the Hightable.io ISO 27001 toolkit can save you. They help you track who has read and signed policies automatically.

You need one of the following proofs:

  • System logs showing a user clicked “I accept.”
  • Certificates from a training module.
  • Signed documents confirming they read the policy.
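The check an auditor effectively performs for this point can be automated. The following is an added example, not code from the article or from the Hightable.io toolkit: it takes the current approved AUP version, the user list and the acceptance records, and reports every user who lacks a valid, active acceptance of the current version. A broadcast email is deliberately not counted as evidence, an acceptance recorded against an older version or dated before the current version was approved is rejected, and an acceptance older than the annual re-acknowledgement window is flagged. All users, dates, versions and the document hash are constructed sample data; the 365-day window is an assumption, not a figure from the standard.

```python
"""Added example: verify active, provable acceptance of the current AUP.

All records below are constructed sample data, not real audit evidence.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PolicyVersion:
    version: str
    approved_by: str      # management sign-off (checklist point 1)
    approved_on: date     # used for the annual review check
    content_sha256: str   # hash of the approved document text (constructed here)


@dataclass(frozen=True)
class Acceptance:
    user: str
    version: str          # policy version the user acknowledged
    accepted_on: date
    method: str           # "click", "training" or "signed" are provable; "email" is not


# Forms of evidence the article lists as acceptable proof of consent.
ACCEPTED_METHODS = {"click", "training", "signed"}

# Constructed sample data (assumption: names, dates and hash are illustrative).
CURRENT_AUP = PolicyVersion("2.1", "CISO", date(2024, 3, 1), "constructed-sha256")
USERS = ["alice", "bob", "carol", "dave"]
ACCEPTANCES = [
    Acceptance("alice", "2.1", date(2024, 3, 5), "click"),    # valid
    Acceptance("bob", "2.0", date(2023, 6, 1), "click"),      # superseded version
    Acceptance("carol", "2.1", date(2024, 3, 2), "email"),    # mass email, not consent
    Acceptance("dave", "2.1", date(2024, 2, 20), "signed"),   # predates approval
]


def find_gaps(users, current, acceptances, as_of, max_age_days=365):
    """Return {user: reason} for every user without valid acceptance of `current`."""
    latest = {}
    for a in acceptances:
        if a.method not in ACCEPTED_METHODS:
            continue  # not active, provable consent
        if a.version != current.version:
            continue  # acknowledged an old version
        if a.accepted_on < current.approved_on:
            continue  # cannot have accepted a version that did not yet exist
        if a.user not in latest or a.accepted_on > latest[a.user].accepted_on:
            latest[a.user] = a

    gaps = {}
    for user in users:
        a = latest.get(user)
        if a is None:
            gaps[user] = "no active acceptance of current version"
        elif (as_of - a.accepted_on).days > max_age_days:
            gaps[user] = "acceptance older than re-acknowledgement window"
    return gaps


def review_overdue(current, as_of, max_age_days=365):
    """True if the policy itself has not been reviewed within the window (point 1)."""
    return (as_of - current.approved_on).days > max_age_days


def run_check(as_of):
    """Convenience entry point over the sample data; returns (gaps, review_overdue)."""
    return find_gaps(USERS, CURRENT_AUP, ACCEPTANCES, as_of), review_overdue(CURRENT_AUP, as_of)


if __name__ == "__main__":
    gaps, overdue = run_check(date(2025, 1, 15))
    for user, reason in sorted(gaps.items()):
        print(f"{user}: {reason}")
    print("policy review overdue:", overdue)
```

Run against the sample data as of 15 January 2025, only alice passes; bob, carol and dave each appear with the reason an auditor would cite. Moving the as-of date past March 2025 also flags alice as stale and the policy review as overdue, which is the "dead system" signal from point 9.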

5. Are Documented Procedures in Place for the Entire Lifecycle?

The AUP sets the rules, but procedures show how people follow them. The 2022 standard merged “use” and “handling” of assets. An auditor will check for procedures covering three stages:

  • Creation and Storage: Define how to classify data (Public, Confidential) and where to save it. For example, ban personal cloud drives.
  • Transfer and Access: Detailed rules on who accesses data and how they send it. Forbid insecure apps for business chat.
  • Disposal: Don’t forget this stage. You need rules for shredding paper or wiping hard drives.

You must prove that any copy of information is as secure as the original.

6. Do Your Rules Cover Cloud Services and Non-Company Assets?

Auditors now look closely at “Shadow IT.” This happens when staff use free online tools for work without asking. Your rules must cover assets you use but do not own, like SaaS platforms.

To prove compliance, you need:

  • An asset inventory (A.5.9) that includes cloud resources.
  • Contracts with providers that enforce your rules (like data residency).
  • A clear approval process for new tools.

7. Are Responsibilities Clearly Assigned and Communicated?

It is not enough for people to know the rules. They must know they are responsible for their actions. An auditor will check that your system assigns personal accountability to every user.

8. Is There an Ongoing Training and Awareness Programme?

You cannot just ask staff to sign a document once and forget it. To build a culture of security, you need regular training and reminders. This keeps security fresh in everyone’s mind.

9. Is Your Document Control Process Flawless?

Auditors love to find errors in document control. Simple mistakes in version numbers or dates suggest you have a “dead system.”

Watch out for these failures:

  • Version numbers that do not match across documents.
  • No proof of an annual review.
  • A document with no tracked changes for years.

10. Is the AUP Integrated with Other Security Policies?

An auditor expects to see a connected system. Your AUP acts as an anchor. It must link to other controls like Inventory (A.5.9), Classification (A.5.12), and Information Transfer (A.5.14). Showing these links proves your system works as a whole.


Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

Top 3 Mistakes That Will Derail Your Audit

As a lead auditor might tell you, failures often come from basic process gaps, not tech issues. Here is how to avoid them.

Lack of Active Acceptance

This is the number one fail. If an auditor asks an employee about the policy and they shrug, you fail. You must capture active consent. Using a platform like Hightable.io ensures you have a digital audit trail for every user.

Forgetting the “Non-Obvious” Stages

Many write rules for using a laptop but forget about destroying old backup tapes. Your policy must cover the whole lifecycle, including disposal.

Sloppy Document Control

Mismatched versions or missing dates are red flags. They hurt your credibility. Keep your documents tidy and up to date.

Conclusion: From Policy to Proof

Complying with Annex A 5.10 is about accountability across the whole life of your data. It requires more than a document; it needs a system that creates proof. By using this ISO 27001 Annex A 5.10 audit checklist, you can turn policy into evidence. Tools like the Hightable.io ISO 27001 toolkit can streamline this, giving you the confidence to pass your audit with ease.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director
Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.