
ISO 27001 Annex A 5.10 Audit Checklist


In this ultimate how-to-audit guide to ISO 27001 Annex A 5.10 (Acceptable Use of Information and Other Associated Assets), you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.10 verifies that an organisation has established and enforced rules for the acceptable use of information and associated assets. The audit confirms the Primary Implementation Requirement of a formally documented and user-accepted Acceptable Use Policy (AUP). The Business Benefit is the reduction of human error, insider threats, and legal liability stemming from misuse.

Use this pass/fail checklist to strictly validate compliance with ISO 27001 Annex A 5.10 (Acceptable use of information and other associated assets). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Annex A 5.10 Audit Guide.

1. Acceptable Use Policy (AUP) Formally Documented

  • Verification Criteria: A specific “Acceptable Use Policy” (or equivalent section in the IT Security Policy) exists, is written in clear language, and bears a recent approval date from senior management.
  • Required Evidence: The Master Policy Document with a “Document Control” table showing approval within the last 12 months.

Pass/Fail Test: If the rules exist only in an email chain, intranet post, or verbal “common knowledge” rather than a formal controlled document, mark as Non-Compliant.

2. “Prohibited Behaviours” Explicitly Defined

  • Verification Criteria: The policy explicitly lists specific banned activities (e.g., “installation of pirated software,” “running a personal business,” “sharing passwords”) rather than vague statements like “be secure.”
  • Required Evidence: The specific “Unacceptable Use” section of the AUP containing a bulleted list of banned actions.

Pass/Fail Test: If the policy lists what users should do but fails to explicitly list what they must not do, mark as Non-Compliant.

3. Monitoring & Privacy Expectations Clarified

  • Verification Criteria: The policy contains a clear clause stating that the organisation reserves the right to monitor systems and that users should have no expectation of privacy on corporate devices.
  • Required Evidence: The “Monitoring and Privacy” clause within the AUP.

Pass/Fail Test: If the policy is silent on monitoring, creating a legal ambiguity regarding the organisation’s right to inspect logs during an incident, mark as Non-Compliant.
