Introduction: Beyond the Checkbox
If you are working towards ISO 27001 certification, you might view ISO 27001 Annex A 5.10, "Acceptable use of information and other associated assets", as just another form to fill out. Viewing the Acceptable Use control as a bureaucratic hurdle is a mistake. This control is actually your foundation for managing the most unpredictable part of security: people.
For AI companies, this is even more critical. Your team constantly creates and moves your most valuable assets—proprietary data, unique algorithms, and intellectual property. The security of these assets depends on clear rules. This guide helps you break down ISO 27001 Annex A 5.10 for AI companies into simple steps. We will move past the “checkbox” mindset to build a culture of security that is compliant and strong.
Table of contents
- Introduction: Beyond the Checkbox
- Decoding Annex A 5.10: What is Acceptable Use?
- Building Your Cornerstone: The Acceptable Use Policy (AUP)
- Operationalising Your Policy: Procedures for the Full Lifecycle
- Navigating Modern IT: Cloud Services and Shadow IT
- Passing the Audit: A Guide to Demonstrating Compliance
- Top 3 Mistakes That Will Sink Your Audit
- Conclusion: Anchoring Accountability
Decoding Annex A 5.10: What is Acceptable Use?
Before implementing controls, you need to understand their purpose. A clear grasp of Annex A 5.10 is vital for building a framework that passes an audit. Here is what the official mandate means for you.
The Official Mandate
The ISO/IEC 27001:2022 standard states control A 5.10 in a single sentence: rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. An auditor will check this against a three-part structure:
- Identified: Have you defined specific rules for your AI context, or is it just a generic template?
- Documented: Are these rules written down in a formal policy?
- Implemented: Is there proof these rules are active in your company?
A well-written policy isn’t enough. You need proof that it is a living part of your system.
The Core Purpose: Your First Line of Defence
Think of Annex A 5.10 as a preventive measure. It sets the “ground rules” for everyone who accesses your assets. The goal is to remove “plausible deniability.” You cannot hold someone responsible for breaking a rule if they didn’t know it existed.
By ensuring every user knows the boundaries, you build a strong defence against insider threats. This applies to everyone, from your lead data scientists to third-party contractors.
Evolution in the 2022 Revision
The 2022 revision merged two controls from the 2013 edition, A.8.1.3 (Acceptable use of assets) and A.8.2.3 (Handling of assets), into one. This sends a clear message: using an asset and handling it are connected. Your rules must cover the entire life of an asset, from the moment a developer trains a new model to the day you destroy an old dataset.
Building Your Cornerstone: The Acceptable Use Policy (AUP)
The Acceptable Use Policy (AUP) is the main document for Annex A 5.10. It is more than a list of rules; it is the bedrock of accountability. Platforms like hightable.io can be excellent resources for structuring these policies effectively.
Essential Components of an Auditor-Proof AUP
To pass an audit, your AUP must cover three key areas:
- Expected Behaviour: This sets the baseline for professional conduct. For example, state that corporate email is for work only.
- Unacceptable Behaviour: Be explicit here. Forbid pirated software, gambling sites, or sharing company code on personal chat apps.
- Transparency About Monitoring: Clearly state what you may monitor (for example network traffic, endpoint and cloud logs) and why. This builds trust through honesty and gives your security team a documented basis for its monitoring. Check the statement against the employment and privacy law that applies wherever you have staff; notice in a policy is necessary, but on its own it does not make every form of monitoring lawful.
Defining the Scope: What Assets Are Covered?
Your AUP covers more than just laptops. It applies to all assets in your organisation. An auditor will check if your scope matches your inventory. Make sure to include:
- Hardware: Laptops, phones, and servers.
- Software: Operating systems, AI models, and code libraries.
- Services: Cloud platforms (SaaS, IaaS), email, and hosting.
- Data: Training datasets, databases, and documents.
Operationalising Your Policy: Procedures for the Full Lifecycle
Policies set the rules, but procedures explain how to follow them. You must document steps for every stage of the information lifecycle. This proves to an auditor that your AUP is real.
Creation and Storage
Protection starts when information is created. Your procedures should guide users on:
- Data Classification: Label data as Public, Internal, or Confidential.
- Secure Storage: Define where to store data. Explicitly forbid saving sensitive algorithms on personal drives.
Transfer and Access
Transferring data is risky. Human error here can cause breaches. Your procedures must be strict:
- Access Control: Link access rights to data classification. Keep a record of authorised users.
- Approved Transfer Methods: Use encrypted email or secure file sharing. Ban the use of personal apps like WhatsApp for business.
- Protection of Copies: Treat copies of a report or dataset with the same security level as the original.
Disposal: The Forgotten Stage
Don’t overlook the end of the lifecycle. Dragging a file to the trash bin is not enough for sensitive AI training data.
- Define authorised disposal methods for each type of media. Overwrite-based secure wipe software is adequate for magnetic disks, but it does not reliably erase SSDs or cloud object storage; for those, use the drive’s built-in sanitise command, cryptographic erasure (destroying the key the data was encrypted under), or the cloud provider’s documented deletion process.
- Ensure the disposal method matches the data’s sensitivity. For confidential data, record what was destroyed, when, how and by whom; an auditor will ask for that proof of destruction.
Navigating Modern IT: Cloud Services and Shadow IT
ISO 27001 Annex A 5.10 for AI companies extends beyond your physical office. Auditors look closely at how you handle external services. Since AI relies heavily on cloud infrastructure, this is non-negotiable.
Applying A 5.10 to Cloud Resources
You are responsible for assets outside your network perimeter. First, identify all cloud resources and add them to your inventory. This links back to control A 5.9.
A common mistake is failing to carry your rules through to cloud providers. If your policy forbids storing personal data abroad, your cloud contract must guarantee local data residency, and the regions actually configured in your accounts must match it. Without this, you have a compliance gap.
The Risk of Shadow IT
“Shadow IT” happens when employees use unapproved tools to work faster. For an AI firm, this might mean pasting proprietary code or training data into an unapproved online tool. This violates your handling rules.
To an auditor, this looks like a lack of control. Your AUP must clearly state the approval process for new tools. If you need a robust way to track these assets and risks, tools like hightable.io can help centralise your inventory and policy management.
Passing the Audit: A Guide to Demonstrating Compliance
This is the final hurdle. Good policies mean nothing without evidence. An auditor’s job is to verify, not trust. Here is what they need to see.
The Three Pillars of Evidence
An auditor will look for three things:
- The AUP Document: A formal, up-to-date policy signed by senior management.
- Supporting Procedures: Step-by-step instructions for the full information lifecycle.
- Verifiable Acceptance: Proof that every user has read and accepted the AUP.
The Critical Point of Failure: Proving Acceptance
This is the most common reason for failure. Auditors won’t accept “we sent an email” as proof. You need records that show, per user, acceptance of the current version of the policy with a timestamp: logs of an “I accept” click or digital signatures.
Auditors will test this. They might pick 20 random employees and ask for their acceptance records for the current version. If you miss one, you have a nonconformity.
Demonstrating an Interconnected System
Your AUP is the hub of your system. Auditors will check if your handling procedures match your data classification labels and your asset inventory. Failing to link these controls, A 5.9 (inventory of information and other associated assets), A 5.12 (classification of information) and A 5.14 (information transfer), is a red flag.
Top 3 Mistakes That Will Sink Your Audit
Failures are rarely technical. They are usually gaps in evidence. Avoid these top mistakes.
Lack of Active, Provable Acceptance
This is the number one failure. Do not rely on mass emails. Use an HR system or a GRC tool to track “I accept” clicks for every employee during onboarding and policy updates.
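The check an auditor performs on acceptance records can be run internally before the audit. The following Python script is an added example and is not part of the original article, nor tooling from the author or from hightable.io. It assumes two CSV exports of the shape shown (both constructed for the example): an HR roster with employment status and start date, and an acceptance log from an HR or GRC tool in which a "sent" event records distribution only and an "accepted" event records the user's acknowledgement. The current policy version, its publication date and the onboarding grace window are assumed values.

```python
"""Reconcile AUP acceptance records against the HR roster and the
current policy version. All data below is constructed for illustration."""
import csv
import io
import random
from datetime import datetime, timedelta, timezone

# Assumed document-control facts for the current AUP version.
AUP_VERSION = "3.1"
AUP_PUBLISHED = datetime(2024, 3, 1, tzinfo=timezone.utc)
AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)  # date the check is run

# Constructed HR roster export.
ROSTER_CSV = """user,status,start_date
alice,active,2022-05-09
bob,active,2021-01-18
carol,active,2023-08-14
dave,active,2024-03-10
erin,active,2020-02-03
frank,active,2024-04-25
grace,left,2019-06-01
"""

# Constructed acceptance log export. Only 'accepted' is evidence.
ACCEPTANCE_CSV = """user,policy,version,event,timestamp
alice,AUP,3.1,accepted,2024-03-02T09:14:00Z
alice,AUP,3.0,accepted,2023-02-11T10:02:00Z
bob,AUP,3.0,accepted,2023-02-11T10:05:00Z
bob,AUP,3.1,sent,2024-03-01T08:00:00Z
carol,AUP,3.1,accepted,2024-02-20T12:00:00Z
dave,AUP,3.1,accepted,2024-03-11T16:40:00Z
erin,AUP,3.1,sent,2024-03-01T08:00:00Z
grace,AUP,3.0,accepted,2023-02-11T10:07:00Z
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(roster_csv, acceptance_csv, version, published, as_of, grace_days=14):
    """Return {user: finding} for every active person on the roster.

    Findings: ok, onboarding_pending (joined within grace_days, assumed
    acceptable to an auditor only if onboarding is documented),
    stale_version (accepted an earlier version only), notified_only
    (policy was sent but never accepted), no_record, and
    accepted_before_publication (an acceptance dated before the version
    existed, which points to backdated or mis-tagged evidence)."""
    roster = list(csv.DictReader(io.StringIO(roster_csv)))
    events = [e for e in csv.DictReader(io.StringIO(acceptance_csv)) if e["policy"] == "AUP"]
    findings = {}
    for person in roster:
        if person["status"] != "active":
            continue  # leavers are out of scope for current acceptance
        user = person["user"]
        mine = [e for e in events if e["user"] == user]
        current = [e for e in mine if e["event"] == "accepted" and e["version"] == version]
        if current:
            if any(parse_ts(e["timestamp"]) < published for e in current):
                findings[user] = "accepted_before_publication"
            else:
                findings[user] = "ok"
            continue
        start = datetime.strptime(person["start_date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if as_of - start <= timedelta(days=grace_days):
            findings[user] = "onboarding_pending"
        elif any(e["event"] == "accepted" for e in mine):
            findings[user] = "stale_version"
        elif any(e["event"] == "sent" for e in mine):
            findings[user] = "notified_only"
        else:
            findings[user] = "no_record"
    return findings


def nonconformities(findings):
    """Users an auditor would raise: anything other than ok or a fresh joiner."""
    return sorted(u for u, f in findings.items() if f not in ("ok", "onboarding_pending"))


def audit_sample(findings, n, seed=0):
    """Deterministic stand-in for the auditor's random pick of n employees."""
    users = sorted(findings)
    return random.Random(seed).sample(users, min(n, len(users)))


def run_example():
    return reconcile(ROSTER_CSV, ACCEPTANCE_CSV, AUP_VERSION, AUP_PUBLISHED, AS_OF)


if __name__ == "__main__":
    result = run_example()
    for user, finding in sorted(result.items()):
        print(f"{user:8} {finding}")
    print("nonconformities:", nonconformities(result))
    print("auditor sample:", audit_sample(result, 3))
```

Running it reports bob (accepted only the superseded version), carol (an acceptance of version 3.1 dated before 3.1 was published, which is the document-control problem from the list above showing up in the evidence) and erin (sent the policy, never accepted it); frank is inside the onboarding window and is reported separately rather than hidden. Version comparison is by exact string, so the version tag in the log must match the one on the controlled document.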
Forgetting Non-Obvious Lifecycle Stages
Companies often forget about secure destruction. You might secure laptops but ignore old backup tapes. Map your AUP against your disposal policies to ensure every stage is covered.
Incorrect Document Control
Auditors love document control. Mismatched versions or policies not reviewed in years signal a “dead system.” Keep your AUP alive with regular, documented reviews.
Conclusion: Anchoring Accountability
Annex A 5.10 governs the “human element” of security. It dictates behaviour from the moment an asset is created until it is destroyed. For an AI company, where value lies in data and IP, this control is your anchor. By implementing ISO 27001 Annex A 5.10 for AI companies correctly, you turn a static document into a dynamic tool for success.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigour with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organisations, from high-growth technology startups to enterprise financial institutions, through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
