In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.
Key Takeaways: ISO 27001 Annex A 5.10 Acceptable Use of Information and Assets (SME Edition)
For Small and Medium-sized Enterprises (SMEs), ISO 27001 Annex A 5.10 is the foundation of your company culture regarding security. It establishes the “Rules of the Road” for every employee, contractor, and partner who touches your data. Without this control, you cannot hold staff accountable for security breaches because they can legitimately claim they “didn’t know” the rules. This is not about restricting productivity; it is about providing clear instructions to prevent accidental data leaks and misuse.
Core requirements for compliance include:
- The “Living” Policy: You must have a documented Acceptable Use Policy (AUP). It cannot just be a file on a server; it must be communicated, understood, and actively agreed to by all users.
- Defined Behaviour: The policy must explicitly state what is allowed (e.g. using corporate email for business) and what is forbidden (e.g. installing unauthorised software or sharing passwords).
- Lifecycle Coverage: The rules must cover the entire lifecycle of information and assets – from creation (labelling) through storage (secure servers), access and transfer (who may see it and how it may be sent) to disposal (shredding/wiping).
- Monitoring Transparency: You must inform employees that the organisation reserves the right to monitor corporate networks and devices. This builds trust and supports your legal position, provided the monitoring itself is proportionate and complies with local employment and data protection law; a notice in the AUP does not on its own make monitoring lawful.
- Shadow IT Control: The policy must address the use of unapproved cloud tools (Shadow IT). Staff must know they cannot just “sign up” for a new free tool with their work email without approval.
Audit Focus: Auditors will look for “The Consent Trail”:
- Verifiable Acceptance: “Show me the record that proves Jane Doe read and accepted the latest version of your AUP.” (A signature or digital log is required).
- New Joiner Process: “How do you ensure new employees see this policy on Day 1? Show me the onboarding checklist.”
- Reality Check: “Your policy says ‘Clean Desk’, but I see passwords on sticky notes. Your policy is not being implemented.”
SME Acceptable Use Checklist (Audit Prep):
| Topic | The “Do’s” (Acceptable) | The “Don’ts” (Prohibited) |
|---|---|---|
| Email | Business communication only. | Sending confidential data to personal email. |
| Internet | Research & work-related sites. | Illegal sites, gambling, or piracy. |
| Software | Approved apps only. | Installing unapproved/pirated software. |
| Devices | Lock screen when away. | Leaving devices in cars/unlocked. |
| Data | Save to company server/cloud. | Saving corporate data to personal USB/Drive. |
Table of contents
- What is ISO 27001 Annex A 5.10?
- How to implement ISO 27001 Annex A 5.10 for SMEs
- The Information Lifecycle for SMEs
- Modern Challenges: Cloud Services and Shadow IT
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.10 Mistakes SMEs Make and How to Avoid Them
- Fast Track ISO 27001 Annex A 5.10 Compliance for SMEs with the ISO 27001 Toolkit
- Conclusion: Your Accountability Anchor
What is ISO 27001 Annex A 5.10?
Understanding the official definition is vital because an auditor will test you against the specific wording. The standard requires that rules for acceptable use and procedures for handling assets be “identified, documented and implemented.”
This means simply having a policy hidden on a server is not enough. You must prove it is a living part of your business. The 2022 version of the standard merges two older controls: one for the ‘use’ of assets and another for ‘handling’ them.
This merger is significant. It means you cannot separate using an asset from handling it. An auditor expects to see rules that govern an asset from the moment you create it until the moment you destroy it.
How to implement ISO 27001 Annex A 5.10 for SMEs
The Acceptable Use Policy (AUP) is the heart of your compliance for Annex A 5.10. It is the first document an auditor will ask to see. It must be a crystal-clear guide for everyone, including staff and contractors.
Pillar 1: Defining Expected Behaviour
This section sets the baseline for normal, approved activities. It should list things like:
- Using corporate email for work communications.
- Accessing approved software to do your job.
- Storing data only in secure corporate locations.
Pillar 2: Outlining Unacceptable Behaviour
You must clearly state what is forbidden. Leave no room for guessing. This includes:
- Installing unauthorised software.
- Visiting prohibited websites, such as gambling sites.
- Sharing confidential data on personal apps like WhatsApp.
Pillar 3: Transparency on Monitoring
This clause builds trust and supports your legal position. You must state that the organisation reserves the right to monitor its networks and devices for security purposes, and say broadly what is monitored and why. Being upfront reduces any expectation of privacy on corporate devices, but it does not remove your obligations: monitoring must still be proportionate and comply with local employment and data protection law.
The Information Lifecycle for SMEs
A common mistake is creating an AUP that only looks at daily computer use. An auditor looks for procedures that cover the whole life of your data. You need rules for every stage.
Creation and Storage
When you create a document, you need to know how to label it. This links to your data classification scheme (Annex A 5.12) and labelling rules (Annex A 5.13). Your rules should state that confidential client data must sit on secure corporate storage, not on a personal drive.
Access and Transfer
This is where many leaks happen. Your rules must ensure only the right people can see sensitive data. You also need to define how to send data safely. If you email a sensitive report, you must protect the attachment just as much as the original file, for example by encrypting it or by sharing a link to the controlled corporate location instead of attaching a copy.
Disposal
Secure disposal is often the “forgotten stage.” Dragging a file to the recycling bin is not enough. Your rules must define how to destroy data properly, such as shredding paper or using secure-wipe software on drives and devices before they are reused or sold. If the data is confidential, the auditor will want proof that you destroyed it, such as a destruction certificate from your shredding contractor or a wipe log for the device.
Modern Challenges: Cloud Services and Shadow IT
Auditors are now looking closely at assets you use but do not own. If you ignore cloud services, you will likely fail the audit.
Cloud Services
Annex A 5.10 covers the cloud tools your team uses. First, identify every service and put it in your asset inventory. Platforms like hightable.io are excellent for maintaining this inventory and mapping it to your policies. Second, check your contracts. If your policy says data must stay in your country, but your cloud provider does not guarantee that, you have a gap.
Shadow IT
“Shadow IT” happens when an employee uses a free tool to get work done without asking. If they move company data into that tool, it breaks the rules. Your AUP must clearly state that new tools need approval before anyone puts company data in them.
What the auditor will check
In an audit, if it is not written down, it did not happen. To prove compliance, you need evidence. I typically look for three things.
1. The Approved AUP Document
The auditor checks for document control. They want to see approval from management, a version number, and a review date from the last 12 months.
2. Supporting Procedures
The AUP does not stand alone. An auditor wants to see how it connects to other policies, such as Access Control (Annex A 5.15) or storage media handling (Annex A 7.10), and to the asset inventory (Annex A 5.9). This shows your security is a complete system rather than a set of disconnected documents.
3. Verifiable Acceptance
This is the most common failure point. Sending an email and assuming it was read is not enough. You need proof that every user agreed to the rules, and agreed to the version currently in force. This could be a log showing they clicked “I accept” on a specific version, or a signed and dated document. An auditor might pick 20 employees at random and ask to see their acceptance records. If you cannot produce them, expect a nonconformity.
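To show what a usable “consent trail” looks like in practice, here is a small acceptance register written for this page as an added example; it is not code from the original article or from the High Table toolkit. Each acceptance is tied to a hash of the exact policy text the user saw, so a policy update automatically puts everyone back on the outstanding list, and the entries form a hash chain so that a backdated or edited record is detectable. The user names, timestamps and policy text are constructed for illustration.

```python
"""Acceptance register for an Acceptable Use Policy (AUP).

Added example: a hash-chained register of who accepted which policy version.
All names, dates and policy text below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


def policy_digest(policy_text: str) -> str:
    """Identify a policy version by the SHA-256 of its normalised text."""
    normalised = "\n".join(line.strip() for line in policy_text.strip().splitlines())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acceptance:
    user: str
    policy_version: str   # human-readable label, e.g. "AUP v2.0"
    policy_hash: str      # digest of the text actually shown to the user
    accepted_at: str      # ISO 8601 UTC timestamp
    prev_entry: str       # digest of the previous register entry (the chain)
    entry_digest: str     # digest over all fields above

    @staticmethod
    def create(user, policy_version, policy_hash, accepted_at, prev_entry):
        body = json.dumps([user, policy_version, policy_hash, accepted_at, prev_entry])
        entry_digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        return Acceptance(user, policy_version, policy_hash, accepted_at, prev_entry, entry_digest)


class AcceptanceRegister:
    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self):
        self.entries: list[Acceptance] = []

    def record(self, user, policy_version, policy_text, accepted_at=None) -> Acceptance:
        """Append an acceptance of the given policy text by the given user."""
        when = accepted_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_digest if self.entries else self.GENESIS
        entry = Acceptance.create(user, policy_version, policy_digest(policy_text), when, prev)
        self.entries.append(entry)
        return entry

    def evidence(self, user, policy_text):
        """Return the record proving this user accepted this exact policy text, or None."""
        digest = policy_digest(policy_text)
        for entry in reversed(self.entries):
            if entry.user == user and entry.policy_hash == digest:
                return entry
        return None

    def outstanding(self, users, policy_text):
        """Users who have no acceptance on file for the policy text in force."""
        return sorted(u for u in users if self.evidence(u, policy_text) is None)

    def verify_chain(self) -> bool:
        """Recompute every entry digest and chain link; False if anything was altered."""
        prev = self.GENESIS
        for e in self.entries:
            expected = Acceptance.create(
                e.user, e.policy_version, e.policy_hash, e.accepted_at, prev
            ).entry_digest
            if e.prev_entry != prev or e.entry_digest != expected:
                return False
            prev = e.entry_digest
        return True


# Constructed sample policy texts: v2 adds the shadow IT rule.
AUP_V1 = """Acceptable Use Policy
- Use corporate email for business communication only.
- Install approved software only.
- Lock your screen when away from your device."""
AUP_V2 = AUP_V1 + "\n- New tools need approval before company data goes into them."


def demo():
    """Constructed scenario: two staff accept v1, policy is revised, a new joiner accepts v2."""
    reg = AcceptanceRegister()
    staff = {"alice", "bob", "carol"}
    reg.record("alice", "AUP v1.0", AUP_V1, "2024-01-08T09:00:00+00:00")
    reg.record("bob", "AUP v1.0", AUP_V1, "2024-01-08T09:05:00+00:00")
    reg.record("alice", "AUP v2.0", AUP_V2, "2024-06-03T10:00:00+00:00")
    reg.record("carol", "AUP v2.0", AUP_V2, "2024-06-10T08:30:00+00:00")  # new joiner
    return reg, staff


if __name__ == "__main__":
    register, users = demo()
    print("Outstanding for current AUP:", register.outstanding(users, AUP_V2))
    print("Chain intact:", register.verify_chain())
```

In this scenario Bob accepted only the old version, so he appears as outstanding against the current policy text; an auditor asking “show me Bob’s acceptance of the latest AUP” would get nothing, which is exactly the gap the register is meant to surface before the audit does. Keying acceptance to the policy text rather than to a label also means a “minor wording change” that nobody re-issued shows up as a gap instead of being silently hidden behind an unchanged version number.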
Top 3 ISO 27001 Annex A 5.10 Mistakes SMEs Make and How to Avoid Them
Most failures here are not technical; they are procedural. Here is how to avoid them.
1. The “Passive Acceptance” Fallacy
Do not assume posting a link is enough. You need active consent. Make sure every user takes a tangible action to agree to the policy, especially when you update it.
2. Lifecycle Blind Spots
Do not focus only on computers. Auditors look for gaps. Do you have rules for the office printer? What about destroying old backup tapes? Make sure your rules cover physical media too.
3. “Dead Document” Syndrome
A policy with no recent review date is a red flag. It tells the auditor you are neglecting the system. Ensure every document shows a clear history of review and approval.
Fast Track ISO 27001 Annex A 5.10 Compliance for SMEs with the ISO 27001 Toolkit
For Small Businesses and SMEs, ISO 27001 Annex A 5.10 (Acceptable use of information and other associated assets) is your strongest proactive defence. It establishes the ground rules for every individual touching your company data, building a culture of security and providing “informed consent”. Without this, you cannot hold someone accountable for a breach if they can say they did not know the rule existed.
While SaaS compliance platforms often try to sell you “automated policy acknowledgements” or complex “usage monitoring dashboards”, they cannot actually define what constitutes “acceptable behaviour” for your specific business culture or handle the legal nuances of monitoring transparency. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the governance framework you need without a recurring subscription fee.
1. Ownership: You Own Your Acceptable Use Policy Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your usage rules and store your acceptance logs inside their proprietary system, you are essentially renting your own accountability anchor.
- The Toolkit Advantage: You receive the Acceptable Use Policy (AUP) and Supporting Procedures in fully editable Word formats. These files are yours forever. You maintain permanent ownership of your standards, such as specific rules for cloud services or shadow IT, ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for the Human Side of Security
Annex A 5.10 is about setting clear expectations across the entire information lifecycle. You do not need a complex new software interface to manage what a well-written AUP and a verifiable acceptance process already do perfectly.
- The Toolkit Advantage: SMEs do not need another dashboard; they need clear, unambiguous rules and the governance layer to prove to an auditor that every user has actively agreed to them. The Toolkit provides pre-written “Expected vs Unacceptable Behaviour” pillars that formalise your security culture into an auditor-ready framework, without forcing your team to learn a new software platform just to accept a policy update.
3. Cost: A One-Off Fee vs. The “User Seat” Tax
Many compliance SaaS platforms charge more based on the number of “active users” or “policy attestations” you track. For an SME, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you have 5 employees or 50, the cost of your Acceptable Use Documentation remains the same. You save your budget for actual security tools rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Accountability Strategy
SaaS tools often mandate specific ways to report on and monitor “policy acceptance”. If their system does not match your unique business model or specialized industry requirements, such as handling BYOD or physical media disposal, the tool becomes a bottleneck to efficiency.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Acceptable Use Procedures to match exactly how you operate, whether you use digital signatures or a simpler, risk-managed approach such as an explicit email reply confirming acceptance of a named policy version. You maintain total freedom to evolve your accountability strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For SMEs, the auditor wants to see a crystal-clear AUP and verifiable proof of active acceptance from every single user (e.g. logs or signed documents). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
Conclusion: Your Accountability Anchor
Annex A 5.10 is more than a document. It governs the human side of your security. Its success depends on one thing: provable acceptance from every user. Without that, you have no accountability.
This control anchors your Information Security Management System (ISMS). It works best when linked to other controls, like inventory and classification. Tools like hightable.io can help you manage these links effectively. By implementing Annex A 5.10 well, you turn a rulebook into a proactive defence that protects your business.