A Practical Guide for SMEs to ISO 27001 Annex A 5.10: Acceptable Use of Information and Assets

ISO 27001 Annex A 5.10 for Small Business

Let’s be clear: the biggest security risk to your small business isn’t usually a hacker in a far-off country. It is often an employee who clicks the wrong link or uses the wrong app. ISO 27001 Annex A 5.10, “Acceptable use of information and other associated assets”, addresses this head-on.

For a small business, this isn’t just another box to tick. It is your strongest defence. It sets the ground rules for every person who touches your company data. This control builds a culture of security. From an auditor’s view, it establishes informed consent. You cannot hold someone responsible for breaking a rule if they can honestly say, “I didn’t know that rule existed.” By setting clear expectations, you build a fence that protects your organisation before an incident happens.

Decoding Annex A 5.10: What the Standard Actually Demands

Understanding the official definition is vital because an auditor will test you against the specific wording. The standard requires that rules for acceptable use and procedures for handling assets be “identified, documented and implemented.”

This means simply having a policy hidden on a server is not enough. You must prove it is a living part of your business. The 2022 version of the standard merges two controls from the 2013 edition: A.8.1.3 (Acceptable use of assets) and A.8.2.3 (Handling of assets).

This merger is significant. It means you cannot separate using an asset from handling it. An auditor expects to see rules that govern an asset from the moment you create it until the moment you destroy it.

The Cornerstone of Compliance: Crafting Your Acceptable Use Policy (AUP)

The Acceptable Use Policy (AUP) is the heart of your compliance for Annex A 5.10. It is the first document an auditor will ask to see. It must be a crystal-clear guide for everyone, including staff and contractors.

Pillar 1: Defining Expected Behaviour

This section sets the baseline for normal, approved activities. It should list things like:

  • Using corporate email for work communications.
  • Accessing approved software to do your job.
  • Storing data only in secure corporate locations.

Pillar 2: Outlining Unacceptable Behaviour

You must clearly state what is forbidden. Leave no room for guessing. This includes:

  • Installing unauthorised software.
  • Visiting prohibited websites, such as gambling sites.
  • Sharing confidential data on personal apps like WhatsApp.

Pillar 3: Transparency on Monitoring

This clause builds trust and provides legal protection. You must state that the organisation reserves the right to monitor its networks and devices for security purposes, and what that monitoring covers. By being upfront, you remove any expectation of privacy on corporate devices, within the limits that local employment and data protection law place on workplace monitoring.


From Creation to Deletion: The Information Lifecycle

A common mistake is creating an AUP that only looks at daily computer use. An auditor looks for procedures that cover the whole life of your data. You need rules for every stage.

Creation and Storage

When you create a document, you need to know how to label it. This links to your data classification scheme. Your rules should state that confidential client data must sit on secure corporate storage, not on a personal drive.

Access and Transfer

This is where many leaks happen. Your rules must ensure only the right people can see sensitive data. You also need to define how to send data safely. If you email a sensitive report, you must protect the attachment just as much as the original file.

Disposal

Secure disposal is often the “forgotten stage.” Dragging a file to the recycling bin is not enough. Your rules must define how to destroy data properly, such as shredding paper, using secure-wipe software on magnetic disks, or using the drive’s built-in secure erase (or full-disk encryption with key destruction) for SSDs, where overwrite tools cannot reach every cell. If the data is confidential, the auditor will want proof that you destroyed it, such as a wipe log or a certificate of destruction from your disposal vendor.

Modern Challenges: Cloud Services and Shadow IT

Auditors are now looking closely at assets you use but do not own. If you ignore cloud services, you will likely fail the audit.

Cloud Services

Annex A 5.10 covers the cloud tools your team uses. First, identify every service and put it in your asset inventory. Platforms like hightable.io are excellent for maintaining this inventory and mapping it to your policies. Second, check your contracts. If your policy says data must stay in your country, but your cloud provider does not guarantee that, you have a gap.

Shadow IT

“Shadow IT” happens when an employee uses a free tool to get work done without asking. If they move company data into that tool, it breaks the rules. Your AUP must clearly state that new tools need approval before anyone puts company data in them.
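The two passages above, the cloud service inventory and the shadow IT rule, are easier to enforce if you can see which unapproved services are actually receiving company data. The following is an added example, not code from the original page or from hightable.io, showing how a small business could screen web proxy logs for uploads to hosts outside its approved service inventory. The approved service list, the log format (timestamp, user, method, URL, status, bytes sent), the usernames and every hostname in the log are constructed for this example; the `.example` domains are hypothetical.

```python
"""Flag uploads to cloud services that are not in the approved asset inventory."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Approved cloud services from the asset inventory, mapped to the domains they use.
# Constructed sample inventory for this example.
APPROVED_SERVICES = {
    "Microsoft 365": ["outlook.office365.com", "sharepoint.com", "onedrive.live.com"],
    "Xero": ["go.xero.com"],
}

# Proxy log lines, constructed for this example (hypothetical users and hosts).
# Format: timestamp user method url status bytes_sent
PROXY_LOG = """\
2025-05-12T09:01:10Z alice POST https://contoso.sharepoint.com/sites/finance/upload 200 1840233
2025-05-12T09:03:44Z bob GET https://www.bbc.co.uk/news 200 512
2025-05-12T09:05:02Z bob POST https://api.quickshare.example/2/files/upload 200 9744200
2025-05-12T09:06:30Z carol PUT https://files.share-anything.example/u/abc123 201 3200000
2025-05-12T10:15:12Z alice GET https://go.xero.com/Reports 200 2048
2025-05-12T11:40:00Z dave POST https://design.drawtool.example/api/export 200 120
2025-05-12T11:41:00Z dave POST https://files.share-anything.example/u/abc123 403 5000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def is_approved_host(host, approved=APPROVED_SERVICES):
    """True if host is an approved domain or a subdomain of one.

    The suffix check requires a leading dot, so 'sharepoint.com.evil.example'
    and 'notsharepoint.com' do not match 'sharepoint.com'."""
    for domains in approved.values():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return True
    return False


def find_unapproved_uploads(log_text, min_bytes=100_000, approved=APPROVED_SERVICES):
    """Return {host: {"users": set, "bytes": int, "requests": int}} for successful
    write requests (POST/PUT/PATCH) of at least min_bytes to hosts outside the
    approved inventory. Small writes are skipped: they are usually form posts
    and telemetry, not documents leaving the business."""
    findings = defaultdict(lambda: {"users": set(), "bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; in production, count these rather than drop them silently
        if m["method"] not in ("POST", "PUT", "PATCH"):
            continue
        if not m["status"].startswith("2"):
            continue  # blocked or failed request: no data reached the service
        size = int(m["bytes"])
        host = urlsplit(m["url"]).hostname or ""
        if size < min_bytes or is_approved_host(host, approved):
            continue
        entry = findings[host]
        entry["users"].add(m["user"])
        entry["bytes"] += size
        entry["requests"] += 1
    return dict(findings)


if __name__ == "__main__":
    for host, info in sorted(find_unapproved_uploads(PROXY_LOG).items()):
        users = ", ".join(sorted(info["users"]))
        print(f"{host}: {info['bytes']} bytes in {info['requests']} request(s) by {users}")
```

Each flagged host is either a service that should be added to the inventory (after the contract and data-location checks described above) or a shadow IT case to raise with the user. Treat the output as a starting point for a conversation, not proof of misconduct: the log shows bytes sent, not what they contained.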

Preparing for the Audit: Turning Policies into Proof

In an audit, if it is not written down, it did not happen. To prove compliance, you need evidence. I typically look for three things.

The Approved AUP Document

The auditor checks for document control. They want to see approval from management, a version number, and a review date that is recent (typically within the last 12 months, or whatever interval your own document control procedure sets).

Supporting Procedures

The AUP does not stand alone. An auditor wants to see how it connects to other policies, like Access Control or Media Handling. This shows your security is a complete system.

Verifiable Acceptance

This is the most common failure point. Sending an email is not enough. You need proof that every user agreed to the rules. This could be a log showing they clicked “I accept” or a signed document. An auditor might pick 20 employees at random and ask to see their acceptance records. If you cannot show them, you fail.

Top 3 Mistakes That Sink an Audit

Most failures here are not technical; they are procedural. Here is how to avoid them.

The “Passive Acceptance” Fallacy

Do not assume posting a link is enough. You need active consent. Make sure every user takes a tangible action to agree to the policy, especially when you update it.
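The acceptance evidence described under “Verifiable Acceptance” and the re-acceptance point made just above are easy to check mechanically before an auditor does. The following is an added example, not code from the original page or from hightable.io, that reconciles an acceptance log against the staff roster and the policy’s own document-control fields. The policy record, the roster names, the log format (timestamp, user, action, policy title, version) and every log line are constructed for this example.

```python
"""Reconcile AUP acceptance records against the roster and the policy's version."""
import random
import re
from datetime import date, datetime

# Document-control fields as they would appear on the policy's cover page.
# Constructed sample values; not a real document.
POLICY = {
    "title": "Acceptable Use Policy",
    "version": "2.1",
    "approved_by": "Managing Director",
    "approved_on": "2024-03-01",
    "last_reviewed": "2024-03-01",
}

# Everyone who touches company data, staff and contractors alike. Constructed.
ROSTER = ["alice", "bob", "carol", "dave", "erin"]

# Acceptance records as exported from an HR or e-learning tool. Constructed lines.
ACCEPTANCE_LOG = """\
2023-02-14T09:12:00Z alice accepted "Acceptable Use Policy" v2.0
2024-03-05T10:03:22Z alice accepted "Acceptable Use Policy" v2.1
2023-02-14T09:40:10Z bob accepted "Acceptable Use Policy" v2.0
2024-03-06T08:15:00Z carol accepted "Acceptable Use Policy" v2.1
2024-03-07T16:20:45Z dave viewed "Acceptable Use Policy" v2.1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<action>accepted|viewed) '
    r'"(?P<title>[^"]+)" v(?P<version>\S+)$'
)


def parse_acceptances(log_text, title):
    """Return {user: (version, timestamp)} for each user's most recent acceptance
    of the named policy. 'viewed' events prove delivery, not consent, so they
    are deliberately ignored: that is the passive-acceptance fallacy in data form."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["title"] != title or m["action"] != "accepted":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if m["user"] not in latest or ts > latest[m["user"]][1]:
            latest[m["user"]] = (m["version"], ts)
    return latest


def acceptance_status(roster, log_text, policy):
    """Classify every roster member as 'ok', 'stale' (accepted an earlier
    version only, or before the current version was approved) or 'missing'."""
    latest = parse_acceptances(log_text, policy["title"])
    approved_on = date.fromisoformat(policy["approved_on"])
    status = {}
    for user in roster:
        if user not in latest:
            status[user] = "missing"
        elif latest[user][0] != policy["version"]:
            status[user] = "stale"
        elif latest[user][1].date() < approved_on:
            status[user] = "stale"  # cannot have consented to a version that did not yet exist
        else:
            status[user] = "ok"
    return status


def document_control_findings(policy, today_iso, max_review_age_days=365):
    """Check the policy's own evidence: approval, version number, recent review."""
    findings = []
    if not policy.get("approved_by"):
        findings.append("no management approval recorded")
    if not policy.get("version"):
        findings.append("no version number")
    age = (date.fromisoformat(today_iso) - date.fromisoformat(policy["last_reviewed"])).days
    if age > max_review_age_days:
        findings.append(f"last review {age} days ago exceeds {max_review_age_days} days")
    return findings


def audit_sample(status, n, seed=0):
    """Pick n roster members at random, as an auditor would, with their statuses.
    A fixed seed keeps this example reproducible."""
    users = sorted(status)
    picked = random.Random(seed).sample(users, min(n, len(users)))
    return {u: status[u] for u in picked}


if __name__ == "__main__":
    status = acceptance_status(ROSTER, ACCEPTANCE_LOG, POLICY)
    for user, s in sorted(status.items()):
        print(f"{user:8} {s}")
    print("document control:", document_control_findings(POLICY, "2025-06-01") or "ok")
    print("audit sample:", audit_sample(status, 3))
```

Run this before every audit and after every policy update: the “stale” bucket is exactly the group that accepted the old version and was never asked to accept the new one, and the “missing” bucket usually contains contractors and recent starters who were never enrolled at all.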

Lifecycle Blind Spots

Do not focus only on computers. Auditors look for gaps. Do you have rules for the office printer? What about destroying old backup tapes? Make sure your rules cover physical media too.

“Dead Document” Syndrome

A policy with no recent review date is a red flag. It tells the auditor you are neglecting the system. Ensure every document shows a clear history of review and approval.

Conclusion: Your Accountability Anchor

Annex A 5.10 is more than a document. It governs the human side of your security. Its success depends on one thing: provable acceptance from every user. Without that, you have no accountability.

This control anchors your Information Security Management System (ISMS). It works best when linked to other controls, like inventory and classification. Tools like hightable.io can help you manage these links effectively. By implementing Annex A 5.10 well, you turn a rulebook into a proactive defence that protects your business.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director