ISO 27001 Annex A 5.10 is a security control that establishes rules for the Acceptable Use of Information and Other Associated Assets. It requires organizations to document and communicate clear guidelines on how employees should handle data and devices to prevent misuse. This provides the Business Benefit of reducing human error, preventing data leaks, and establishing a legal basis for disciplinary action in cases of misconduct.
In the fast-paced world of a tech startup, information security often feels like a list of technical tasks. You set up firewalls, configure encryption, and check access logs. But the most critical part of your security is actually the “human element.” This is where ISO 27001 Annex A 5.10, “Acceptable use of information and other associated assets,” steps in.
For a growing company, this control is not about creating red tape. It is about building a layer of accountability. It stops security incidents before they happen. It operates on a simple principle: you cannot hold someone responsible for breaking a rule if they can honestly say, “I didn’t know the rule existed.”
Table of contents
- The Business Case: Why This Actually Matters
- The No-BS Translation: Decoding the Requirement
- DORA, NIS2, and AI Laws
- Why the ISO 27001 Toolkit Trumps SaaS Platforms
- Top 3 Non-Conformities When Using SaaS Platforms
- The Evolution of A.5.10
- Crafting Your Acceptable Use Policy (AUP)
- From Policy to Practice: The Lifecycle
- Cloud Services and Shadow IT
- The Evidence Locker: What the Auditor Needs to See
- Common Pitfalls and Auditor Traps
- Handling Exceptions: The Break Glass Protocol
- The Process Layer: Standard Operating Procedure (SOP)
- Frequently Asked Questions (FAQ)
The Business Case: Why This Actually Matters
If you don’t define “Acceptable Use,” then everything is acceptable, including mining Bitcoin on company servers or uploading your entire codebase to ChatGPT.
- Sales Angle: Enterprise clients send Security Questionnaires asking: “Do you have an Acceptable Use Policy (AUP) signed by all employees?” If you say “No,” they assume your internal security hygiene is zero. You look unprofessional, and the deal stalls.
- Risk Angle: The “Rogue Employee” Defense. If an employee steals data or harasses a client using company email, your AUP is your primary legal defense. Without a signed AUP, firing them or taking legal action becomes incredibly difficult because you never formally told them they couldn’t do it.
The “No-BS” Translation: Decoding the Requirement
The Auditor’s View: “Rules for the acceptable use of information and of associated assets shall be identified, documented and implemented.”
The Startup’s View: Write down the rules of the road. Tell staff exactly what they can and cannot do with their laptops, email, and Slack access. Then make them sign it.
For a Developer, this translates to:
- Don’t: Push AWS keys to public GitHub repos.
- Don’t: Install cracked software or games on your work MacBook.
- Do: Lock your screen when you go for coffee.
DORA, NIS2, and AI Laws
Annex A 5.10 is the front line for compliance with new regulations.
- DORA (Fintech): Requires financial entities to manage ICT risks. An AUP is essential to define how staff use critical ICT systems. If a trader uses WhatsApp for deals (Shadow IT), that is a DORA violation. Your AUP must explicitly ban unmonitored channels.
- NIS2: Mandates “Cyber Hygiene.” This includes basic practices like password security and device handling. Your AUP is the document that enforces these hygiene standards across the workforce.
- AI Act: If your staff use Generative AI, you need an AUP update immediately. You must define what data can be put into public models (ChatGPT) vs private instances. Without this, you risk leaking IP or violating GDPR through AI tools.
Why the ISO 27001 Toolkit Trumps SaaS Platforms
SaaS platforms turn policy management into “Click-Next-Ware.” They focus on getting a tick in a box, not on whether staff actually understand the rules.
| Feature | ISO 27001 Toolkit (High Table) | Online SaaS GRC Platform |
|---|---|---|
| Comprehension | Encourages you to tailor the document to your culture. | Generic, long-winded templates that staff scroll past in 2 seconds. |
| Ownership | You own the PDF/Word doc. It lives in your HR system. | If you stop paying, you lose your audit trail of who signed what. |
| Cost | One-off fee. | Monthly subscription per user. You pay every time you hire a new dev. |
| Flexibility | Edit instantly when a new threat (like AI) appears. | Wait for the SaaS vendor to update their “Module.” |
Top 3 Non-Conformities When Using SaaS Platforms
- The “Scroll and Click” Failure: The SaaS tool shows 100% compliance because everyone clicked “I Agree.” But during the audit interview, a developer admits they use WeTransfer for sensitive data because “nobody told me not to.” The auditor fails you for ineffective implementation.
- The “Version Lag” Trap: You updated the policy in the SaaS portal, but the HR onboarding emails are still sending the old PDF version. Inconsistent documentation is an easy win for an auditor.
- The “Unreadable Policy” Error: The SaaS template provides a 40-page AUP full of legal jargon. Staff ignore it. The standard requires rules to be “communicated.” If it is unreadable, it hasn’t been communicated.
The Evolution of A.5.10
The 2022 version merges “Acceptable use” and “Handling of assets.” This is crucial. It means you can’t just have a rule about logging in; you need rules covering the entire data lifecycle: creating, storing, moving, and destroying data.
Crafting Your Acceptable Use Policy (AUP)
Do not write a novel. Write a rulebook. Build it on three pillars:
Pillar 1: Expected Behaviour
Be specific. “Use corporate email for business.” “Store code in the official GitHub org.” “Keep laptops encrypted.”
Pillar 2: Unacceptable Behaviour
Draw the line. “Do not disable antivirus.” “Do not visit gambling sites.” “Do not share passwords via Slack.”
Pillar 3: Monitoring Transparency
State clearly that you monitor logs. This removes the “expectation of privacy” on work devices and protects you legally.
From Policy to Practice: The Lifecycle
- Creation: Label data (Confidential/Public) when you create it.
- Transfer: Use approved encrypted channels (e.g., Signal, encrypted Zip), not WeTransfer.
- Disposal: Don’t just bin old hard drives. Securely wipe them or physically destroy them.
Cloud Services and Shadow IT
“Shadow IT” is just an employee trying to do their job efficiently with a tool you haven’t approved. Your AUP must explicitly state the process for approving new tools. If you don’t, you will have company data in Trello, Monday, Asana, and Notion simultaneously.
The Evidence Locker: What the Auditor Needs to See
To pass the audit, have these artifacts ready:
- The AUP Document: Signed, dated, and version controlled.
- Onboarding Checklist: Showing that new hires signed the AUP on Day 1.
- Asset Return Log: Evidence that leavers returned their laptops and access was revoked.
- Training Records: Proof that you explained the policy to staff, not just emailed it.
Common Pitfalls and Auditor Traps
- The “CEO Exemption”: The CEO doesn’t sign the policy or refuses to use MFA. Instant fail. Leadership must lead by example.
- The “Zombie Policy”: The policy is dated 2019. It mentions “fax machines” but misses “AI”. Auditor knows you haven’t reviewed it.
- Lack of Enforcement: You have a policy against Shadow IT, but the auditor sees “Spotify” and “Steam” installed on the developer’s laptop during the screen share.
Handling Exceptions: The Break Glass Protocol
What if a dev needs admin rights to install a specific tool for a project?
- The Trigger: “I need to install Docker Desktop, but I don’t have admin rights.”
- The Action: Submit a ticket. CTO approves temporary elevation of privilege.
- The Paper Trail: Log the exception in the Service Desk. “Admin rights granted for 4 hours for installation.”
- Cleanup: Rights are automatically revoked after the window.
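The four steps above, modelled as an added example (not code from the original page or from any product it names): a small Python break-glass tracker that records the ticket, the approver and the reason, refuses self-approval and windows longer than the policy allows, and revokes expired grants both on the next access check and from a scheduled sweep. Ticket numbers, user names and timestamps are constructed sample values; the 4-hour cap mirrors the window quoted in the text.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Elevation:
    """One approved, time-boxed grant of admin rights (the 'paper trail' entry)."""
    ticket: str
    user: str
    approver: str
    reason: str
    granted_at: datetime
    expires_at: datetime

    def active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


@dataclass
class BreakGlass:
    """Tracks temporary elevations and keeps an append-only audit log."""
    max_window: timedelta = timedelta(hours=4)   # policy cap, from the text's example
    grants: dict[str, Elevation] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def _log(self, now: datetime, event: str) -> None:
        self.audit_log.append(f"{now.isoformat()} {event}")

    def request(self, ticket: str, user: str, approver: str, reason: str,
                now: datetime, hours: float = 4.0) -> Elevation:
        """The Trigger + The Action: ticket raised, approved by someone else."""
        # Separation of duties: nobody approves their own elevation.
        if approver == user:
            self._log(now, f"{ticket} REJECTED self-approval by {user}")
            raise PermissionError("approver must differ from requester")
        window = timedelta(hours=hours)
        if window > self.max_window:
            self._log(now, f"{ticket} REJECTED window {hours}h exceeds policy cap")
            raise ValueError("requested window exceeds policy maximum")
        grant = Elevation(ticket, user, approver, reason, now, now + window)
        self.grants[user] = grant
        self._log(now, f"{ticket} GRANTED admin to {user} by {approver} "
                       f"until {grant.expires_at.isoformat()} reason={reason!r}")
        return grant

    def is_admin(self, user: str, now: datetime) -> bool:
        """Check made at use time; an expired grant is revoked the moment it is touched."""
        grant = self.grants.get(user)
        if grant is None:
            return False
        if not grant.active(now):
            self.revoke(user, now, cause="expired")
            return False
        return True

    def revoke(self, user: str, now: datetime, cause: str = "manual") -> None:
        grant = self.grants.pop(user, None)
        if grant is not None:
            self._log(now, f"{grant.ticket} REVOKED admin from {user} ({cause})")

    def sweep(self, now: datetime) -> list[str]:
        """The Cleanup: scheduled job that revokes every grant whose window has closed."""
        expired = [u for u, g in self.grants.items() if not g.active(now)]
        for user in expired:
            self.revoke(user, now, cause="expired")
        return expired


def demo() -> dict:
    """Walk the scenario from the text; all names, tickets and times are constructed."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    bg = BreakGlass()
    bg.request("SD-1042", "dev.alice", "cto", "install Docker Desktop", t0)
    during = bg.is_admin("dev.alice", t0 + timedelta(hours=1))
    after = bg.is_admin("dev.alice", t0 + timedelta(hours=4, minutes=1))
    try:
        bg.request("SD-1043", "dev.bob", "dev.bob", "self-approved tool", t0)
        self_approval_rejected = False
    except PermissionError:
        self_approval_rejected = True
    bg.request("SD-1044", "dev.carol", "cto", "driver update", t0, hours=2)
    swept = bg.sweep(t0 + timedelta(hours=3))
    return {"during": during, "after": after,
            "self_approval_rejected": self_approval_rejected,
            "swept": swept, "log": bg.audit_log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The point worth keeping from this model is that the audit log, not the grant itself, is the artefact the auditor asks for: every grant, rejection and revocation carries the ticket reference, so the Service Desk entry in the text and the technical record line up.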
The Process Layer: Standard Operating Procedure (SOP)
Tools: HR Platform (BambooHR/Hibob), DocuSign.
- Pre-Hire: Send AUP with the contract via DocuSign.
- Day 1: Manager verifies signature before handing over the laptop.
- Annual: Automated email from HR system asking staff to re-read and re-sign the updated AUP.
- Exit: HR ticks the box confirming that assets were returned and that the leaver was reminded of ongoing AUP obligations (such as confidentiality).
Frequently Asked Questions (FAQ)
What is ISO 27001 Annex A 5.10 for tech startups?
ISO 27001 Annex A 5.10 requires startups to define and implement rules for the acceptable use of information and other associated assets. For 100% compliance, leadership must document an Acceptable Use Policy (AUP) that governs how employees interact with company data, hardware, and SaaS platforms to mitigate the 90% of security breaches caused by human error.
What are the mandatory elements of an ISO 27001 AUP?
A compliant AUP must provide clear instructions on prohibited activities and security responsibilities for all personnel. To satisfy Annex A 5.10, the policy should include these 4 critical components:
- Information Classification: Rules for handling data based on its sensitivity level (e.g. Restricted vs Public).
- Asset Protection: Requirements for physical security, such as “Clean Desk” rules and screen locking.
- Communication Tools: Restrictions on the use of personal email, messaging apps, or unauthorised SaaS tools for business data.
- Remote Working: Specific security protocols for 100% remote or hybrid teams using home Wi-Fi or public spaces.
How do startups manage BYOD under Annex A 5.10?
Startups must enforce strict rules for Bring Your Own Device (BYOD) to prevent 1st-party data leakage into unmanaged environments. Implementation usually requires 100% of personal devices to have Mobile Device Management (MDM) software installed. This allows for remote wiping of business data, which protects an average of £15,000 per device in potential intellectual property loss.
How do you communicate acceptable use rules to staff?
Rules must be communicated during the 100% mandatory onboarding process and reinforced through annual security awareness training. Auditors require objective evidence that employees have read and signed the AUP. Digital signature platforms (e.g. DocuSign) can reduce the administrative burden of tracking compliance by approximately 80% for high-growth firms.
What are the consequences of non-compliance with the AUP?
The AUP must explicitly state that failure to follow acceptable use rules results in disciplinary action, which may include termination for gross misconduct. Including these enforcement clauses ensures 100% alignment with Annex A 5.1 and Clause 7.2. Startups with a formalised enforcement framework see a 50% improvement in security culture maturity scores during external audits.
Conclusion
ISO 27001 Annex A 5.10 isn’t about policing your staff; it’s about protecting them and the business. By defining clear boundaries using the ISO 27001 Toolkit, you empower your team to work securely without second-guessing every click. Get the policy right, enforce it fairly, and you turn a vulnerability into a strength.