A Tech Startup’s Practical Guide to ISO 27001 Annex A 5.10: Acceptable Use

ISO 27001 Annex A 5.10 for Tech Startups

In the fast-paced world of a tech startup, information security often feels like a list of technical tasks. You set up firewalls, configure encryption, and check access logs. But the weakest, and most critical, part of your security is the “human element”: the people who use those systems every day. This is where ISO 27001 Annex A 5.10, Acceptable use of information and other associated assets, steps in.

For a growing company, this control is not about creating red tape. It is about building a layer of accountability that reduces avoidable incidents before they happen. It operates on a simple principle: you cannot hold someone responsible for breaking a rule if they can honestly say, “I didn’t know the rule existed.”

The standard is brutally simple here. It says rules for acceptable use and handling of assets must be “identified, documented and implemented.” This is the whole game. You must define the rules, put them into practice, and prove they are in use. A policy sitting on a digital shelf offers zero protection to your business.

The Why Behind the What: Understanding the Evolution of A.5.10

To understand this control, you need to look at its history. The 2022 version of Annex A 5.10 merges two older controls from the 2013 edition: A.8.1.3 Acceptable use of assets and A.8.2.3 Handling of assets. This was a deliberate move.

By combining these, the standard makes a clear statement. “Using” and “handling” are two sides of the same coin. An auditor now expects to see a single thread of rules. These rules must cover an asset from the moment you create it until the moment you destroy it. A gap at any one stage, such as disposal, is a nonconformity against the whole control, not just against that stage.

The Cornerstone of Compliance: Crafting Your Acceptable Use Policy (AUP)

When an auditor looks at control A.5.10, they will ask for your Acceptable Use Policy (AUP) first. This document is your main defence. To satisfy an auditor, your AUP must be clear and built on three pillars.

Pillar 1: Expected Behaviour

This section defines what users should do. Do not be vague. Use examples relevant to your startup. Require the use of corporate email for business. Mandate that all source code stays in the official repository. Direct that company data must sit in approved, secure storage.

Pillar 2: Unacceptable Behaviour

You must also define what not to do. Draw a line in the sand. Forbid installing unauthorised software. Ban access to risky websites like gambling sites. Crucially, ban the sharing of confidential data on personal apps like WhatsApp. This is a common risk in modern startups.

Pillar 3: Transparency About Monitoring

Do not get nervous about this. Your AUP must state that you may monitor activities like network traffic and access logs, and for what purpose. This sets a clear boundary. It builds trust through honesty. It also supports your legal position by removing any “reasonable expectation of privacy” on company systems. The caveat is that the monitoring itself must be lawful and proportionate in your jurisdiction (employment and data protection law still apply), so state what you monitor and why, not a blanket “we watch everything”.


From Policy to Practice: Covering the Full Information Lifecycle

A policy document alone is not enough. You need to prove that your rules work in real life. You must cover every stage of an asset’s life.

Creation and Storage

You need clear data classification levels, like Public, Internal, or Confidential. Ensure every new piece of information gets a label. Specify approved storage locations. Explicitly prohibit storing confidential data in personal cloud storage accounts, such as an employee’s own Dropbox or Google Drive.

Transfer and Access

Link access rights to your classification levels. Grant access on a need-to-know basis. Define how to transfer information safely. If you email a confidential report, you must protect the attachment just as much as the original file: encrypt it, or send a link to the controlled copy in approved storage rather than a loose copy that can be forwarded anywhere.

Disposal

This is the “forgotten stage.” Your procedures cannot end when you stop using an asset. Define how to destroy data. Use cross-cut shredding for paper and secure wipe software for digital media. Be aware that overwriting is unreliable on SSDs and impossible on storage you do not physically control, so for those use the device’s built-in sanitise or cryptographic erase, or the cloud provider’s deletion process, and record what you did. If the data is confidential, the auditor will want proof (a wipe log or a certificate of destruction) that you destroyed it.

The Modern Tech Challenge: Cloud Services and Shadow IT

For tech startups, cloud assets are a major focus for auditors. Control A.5.10 covers assets that “don’t belong to the organisation.” This means your rules must cover every SaaS platform and third-party tool you use.

Identify and Inventory

You cannot protect what you do not know about. First, identify every cloud tool your team uses. Include them in your asset inventory. This links directly to control A.5.9. Tools like hightable.io help here by keeping a living inventory of these external assets rather than a spreadsheet that goes stale.

Check Your Contracts

Your AUP is only as strong as your vendor contracts. If your policy says data must stay in your country, but your SaaS provider does not guarantee that, you have a compliance gap. This is a direct failure to implement the control.

Tackling Shadow IT

“Shadow IT” happens when an employee signs up for a free tool to get a job done quickly. Because the tool was never approved, it sits outside your handling rules, and the moment company data is moved into it the control is breached. Your AUP must state the approval process for new tools explicitly, so the path of least resistance is to ask rather than to improvise.

Preparing for the Audit: Evidence and How to Avoid Failures

You can have great policies, but if you cannot prove them, you will fail. Successful implementation means presenting concrete evidence.

The Three Pillars of Evidence

When an auditor walks in, they will demand three things:

  • The AUP Document: It must be current and formally approved by management.
  • Supporting Procedures: These are the “how-to” guides for creation, storage, transfer, and disposal.
  • Verifiable Acceptance: This is the most common failure point. You need proof that every user accepted the AUP, and which version they accepted. Simply emailing the policy out is not enough. You need a system record of the acceptance or a signed document. An auditor might pick a random developer and ask for their acceptance record. If you cannot show it, you have a problem.

Top Three Mistakes to Avoid

Failures are rarely technical. They are usually procedural.

  • Lack of Active Acceptance: You cannot hold someone accountable if they did not know the rule. Get active, provable consent every time the policy changes.
  • Forgetting Lifecycle Stages: Do not just focus on access. Remember to cover secure disposal. You need procedures for old hard drives and backup tapes too.
  • Sloppy Document Control: Auditors check version numbers. If your policy and procedure versions do not match, or if a document has no review history, it signals a dead system.
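The two acceptance points above (proof of acceptance per user, and fresh acceptance every time the policy changes) come down to one record-keeping discipline: bind each acceptance to the exact policy text accepted. The following is an added example, not code from the original article or from High Table, of an append-only acceptance register that does this by hashing the policy wording. Class and function names (AcceptanceRegister, record_acceptance, outstanding) and the staff names and policy texts are hypothetical, constructed for the example.

```python
"""
Added example, not part of the original article: a minimal, version-bound
AUP acceptance register. Each record ties a user to the SHA-256 hash of the
exact policy text they accepted, so an auditor can check that the acceptance
on file matches the version in force, and any change to the policy wording
automatically invalidates earlier acceptances. All names, policy texts and
user IDs below are hypothetical, constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def policy_hash(text: str) -> str:
    """Hash of the exact wording the user saw; a one-character edit changes it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acceptance:
    user: str
    policy_version: str
    policy_sha256: str
    accepted_at: str  # ISO 8601 timestamp in UTC


@dataclass
class AcceptanceRegister:
    # Append-only: records are added, never edited or removed.
    records: List[Acceptance] = field(default_factory=list)

    def record_acceptance(self, user: str, version: str, policy_text: str,
                          when: Optional[datetime] = None) -> Acceptance:
        when = when or datetime.now(timezone.utc)
        rec = Acceptance(user, version, policy_hash(policy_text), when.isoformat())
        self.records.append(rec)
        return rec

    def current_acceptance(self, user: str, policy_text: str) -> Optional[Acceptance]:
        """The record proving `user` accepted this exact policy text, or None.

        This answers the auditor's "show me this developer's acceptance
        record". Matching is on the hash, so acceptance of an older wording
        does not count.
        """
        h = policy_hash(policy_text)
        matches = [r for r in self.records if r.user == user and r.policy_sha256 == h]
        return matches[-1] if matches else None

    def outstanding(self, users: List[str], policy_text: str) -> List[str]:
        """Users who have not yet accepted the policy text currently in force."""
        return sorted(u for u in users if self.current_acceptance(u, policy_text) is None)

    def export_jsonl(self) -> str:
        """Evidence bundle: one JSON object per line, ready for an auditor to sample."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self.records)


# Constructed scenario: everyone accepts v1.0, then the policy changes and
# only one person re-accepts the new wording.
STAFF = ["alice", "bob", "carol"]
AUP_V1 = "Acceptable Use Policy v1.0\n1. Use corporate email for business.\n"
AUP_V2 = AUP_V1 + "2. Do not share confidential data on personal messaging apps.\n"


def run_scenario() -> Tuple[List[str], List[str]]:
    """Returns (users outstanding before the policy change, users outstanding after it)."""
    reg = AcceptanceRegister()
    for u in STAFF:
        reg.record_acceptance(u, "1.0", AUP_V1)
    before = reg.outstanding(STAFF, AUP_V1)  # [] - everyone is covered

    # Policy changes: the v1.0 acceptances no longer match the text in force.
    reg.record_acceptance("alice", "2.0", AUP_V2)
    after = reg.outstanding(STAFF, AUP_V2)  # ['bob', 'carol']
    return before, after


if __name__ == "__main__":
    before, after = run_scenario()
    print("outstanding before change:", before)
    print("outstanding after change:", after)
```

The design point is that the record stores a hash of the wording, not just a version label. A version label can be bumped without anyone re-reading the text, or left unchanged after an edit; the hash cannot. Keeping the register append-only (in practice, a write-once log or a table the application can only insert into) is what makes the export usable as audit evidence rather than as something a well-meaning admin could tidy up after the fact.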

Connecting the Dots: How A.5.10 Anchors Your ISMS

Annex A 5.10 does not exist in a vacuum. It anchors the human side of your Information Security Management System (ISMS). It connects to other key controls.

It links to A.5.9 (Inventory), which defines what you protect. It links to A.5.12 (Classification), which drives your handling rules. And it links to A.5.14 (Information transfer), which provides the technical rules for moving data. By getting Annex A 5.10 right, you build a strong foundation for your entire security programme.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.