Acceptable Use

To achieve compliance with ISO 27001 Annex A 5.10, organisations must establish clear rules for the acceptable use of information and assets. This implementation process ensures that every user understands their responsibilities, reducing the risk of data breaches and equipment misuse. Follow these ten technical steps to formalise your acceptable use framework and satisfy auditor requirements.

1. Catalog All Information Assets

• Update the central Asset Register to include all physical devices, software licenses, and cloud-hosted data sets.
• Identify the specific owners for each asset class to ensure accountability for usage rule enforcement.
• Verify that every item in the inventory has a unique identifier for tracking throughout its lifecycle.

2. Formalise the Acceptable Use Policy (AUP)

• Draft a comprehensive AUP that defines the expected behaviour for employees, contractors, and third-party vendors.
• Include specific clauses regarding the personal use of corporate equipment and the prohibition of illegal activities.
• Ensure the policy is written in clear language and approved by senior management to give it regulatory weight.

3. Define Technical Rules of Engagement (ROE)

• Document the ROE for high-risk systems, specifying exactly how administrators and users should interact with sensitive databases.
• Establish boundaries for penetration testing or security research to prevent accidental service disruption.
• Distinguish between standard user operations and privileged administrative actions within the documentation.

4. Align Usage Rules with Information Classification

• Map the AUP requirements to your Information Classification Schema, ensuring stricter rules for “Confidential” or “Secret” data.
• Specify handling instructions for different media types, including paper records, removable storage, and digital transfers.
• Identify prohibited storage locations for sensitive data, such as personal cloud drives or unencrypted devices.

5. Enforce Identity and Access Management (IAM) Roles

• Provision access based on the Principle of Least Privilege (PoLP), ensuring users only access assets required for their role.
• Integrate Multi-Factor Authentication (MFA) as a mandatory requirement for accessing any asset covered by the AUP.
• Automate role-based access controls to revoke permissions immediately when a user’s job function changes.

6. Deploy Security Monitoring and Logging

• Implement logging across all endpoints to track file access, login attempts, and policy violations.
• Configure Data Loss Prevention (DLP) tools to block the unauthorised transfer of sensitive information as defined in the AUP.
• Establish a process for regular log reviews to identify anomalies that may indicate a breach of acceptable use.

7. Execute Mandatory Awareness Training and Sign-off

• Roll out a security awareness programme that specifically covers the contents and consequences of the AUP.
• Capture a formal digital sign-off from every user acknowledging they have read, understood, and agreed to the rules.
• Maintain a version-controlled record of these sign-offs for presentation during an ISO 27001 certification audit.

8. Secure Mobile and Remote Access

• Extend the AUP to cover Bring Your Own Device (BYOD) and remote working scenarios through Mobile Device Management (MDM).
• Require the use of encrypted Virtual Private Networks (VPNs) for any remote access to the corporate network.
• Define clear rules for the use of company assets in public spaces, focusing on physical security and shoulder surfing risks.

9. Establish Asset Return and Offboarding Protocols

• Formalise the process for the return of all physical and logical assets when an individual leaves the organisation.
• Update the Asset Register to reflect the return and redistribution of equipment, ensuring no “ghost” assets remain active.
• Revoke all digital credentials and IAM roles as the final step in the offboarding workflow to prevent unauthorised post-employment access.

10. Conduct Periodic Compliance Audits

• Perform regular internal audits to verify that the AUP is being followed across different departments.
• Review the policy at least annually, or when significant changes occur to the IT infrastructure or threat landscape.
• Document any non-conformities and implement corrective actions to continuously improve the security posture.