ISO27002:2022 Clause A 5.10 Acceptable Use Of Information And Other Associated Assets
In this article I lay bare ISO27001:2022 Annex A 5.10 Acceptable use of information and other associated assets, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is ISO27001 Annex A 5.10.
What is ISO27001 Annex A 5.10 Acceptable use of information and other associated assets?
ISO27001 Annex A 5.10 Acceptable use of information and other associated assets is an ISO27002:2022 control that requires an organisation to implement rules and procedures for the acceptable use of information and other assets.
People need to be informed what is and what is not acceptable to ensure the proper use, handling and protection of organisation assets.
ISO27001 Annex A 5.10 Definition
The ISO27001 standard defines ISO27001 Annex A 5.10 Acceptable use of information and other associated assets as:
“Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.”
ISO27001 Annex A 5.10 Acceptable use of information and other associated assets
ISO27001 Annex A 5.10 Implementation Guide
You are going to have to ensure that:
- Personnel, contractors and third party users are made aware of the information security requirements for protecting and handling assets and information
- People are responsible for their use of company assets
- There is a topic specific policy on acceptable use
- Acceptable use procedures are documented, communicated and in place
What should an acceptable use policy cover?
The Acceptable Use Policy should cover the following topics:
- Expected behaviour for information security
- Unacceptable behaviour for information security
- What monitoring the organisation is doing
What acceptable use processes do I need?
You are going to have acceptable use processes for the full information security lifecycle, based on its classification and identified risks. What this means is you will consider:
- Access restrictions that are based on classification
- Having a record of authorised users of information and systems
- Protecting information that has been copied to the same level as the original
- Following manufacturers' specifications when storing information
- Marking storage media for the attention of the recipient
- Processes for disposing of information and other assets, including deletion methods and authorisation
Acceptable Use and Cloud Services
So what about assets that do not belong to the organisation? Cloud-based assets, for example. Well, you need to identify those as well and record them as applicable and controlled. You are going to ensure that agreements are in place and that those agreements provide the required controls.
ISO27001 Annex A 5.10 Templates
You can save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.
How to comply with ISO27001 Annex A 5.10
To comply with ISO27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Implement a topic specific Acceptable Use Policy
- Implement Acceptable Use Procedures
- Communicate and gain acceptance of the Acceptable Use Policy
How to pass an audit of ISO27001 Annex A 5.10
To pass an audit of ISO27001 Annex A 5.10 Acceptable use of information and other associated assets you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.
What will an audit check?
The audit is going to check a number of areas. Let's go through the main ones:
#1 That you have an Acceptable Use Policy
What this means is that you need to show that you have an acceptable use policy in place, that it has been approved and signed off.
#2 That your Acceptable Use Policy has been communicated and accepted
You need to communicate the Acceptable Use Policy to all staff and get them to accept it. There are many ways to record acceptance of a policy, from getting email confirmation or an actual signature to using a training tool to distribute it and seek understanding and acceptance.
#3 That you have covered the entire information lifecycle
Acceptable use covers the entire information lifecycle. It is unlikely that the acceptable use policy will cover everything that is required, and it would not make sense for it to do so. Rather, you will have a suite of complementary topic specific policies covering things such as logging and monitoring, and access control.
Top 3 Mistakes People Make for ISO27001 Annex A 5.10
The top 3 mistakes people make for ISO27001 Annex A 5.10 are:
#1 You haven’t got acceptance from people of the policy
As well as having the policy, you need to communicate it and get people to accept it. Often people think it is enough just to ‘have’ a policy. It is not.
#2 You forgot the bits that were not obvious
Acceptable use is part of many of the policies that you will have, as you are communicating to people what is expected of them. Having a complete set of policies that cover the entire information lifecycle is important, considering access control, information destruction, handling, information transfer and more.
#3 Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
Why is ISO27001 Annex A 5.10 Acceptable use of information and other associated assets Important?
People cannot be expected to act in a certain way unless we tell them what is expected of them. We want to protect our organisation and our organisation assets and we want to let people know how they can use them. Even if they are what we might think are common sense. So we work out what is acceptable to us and we communicate it. It is part of information security training and awareness and it makes for a safer work environment. It is one of the first lines of information security defence.
ISO27001 Annex A 5.10 FAQ
No. It is a combination of controls ISO27001:2013 Clause 8.1.3 Acceptable Use of Assets and ISO27001:2013 Clause 8.2.3 handling of assets.
ISO27001:2022 Annex A 5.10 covers acceptable use of information and other associated assets.
ISO27002:2022 clause 5.10 covers acceptable use of information and other associated assets.
Nothing, they are the same thing. ISO27002 is a standard in its own right and is included as an Annex to the ISO27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.
Matrix of controls and attribute values