ISO 27001:2022 Annex A Control 5.10 (A.5.10)
Explaining Control 5.10 (A.5.10) Acceptable use of information and other associated assets
ISO 27001 Annex A Control 5.10 establishes the rules for acceptable use and proper handling of information and other associated assets within your organization. This control helps you maintain confidentiality, integrity, and availability of data by clearly defining usage boundaries and responsibilities. By implementing a topic-specific Acceptable Use Policy, you can reduce the likelihood of unauthorized activities, data breaches, or loss of critical information.
Control Type
- Preventive
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
Operational Capabilities
- Asset Management
- Information Protection
Security Domains
- Governance and Ecosystem
- Protection
Objective of Control 5.10
The main objective of Control 5.10 is to set clear guidelines on how information and related assets can be used within your organization. This ensures that employees, contractors, and external parties understand the allowed and restricted activities, along with the consequences of non-compliance. Through a well-defined acceptable use framework, your organization can reduce security risks, manage resources more effectively, and maintain overall compliance with ISO 27001 requirements.
Purpose of Acceptable Use
The purpose of establishing an Acceptable Use Policy is to protect your organization’s information resources throughout their entire lifecycle, from creation to disposal. This includes:
- Defining Acceptable Behaviors: Highlighting permissible and impermissible actions regarding the use of devices, software, data, and online services.
- Reducing Risks: Minimizing incidents related to negligence or deliberate misuse of resources.
- Protecting Information: Ensuring that all data, whether stored on-premises or in the cloud, is handled in a way that preserves confidentiality, integrity, and availability.
- Supporting Business Operations: Enabling authorized individuals to use resources efficiently without jeopardizing security.
Policy Requirements
Scope and Applicability
Your Acceptable Use Policy should apply to all individuals and entities that interact with your organization’s assets. This includes employees, contractors, vendors, and partners who access data, systems, or services.
- All Devices and Platforms: Incorporate details covering workstations, mobile devices, cloud services, and any third-party environments.
- Data Sensitivity Levels: Address how different data classification levels must be handled according to their confidentiality requirements.
Expected and Unacceptable Behaviors
Define acceptable actions so everyone is aware of what is permitted. Provide concrete examples of behaviors that are acceptable and those that are not.
- Acceptable Actions: Using email and internet access for legitimate business purposes, safeguarding login credentials, encrypting sensitive files.
- Unacceptable Actions: Sharing passwords, accessing unauthorized systems, installing unapproved software, or bypassing security measures.
Monitoring and Auditing
Your organization should communicate that it reserves the right to monitor system usage to validate compliance.
- Transparency: Clearly mention the monitoring activities, such as email, internet traffic, and device logs.
- Privacy Considerations: Outline how privacy is respected, but note that misuse of assets can lead to investigations.
Permitted and Prohibited Use of Information
Categorize which activities and data usage scenarios are permissible. Prohibited uses can include any actions that may expose your organization to legal, regulatory, or reputational risk.
- Business vs. Personal Use: Clarify boundaries for personal activities, such as limited personal email or internet browsing, if allowed.
- Download Controls: State rules for downloading software and plugins, emphasizing the need for security approval.
Communication and Awareness
Policy Distribution
Provide the Acceptable Use Policy to all relevant personnel and ensure they acknowledge it. Make the document readily available, for instance on your organization’s intranet or shared drive.
Regular Training
Offer periodic training that explains acceptable use principles. Update these sessions whenever the policy changes or new risks emerge.
User Acknowledgment
Require staff and external parties to confirm that they have read and understood the policy, for example by signing a statement or completing an e-learning module.
Acceptable Use Procedures
Full Information Lifecycle Coverage
Your organization’s procedures should cover the creation, storage, distribution, use, and disposal of information. This comprehensive approach helps maintain security at every stage.
- Access Restrictions: Align access rights with classification levels. Only individuals with the appropriate clearance should handle sensitive data.
- Authorized Users Record: Keep an updated record of all individuals allowed to work with specific information assets.
- Protection of Copies: If data is copied (for instance, for collaboration or backup), treat those copies with the same level of protection as the original.
- Storage Guidance: Store assets according to manufacturers’ specifications, and consider environmental factors such as temperature, humidity, and secure enclosures.
- Marking and Labeling: Label physical and electronic media to reflect their classification or sensitivity level.
- Disposal and Deletion: Outline secure destruction methods for documents, media, and electronic data. Clarify the process for authorizing disposal requests.
Ensuring Compliance in Collaborative Environments
Your organization may use cloud-based collaboration tools or external platforms. Specify how data classification, labeling, and secure disposal apply in these environments.
- Shared Responsibility: Make sure agreements with third-party providers include acceptable use conditions and data protection measures.
- Encryption: Where possible, use encryption for data shared in public or hybrid clouds.
Roles and Responsibilities
Management
Approve the acceptable use policy and ensure it aligns with business objectives.
Allocate the necessary resources for consistent implementation and oversight.
Information Security Team
Draft, review, and update the policy.
Conduct routine audits and assessments to confirm adherence to acceptable use guidelines.
Investigate and respond to any violations or incidents.
All Personnel and External Parties
Understand and comply with the Acceptable Use Policy.
Report any suspected or known policy violations or security incidents.
Keep login credentials and other sensitive information secure at all times.
Guidance Highlights
- Security Awareness: Reinforce awareness so employees recognize the role they play in maintaining information security.
- Third-Party Management: Include specific acceptable use clauses in supplier contracts to ensure external parties follow your security standards.
- Protect Data Everywhere: Encourage encryption of data at rest and in transit, along with strong access controls.
- Documentation: Maintain audit trails and incident logs to keep track of usage patterns and detect anomalies.
Related Controls
Control 5.12 – Classification of Information
This control outlines how to classify data based on its sensitivity, which directly influences acceptable use procedures and access rights.
Control 7.8 – Storage Media Protection
This relates to how storage media should be physically and logically protected, reinforcing the principles in your acceptable use guidelines.
Control 7.10 – Transport of Information
Addresses secure methods for transporting or transferring information. It aligns with marking, labeling, and monitoring obligations.
Control 8.10 – Disposal of Media
Specifies proper disposal methods to ensure no retrievable data remains on media once it is discarded, aligning with the acceptable use disposal clause.
Templates for Implementation
Acceptable Use Policy Template
A standardized template that includes sections on scope, acceptable behaviors, prohibited actions, monitoring, and user responsibilities. You can adapt it to your organization’s specific requirements.
Asset Register Template
A document that helps track information assets (hardware, software, and data). This assists in assigning ownership, defining access levels, and maintaining a real-time view of who has permissions to handle specific assets.
Information Handling Procedures
A step-by-step guide that describes how to handle data in alignment with classifications. It ensures consistency across departments and clarifies tasks such as labeling, access control, and storage practices.
User Training Presentation
A set of slides or an online course that covers key points of the Acceptable Use Policy, plus practical examples of common pitfalls and best practices. This can be updated to address emerging threats or new organizational policies.
Conclusion
Control 5.10 in ISO 27001 guides you on how to create, maintain, and enforce an Acceptable Use Policy for information and other associated assets. By clarifying permitted activities, defining roles and responsibilities, and setting procedures for the full data lifecycle, you build a secure foundation for your organization’s daily operations. A well-communicated policy, combined with ongoing training and robust monitoring, enables you to safeguard confidential information, reduce risk, and maintain compliance with your information security objectives.