What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.10

ISO 27001 Annex A 5.10 - what changed in the 2022 update

One of the most practical controls in the ISO 27001 framework is the “Acceptable Use Policy” (AUP). It’s the set of rules that tells everyone, from the CEO to the newest intern, what they can and cannot do with the company’s laptops, data, and systems. In the 2022 update of the standard, this control was moved and refined, becoming Annex A 5.10: “Acceptable use of information and other associated assets.”

If you are transitioning from the 2013 version (where this was primarily control A.8.1.3), there are some structural and qualitative changes you need to know about. Let’s break down the evolution of “Acceptable Use” and what it means for your modern workplace.

The Structural Merge: From Two Controls into One

The most obvious change in the 2022 revision is consolidation. In the 2013 version, the rules were somewhat split: A.8.1.3 focused on the Acceptable Use of assets, while A.8.2.3 focused on the Handling of assets. These two were closely related but sat in different sub-sections.

In the ISO 27001:2022 update, these have been combined into the single control: Annex A 5.10. According to Hightable.io, this merge is designed to make the standard more user-friendly by grouping all “user-facing” rules for asset interaction in one place. It creates a more logical flow: first you identify the assets (5.9), and then you define how they should be used and handled (5.10).

From Physical “Assets” to “Information and Other Associated Assets”

Language matters in ISO standards, and the change in the title of this control is significant. The 2013 version was titled “Acceptable use of assets.” The 2022 version is titled “Acceptable use of information and other associated assets.”

This shift emphasizes that information is the star of the show. Your policy shouldn’t just be about not spilling coffee on a laptop; it needs to cover how data is handled across cloud platforms, SaaS tools, and personal devices (BYOD). As noted by Hightable.io, the “associated assets” are the supporting cast—the hardware and software—but the focus of the rules must remain on protecting the data they contain.

New Requirements for Disposal and Deletion

One of the more “hidden” changes in the 2022 version is a new emphasis on the end of the asset lifecycle. While the 2013 version touched on asset return, Annex A 5.10 now explicitly includes requirements for the approval of disposal and the use of supported deletion methods.

In a world of remote work, simply “returning a laptop” isn’t the end of the story. The 2022 standard expects your acceptable use procedures to cover how information is securely wiped or deleted when it’s no longer needed, especially when that information resides on assets that aren’t strictly company-owned (like a contractor’s personal machine or a temporary cloud storage bucket).


Key Elements of an Updated Acceptable Use Policy

To meet the 2022 standard, your policy needs to be more than a list of “don’ts.” It should be a comprehensive guide to safe behavior. Effective implementation now typically includes:

  • Clear Boundaries: Defining exactly what constitutes “personal use” and whether it is permitted on company systems.
  • Cloud and SaaS Rules: Explicitly stating which cloud services are approved and how data should be handled within them.
  • Social Media and Communication: Guidelines for using company email, Slack, Teams, and social media platforms.
  • Acknowledgment: A formal process where users sign off on the policy, showing they understand their specific responsibilities.
  • Monitoring Transparency: Clearly stating if and how the organisation monitors system use, ensuring this is balanced with privacy laws.

Why the Change Matters for Your Audit

Auditors looking at the 2022 version will be searching for evidence that your acceptable use rules are actually implemented and communicated, not just written down. They will want to see that your staff aren’t just aware of the policy, but that they are following specific procedures for handling sensitive information.

The transition from 2013 to 2022 reflects a shift toward information-centric security. By combining usage and handling into Annex A 5.10, the standard makes it easier for you to build a culture where everyone understands that protecting information is a daily, active responsibility.