ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets

ISO 27001 Annex A 5.10 requires an organisation to identify, document and implement rules for the acceptable use and handling of its information and other associated assets. The aim is to make sure these assets are used and handled safely and correctly throughout their life, so that the information stays confidential, accurate and available when needed.

What to Do

The core requirement is that rules for how people may use company information and associated assets exist, are written down, and are actually applied. It is not enough to have a policy on file; staff must know it, and the organisation must be able to show that it is followed.

This includes:

  • Creating a policy: Write a clear acceptable use policy that states what is and is not permitted with company information, devices and systems.
  • Communicating it: Make the policy easy to understand and make sure everyone who uses the assets (staff, contractors and other third parties) knows what is expected of them, for example through onboarding and regular awareness training.
  • Enforcing it: Define what happens when the rules are broken, and who handles it, so that breaches are dealt with consistently.

What the Rules Should Cover

Your rules should cover these topics:

  • What people are allowed and not allowed to do with company information, including how it should be handled, stored, shared and disposed of.
  • What people may and may not do with company devices, systems and accounts, including any rules on personal use.
  • How the company monitors use of its information and assets, so that people know what is checked and why.

What an Auditor Checks

An auditor will check a few things:

  • That a documented acceptable use policy exists and has been approved.
  • That the policy has been communicated to everyone it applies to, and that you can show evidence of this (for example training records or signed acknowledgements).
  • That the policy covers the whole lifecycle of the information, from when it is created, through storage, use and sharing, to when it is disposed of or deleted.

Frequently Asked Questions

What is the purpose of this rule?

The purpose is to prevent information and other assets from being misused, whether deliberately or by accident, by making sure everyone knows how they may be used and handled. This protects the company and the information it holds.

How has this rule changed?

In the 2013 version of the standard this was two separate controls (acceptable use of assets, and handling of assets). In the 2022 version they are merged into the single control 5.10. The merged control also adds an explicit point about authorising the disposal of information and assets and about securely deleting information when it is no longer needed.

What is an asset?

An asset is anything that has value to the company. This includes information itself, the systems and devices that store or process it, and intangible things such as the company's reputation.