ISO 27001 Annex A 5.10 is about making rules for how people can use a company’s information and other assets. The goal is to make sure that these items are used safely and correctly. This helps keep data private, correct, and available.
What is ISO 27001 Annex A 5.10?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Acceptable Use Of Information And Other Associated Assets”.
What is the ISO 27001 Annex A 5.10 control objective?
The formal definition and control objective in the standard is: “Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.”
What is the purpose of ISO 27001 Annex A 5.10?
The purpose of ISO 27001 Annex A 5.10 is “To ensure information and other associated assets are appropriately protected, used and handled.”
Is ISO 27001 Annex A 5.10 Mandatory?
ISO 27001 Annex A control 5.10 (Acceptable Use Of Information And Other Associated Assets in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.10 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
The main rule is that you must have rules for how people use company information and other associated assets. You should write these rules down, communicate them, and make sure everyone follows them.
This includes:
- Creating a policy: Write a clear policy that says what is and is not acceptable to do with information and assets.
- Making it clear: Make sure the policy is easy to understand, and tell people what is expected of them.
- Following the rules: Have a plan for what to do if someone breaks the rules.
What the Rules Should Cover
Your rules should cover these topics:
- What people are allowed and not allowed to do with company data.
- What people can and cannot do with company devices and systems.
- How the company will monitor the way people use its information and assets.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will check that:
- You have a documented acceptable use policy.
- You have told everyone about the policy.
- Your policy covers the whole life cycle of the information, from when it is created to when it is deleted.