What is ISO 27001 Annex A 5.10?
ISO 27001 Annex A 5.10 requires organisations to identify, document and implement rules for the acceptable use of information and other associated assets, together with procedures for handling them. The control exists so that personnel and relevant external parties understand their security responsibilities whenever they use company information and equipment. Embedding these rules in the tools staff already use every day, such as SharePoint or an internal wiki, gives the control the visibility it needs to be followed rather than merely filed.
Auditor’s Eye: The Shortcut Trap
Many organisations rely on automated SaaS compliance platforms to manage their ISMS documentation. These platforms often generate generic policies that sit outside daily operations. Auditors treat this as a real risk: if an employee never visits the “compliance portal”, the policy is not implemented in any meaningful sense, and 5.10 asks for implementation, not just documentation. We prefer to see the Acceptable Use Policy within the native document repositories staff already use. SharePoint version history demonstrates active review and change control over time. A green tick in a third-party dashboard does not, on its own, prove that staff know and follow the rules. The evidence that carries weight is that people can find the policy, have acknowledged it and act on it, not that a tool reports the policy exists.
Transition Table (2013 vs 2022)
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Change |
|---|---|---|
| A.8.1.3 Acceptable Use of Assets | 5.10 Acceptable Use of Information and Other Associated Assets | Scope broadened to name “information” explicitly alongside other associated assets. |
| A.8.2.3 Handling of Assets | 5.10 Acceptable Use of Information and Other Associated Assets | Handling procedures merged into the same control, so acceptable use rules and handling procedures are now assessed together. |
How to Implement ISO 27001 Annex A 5.10 (Step-by-Step)
The control requires acceptable use rules and handling procedures to be identified, documented and implemented. Our recommendation is to document them within the business tools your staff already use. Start by defining what constitutes acceptable use for your specific operational context. This must be a lived process, not a static document.
- Identify Assets: Use your existing Jira or SharePoint asset registers. List all digital and physical assets.
- Draft Policy: Create the Acceptable Use Policy within your internal Confluence or company wiki. Focus on practical rules for the assets you have identified: what is permitted, what is prohibited, and how classified information must be stored, transferred and disposed of.
- Assign Ownership: Designate asset owners in your internal directory. They must define specific handling requirements for their assets.
- Capture Acknowledgement: Use internal workflow tools to record employee agreement. Avoid external platforms that isolate this data.
- Regular Reviews: Schedule quarterly reviews of the policy. Use meeting minutes to document discussions and updates.
ISO 27001 Annex A 5.10 Audit Evidence Checklist
- Documented Acceptable Use Policy stored in the company document management system.
- Timestamped logs of employee sign-offs within HR or workflow tools.
- Asset register entries identifying owners and classification levels.
- Internal communication records showing policy updates sent to staff.
- Evidence of disciplinary processes for policy violations in HR files.
Relational Mapping
Annex A 5.10 does not operate in isolation. It relies on Annex A 5.9 (Inventory of Information and Other Associated Assets) to identify what needs protection. It connects to Annex A 5.12 (Classification of Information) to determine handling rules. Finally, it supports Annex A 6.3 (Information Security Awareness, Education and Training) by providing the content for staff training programmes.
Auditor Interview
Auditor: Where do your employees find the rules for using company laptops?
User: The rules are in our staff handbook on the internal SharePoint site.
Auditor: How do you prove that a new starter has read these rules?
User: We use a Jira onboarding ticket that requires a manual confirmation from the employee.
Auditor: When was the last time you updated the social media usage section?
User: We reviewed and updated it last October. The version history in SharePoint shows the changes.
Common Non-Conformities
| Failure Mode | Reason for Non-Conformity |
|---|---|
| Automated Complacency | Relying on a SaaS platform’s “ready-made” policy without internal customisation or staff access. |
| Lack of Ownership | Policies exist but asset owners have not defined specific handling rules for sensitive data. |
| Stale Documentation | The Acceptable Use Policy has not been reviewed or updated for several years. |
Frequently Asked Questions
What is the primary requirement of Annex A 5.10?
The core requirement is to identify, document and implement rules for the acceptable use of information and other associated assets, along with procedures for handling them. Personnel and relevant external parties who use the organisation’s assets must be made aware of these rules and follow them. This ensures assets remain protected from unauthorised access, misuse or damage.
Who is responsible for identifying asset use rules?
The information asset owner holds the primary responsibility for defining usage rules. They must identify appropriate handling procedures. These rules must align with the organisation’s classification scheme. Managers then ensure their teams understand and follow these specific requirements.
How should an organisation communicate the Acceptable Use Policy?
Organisations should publish the policy in a central, accessible location like a company intranet. Integration into induction programmes is necessary. Regular reminders via internal channels maintain awareness. Auditors look for evidence that employees can easily find and reference these rules.
