Acceptable Use of Information and Other Associated Assets - ISO 27001 Annex A Control
ISO 27001 Annex A 5.10
Acceptable use turns vague expectations into specific rules people can follow.
Acceptable use rules set out what people can and cannot do with the information they have access to and the systems they use. They cover personal use of company systems, what kinds of data can be stored where, what can be sent over email or shared externally, what software can be installed, and the security expectations that apply to anyone touching company information, whether employees, contractors or other external parties who have been given access.
The rules need to be visible to everyone they apply to. That means they live in the policy framework, are communicated and acknowledged at induction and reinforced in awareness training, and are the reference point when a question or breach comes up. Staff should not have to guess what counts as acceptable: the rules have to be written down somewhere they can read them, and the organisation should be able to show that the people bound by them have seen them.
Acceptable use is one of the areas where the topic-specific policies from Annex A 5.1 do most of the work. Different topics have different rules - the access control policy sets one set of expectations, the email and messaging policy another, the BYOD policy another. Together they form the acceptable use rules for the organisation.
I will sometimes ask a member of staff what they would do if they wanted to share a confidential file with a customer. The answer tells me whether the acceptable use rules are real to them or just a document that exists somewhere. If they describe the approved file transfer route confidently, the rules are working. If they say they would just email it, there is a gap.
Practical Compliance Guidance
Acceptable use rules are described across the topic-specific policies in the IMS1 manual at section 8.5. The manual references specific policies including ICT Equipment, Clear Desk and Screen, Password, Mobile Device, Anti-Malware and Software policies, all of which contribute to the overall acceptable use framework.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the topic-specific policies that set the acceptable use rules - ICT equipment, BYOD, clear desk, password, remote working, mobile device, anti-malware, software, web content, internet messaging and information transfer. |
Note - all the above files can be downloaded with an alphaZ subscription.
