AuditFront

ISO 27001 A.5.10: Acceptable use of information and other associated assets

What This Control Requires

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

In Plain Language

People need to know the rules of the road when it comes to using company resources. What can they do with their work laptop? Can they plug in a personal USB drive? What about storing company files in a personal Dropbox account? Without clear acceptable use rules you are relying on people to guess, and they will guess wrong.

The rules should cover computers, networks, email, internet access, mobile devices, and how information at different classification levels should be handled. They also need to address the realities of modern work: personal use of work equipment, social media, removable media, remote working, and BYOD.

Everyone - including contractors and third parties - needs to see these rules and acknowledge them before getting access to anything. Review them regularly, because the way people work changes faster than most policies keep up with.

How to Implement

Write an acceptable use policy in clear, non-technical language. Structure it around the types of assets and activities it covers so people can find the section relevant to them.

Cover the key topics: acceptable and unacceptable use of computers and networks, personal use rules for work equipment, email and messaging guidelines, internet and social media usage, handling requirements for each classification level, removable storage media, BYOD rules, remote working security, software installation, and cloud storage and file sharing.

For each topic, state clearly what is permitted, what is prohibited, and any conditions. Use examples to illustrate the boundaries. Spell out the consequences of violations and reference your disciplinary process.

Back up the policy with technical controls where you can. Web filtering for prohibited site categories, data loss prevention to catch unauthorised data transfers, endpoint management to control software installation, and mandatory encryption for removable media all help enforce the rules. The controls should match what the policy actually says (do not block what the policy permits, or permit what it prohibits), and the logs and configuration they produce are the evidence that the rules are enforced rather than merely written down.
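The following PowerShell script is an added example of one such technical control, the "removable media must be encrypted" rule; it is not code from the page or from AuditFront. It assumes a Windows 10/11 Pro or Enterprise endpoint with the BitLocker feature available and an elevated session. The registry value it writes, RDVDenyWriteAccess under HKLM\SOFTWARE\Policies\Microsoft\FVE, is the value that the Group Policy setting "Deny write access to removable drives not protected by BitLocker" sets, so the same rule can be pushed by GPO or Intune at scale; the script is for a standalone machine or for checking what an endpoint actually received. The function and variable names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or AuditFront): enforce and report on the
# acceptable use rule "removable media must be encrypted" on a Windows endpoint.
# Assumes Windows 10/11 Pro/Enterprise with BitLocker and an elevated session.

# Policy-backed registry value, identical to what Group Policy writes for
# "Deny write access to removable drives not protected by BitLocker".
$FvePolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FvePolicyName = 'RDVDenyWriteAccess'   # 1 = unencrypted removable drives mount read-only

function Set-RemovableMediaEncryptionPolicy {
    # Create the policy key if no GPO/MDM has created it yet, then set the value.
    if (-not (Test-Path -Path $FvePolicyKey)) {
        New-Item -Path $FvePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $FvePolicyKey -Name $FvePolicyName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RemovableMediaEncryptionPolicy {
    # $true only if the value exists and is exactly 1; a missing value means
    # the policy was never applied, which is the state auditors most often find.
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $FvePolicyName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$FvePolicyName -eq 1)
}

function Get-RemovableMediaComplianceReport {
    # One row per currently attached removable volume that has a drive letter,
    # showing whether BitLocker protection is actually on. Volumes without a
    # letter are skipped because Get-BitLockerVolume is addressed by mount point.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and ([string]$_.DriveLetter) -match '^[A-Z]$' } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bde   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = $mount
                Label            = $_.FileSystemLabel
                ProtectionStatus = if ($bde) { $bde.ProtectionStatus } else { 'Unknown' }
                VolumeStatus     = if ($bde) { $bde.VolumeStatus }     else { 'Unknown' }
                Compliant        = [bool]($bde -and $bde.ProtectionStatus -eq 'On')
            }
        }
}

# Apply, verify, and print the evidence an auditor would want to see.
Set-RemovableMediaEncryptionPolicy
if (-not (Test-RemovableMediaEncryptionPolicy)) {
    throw "Policy value $FvePolicyName was not applied under $FvePolicyKey"
}
Get-RemovableMediaComplianceReport | Format-Table -AutoSize
```

The policy value generally takes effect when a removable drive is next mounted, so re-plug a test drive after running it: an unencrypted drive should then open read-only, while a BitLocker To Go drive keeps write access. On a domain-joined or MDM-enrolled machine, keep the enforcement in GPO or Intune and use only the Test and Report functions here as an independent check, since a locally written value will be overwritten by the next policy refresh.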

Distribute the policy to everyone during onboarding and require formal acknowledgement. Include acceptable use topics in your security awareness training. Send periodic reminders, especially after updates. Keep records of every acknowledgement - auditors will check.

Evidence Your Auditor Will Request

  • Documented acceptable use policy covering all relevant asset types
  • Signed acknowledgement records from all personnel and relevant third parties
  • Technical controls supporting policy enforcement such as web filtering or DLP
  • Records of policy communication through training and awareness programs
  • Evidence of policy review and updates with version history

Common Mistakes

  • Acceptable use policy is outdated and does not cover current technologies like cloud services or BYOD
  • Policy exists but personnel have not signed or acknowledged it
  • Rules are too vague to be enforceable or too restrictive to be practical
  • No technical controls support the policy and enforcement relies solely on trust
  • Third-party personnel are not covered by the acceptable use rules

Related Controls Across Frameworks

  • SOC 2 CC6.1: Partial overlap
  • SOC 2 CC1.4: Related
  • GDPR Art. 32: Partial overlap

Frequently Asked Questions

Should we allow personal use of work equipment?
That is largely a business decision, but the security consequences must be spelled out. Many organisations allow limited personal use as long as it does not interfere with work, violate other policies, or create security risks. If you allow it, be explicit about the boundaries. Make it clear that the organisation retains the right to monitor usage and that there is no expectation of privacy on company equipment, and check that the monitoring you describe is lawful under local employment and privacy law (GDPR applies where it covers your workforce). The worst outcome is an ambiguous policy that nobody is sure how to interpret.
How do we handle acceptable use for remote workers?
Remote workers need specific guidance: securing their home environment, using the VPN or other approved remote access path, handling printed documents, protecting screens from being overlooked, and securing equipment when not in use. If you allow BYOD, add rules about separating work and personal data, minimum device security (patching, screen lock, endpoint protection), and the organisation's right to remotely wipe work data. Be practical: rules that are impossible to follow in a home setting will just be ignored.
