ISO 27001:2022 Annex A Control 5.10

Acceptable Use of Information and Other Associated Assets


ISO 27001:2022 Annex A 5.10 outlines the rules for acceptable use and procedures for handling information and other assets.

These should be identified, documented and implemented.

The aim of these policies is to give personnel clear instructions on how to act when handling information assets, so that the confidentiality, integrity and availability of the organisation’s information and associated assets are preserved.

What is ISO 27001:2022 Annex A 5.10, Acceptable Use of Information and Other Associated Assets?

The Acceptable Use of Information Assets Policy (AUA) applies to all members of the organisation and to all assets the organisation owns or operates. It covers every use of information assets, including use for commercial purposes.

Examples of information assets include:

  • Hardware: computers, mobile devices, phones and fax machines.
  • Software: operating systems, applications (including web-based applications), utilities, firmware and programming languages.
  • Data: structured data in relational databases, flat files and NoSQL stores, as well as unstructured data such as text documents, spreadsheets, images, video and audio files.
  • Networks: wired and wireless systems, telecommunications and Voice over Internet Protocol (VoIP) services.
  • Cloud services, email accounts and other hosted services.

Acceptable use of information and other associated assets means using them in ways that do not jeopardise the confidentiality, integrity or availability of data, services or resources, and that do not breach the law or the organisation’s policies.


What Is The Purpose of ISO 27001:2022 Annex A Control 5.10?

The main aim of this control is to make sure information and related assets are safeguarded, used, and managed correctly.

ISO 27001:2022 Annex A Control 5.10 requires policies, procedures and technical controls that prevent users from mishandling information assets.

The control gives organisations a structure for ensuring that information and other resources are suitably safeguarded, used and managed. This means having appropriate policies and procedures at every level of the organisation and applying them consistently.

Implementing Control 5.10 forms part of your ISMS and ensures that your company has the necessary measures in place to protect its IT assets, such as:

  • Protecting data in storage, in processing and in transit.
  • Safeguarding IT equipment and using it appropriately.
  • Regulating access to information systems through appropriate authentication services.
  • Limiting the processing of information to those with the appropriate authorisation.
  • Assigning data-related duties to specific persons or roles.
  • Educating and training users on their security obligations, so that they understand their roles and responsibilities and the system stays secure.

What Is Involved and How to Meet the Requirements

To meet the requirements of ISO 27001:2022 Control 5.10, all personnel, internal and external, who use or have access to the organisation’s information and other associated assets must be made aware of the organisation’s information security requirements.

Those personnel should be held accountable for any information-processing resources they use.

Everyone who handles information and other associated assets should be informed of the organisation’s acceptable use policy, and the topic-specific policy should make clear exactly what is expected of them when using these resources.

Policy should make clear that:

  1. All employees must comply with the company’s policies and procedures.
  2. No employee may undertake any activity that is contrary to the company’s interests.
  3. Any employee who fails to comply with the company’s policies and procedures will be subject to disciplinary action.

The topic-specific policy on acceptable use should state that all personnel must follow the organisation’s directives and procedures, and should set out:

  • The expected and unacceptable behaviour of individuals with regard to information security.
  • The permitted and prohibited uses of information and other associated assets.
  • How the organisation’s operations are monitored.

Draw up acceptable use procedures covering the full information life cycle, in line with the information’s classification and the risks identified. Consider the following:

  • Access restrictions that support the protection requirements of each classification level.
  • Maintaining a register of authorised users of information and other associated assets.
  • Protecting temporary or permanent copies of information to a level consistent with the requirements of the context.
  • Protecting the original information.
  • Storing information-related assets in accordance with the manufacturers’ specifications.
  • Clearly marking all copies of electronic or physical storage media for the attention of the recipient.
  • Authorising the disposal of information and other associated assets, and specifying the supported deletion method(s).

Differences Between ISO 27001:2013 and ISO 27001:2022

ISO 27001:2022 was released in October 2022 as a revised version of ISO 27001:2013.

Annex A 5.10 in ISO 27001:2022 is not a new control; it merges controls 8.1.3 and 8.2.3 from ISO 27001:2013.

The essence and implementation guidance of Annex A 5.10 are similar to those of controls 8.1.3 and 8.2.3, but Annex A 5.10 combines acceptable use of assets and handling of assets into a single control for ease of use.

Annex A 5.10 also adds a point that was not in 8.2.3: the approval of disposal of information and other associated assets, together with the supported deletion method(s).

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |

ISO 27001:2022 People Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting |

ISO 27001:2022 Physical Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |

ISO 27001:2022 Technological Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web Filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |

Who Is In Charge Of This Process?

This policy sets out the rules for the proper use of the company’s information and associated assets, such as computers, networks and systems, email, files and storage media. All employees and contractors must abide by it.

This policy serves to:

  1. Provide guidelines for appropriate behaviour at all times.
  2. Outline the consequences of any breach of conduct.
  3. Ensure a safe, respectful environment for all.

It also ensures that the company’s information and other associated assets are used solely for legitimate business purposes, that staff comply with all laws and regulations on information security, and that the company’s information and associated assets are defended against risks originating inside or outside the organisation.

The Information Security Officer (ISO) is responsible for designing, implementing and maintaining the Acceptable Use of Information Assets policy.

The ISO oversees the use of information resources across the organisation to ensure that data is handled in a way that protects security and data integrity, preserves the confidentiality of private or sensitive information, prevents misuse of and unauthorised access to computing resources, and avoids unnecessary exposure or liability for the organisation.

What Do These Changes Mean for You?

The new ISO 27001:2022 standard is a revision, so you won’t need to make many alterations to be compliant with it.

Refer to our guide on ISO 27001:2022 to learn more about the implications of Annex A 5.10 on your business and how to show compliance.

How ISMS.online Helps

ISMS.online makes ISO 27001 implementation straightforward, with a comprehensive step-by-step checklist that takes you through the entire process, from defining your ISMS scope to identifying risks and deploying controls.

This model provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

Implementing the ISO 27001 standard can be an extensive undertaking; ISMS.online provides a comprehensive, one-stop solution to make the process much easier.

Our information security management system software offers a clear way to understand what must be done and how to proceed, and takes the hassle out of managing your compliance requirements.

Reach out today to book a demonstration.
