ISO 27001:2022 Annex A 5.10 outlines the rules for acceptable use and procedures for handling information and other assets.
These should be identified, documented and implemented.
The aim of these policies is to establish clear instructions on how personnel should act when dealing with information assets, guaranteeing confidentiality, reliability and accessibility of the organisation’s data security assets.
The Acceptable Use of Information Assets Policy (AUA) applies to all members of the organisation and all assets owned or operated by them. This policy is applicable for any use, including commercial purposes, of Information Assets.
Examples of information assets include:
Utilising information and other related assets requires applying them in ways that do not jeopardise the availability, dependability, or soundness of data, services, or resources. It also involves utilising them in ways that do not go against laws or the company’s policies.
The main aim of this control is to make sure information and related assets are safeguarded, used, and managed correctly.
ISO 27001:2022 Annex A Control 5.10 ensures policies, procedures, and technical controls are in place to inhibit users from mishandling information assets.
This control seeks to set up a structure for organisations to guarantee that information and other resources are suitably safeguarded, employed and managed. It entails making sure that appropriate policies and procedures exist on all levels of the organisation, as well as implementing them regularly.
Implementing Control 5.10 forms part of your ISMS and ensures that your company has the necessary requirements in place to protect its IT assets, such as:
To fulfil ISO 27001:2022’s Control 5.10 needs, it is imperative that personnel, both internal and external, who use or have access to the organisation’s data and additional resources, are aware of the company’s information security prerequisites.
Those responsible should be held to account for any data-processing resources they use.
All personnel associated with the management of information and other related assets should be aware of the organisation’s policy on appropriate use. It is essential that everyone involved is informed of the guidelines.
All personnel who work with information and related assets should be made aware of the company’s policy on acceptable usage. As part of the specific usage policy, staff should understand precisely what is expected of them in regards to these resources.
Policy should make clear that:
Particular policy pertaining to the topic should state that all personnel must adhere to the firm’s directives and protocols:
Draw up acceptable use procedures throughout the full information life cycle, in line with its categorisation and identified risks. Think about the following:
The 2022 version of ISO 27001 was released in October 2022; it is an improved version of ISO 27001:2013.
Annex A 5.10 in ISO 27001:2022 is not new; it is a blend of controls 8.1.3 and 8.2.3 from ISO 27001:2013.
The essence and implementation guidelines of Annex A 5.10 are similar to those of controls 8.1.3 and 8.2.3, but Annex A 5.10 combines both acceptable use of and handling of assets into one control for user-friendliness.
Annex A 5.10 additionally added a further point to 8.2.3, which pertains to the approval of disposal of information and any related assets, as well as the recommended deletion method(s).
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
Technological Controls | Annex A 8.9 | NEW | Configuration Management |
Technological Controls | Annex A 8.10 | NEW | Information Deletion |
Technological Controls | Annex A 8.11 | NEW | Data Masking |
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
Technological Controls | Annex A 8.23 | NEW | Web filtering |
Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
Technological Controls | Annex A 8.28 | NEW | Secure Coding |
Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
This policy sets out the rules for the proper use of the company’s information and associated assets, such as computers, networks and systems, email, files and storage media. All employees and contractors must abide by it.
This policy serves to:
The aim of this policy is to set out directives for appropriate behaviour and to detail the ramifications for violating them, in order to create a secure, respectful atmosphere for everyone.
Ensuring that the company’s data and other related assets are solely used for valid business reasons. Ensuring staff members abide by all laws and regulations regarding information security and defending the firm’s information and other related assets from risks stemming from inside or outside the company.
The Information Security Officer (ISO) has the task of designing, executing and sustaining the Acceptable Use of Information resources.
The ISO will be in charge of overseeing the utilisation of information resources across the organisation to guarantee that data is employed in a way that safeguards security and data accuracy, preserves the confidentiality of private or delicate information, averts abuse and unauthorised access to computing resources, and eliminates any unnecessary exposure or liability to the organisation.
The new ISO 27001:2022 standard is a revision, so you won’t need to make many alterations to be compliant with it.
Refer to our guide on ISO 27001:2022 to learn more about the implications of Annex A 5.10 on your business and how to show compliance.
ISMS.online makes ISO 27001 implementation straightforward, with a comprehensive step-by-step checklist. This guide takes you through the entire process, from defining your ISMS scope to identifying risks and deploying controls.
This model creates a framework for setting up, utilising, operating, observing, evaluating, sustaining, and developing an Information Security Management System (ISMS).
Implementing the ISO 27001 standard can be an extensive endeavour, however, ISMS.online provides a comprehensive, one-stop solution to make the process much easier.
Our top-notch information security management system software offers an uncomplicated way to comprehend what must be accomplished and how to proceed.
We make it easy to manage your compliance needs. We eliminate the hassle and stress of meeting your requirements.
Reach out today to reserve a demonstration.
Book a tailored hands-on session
based on your needs and goals
Book your demo