Control 5.10 states that the rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
The goal of such policies is to set out clear guidelines of how users should behave when working with information assets, to ensure confidentiality, integrity and availability of the organisation’s information security assets.
The Acceptable Use of Information Assets Policy (AUA) applies to all members of an organisation and assets owned or operated by the organisation. The AUA applies to all uses of Information Assets for any purpose, including commercial.
The following are examples of Information Assets:
Acceptable use of information and other associated assets means using information assets in ways that do not put at risk the availability, reliability, or integrity of data, services or resources. It also means using them in ways that do not violate laws or the organisation’s policies.
The new ISO 27002:2022 standard comes with attribute tables which are not found in the 2013 version. Attributes are a way to classify controls.
They also allow you to match your control selection with commonly used industry terms and specifications. The following controls are available in control 5:10.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset management #Information protection | #Governance and Ecosystem #Protection |
The overarching objective of this control is to ensure information and other associated assets are appropriately protected, used and handled.
Control 5.10 was designed to ensure that policies, procedures and technical controls are in place to prevent users from inappropriately accessing, using or disclosing information assets.
This control aims to provide a framework for organisations to ensure that information and other assets are appropriately protected, used and handled. This includes ensuring that the policies and procedures exist at all levels within the organisation, as well as ensuring that those policies and procedures are consistently enforced.
Implementing control 5.10 as part of your ISMS means that you have put in place the various requirements related to how your company protects IT assets including:
It helps drive our behaviour in a positive way that works for us
& our culture.
We started off using spreadsheets and it was a nightmare. With the ISMS.online solution, all the hard work was made easy.
In order to meet the requirements for control 5.10 in ISO 27002:2022, it is important that employees and external parties who use or have access to the organisation’s information and other associated assets are aware of the organisation’s information security requirements.
These people should be held accountable for any information processing facilities that they use.
Everyone involved in the use or handling of information and other associated assets should be made aware of the organisation’s policy on acceptable use of information and other related assets.
Everyone involved in the use or handling of information and other associated assets should be made aware of the organisation’s policy on permissible use of information and other associated assets. As part of a topic-specific acceptable use policy, personnel should know exactly what they are expected to do with information and other assets.
In particular, topic-specific policy should state that:
a) expected and unacceptable behaviours of individuals from an information security perspective;
b) permitted and prohibited use of information and other associated assets;
c) monitoring activities being performed by the organisation.
Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification and determined risks. The following items should be considered:
a) access restrictions supporting the protection requirements for each level of classification;
b) maintenance of a record of the authorised users of information and other associated assets;
c) protection of temporary or permanent copies of information to a level consistent with the
protection of the original information;
d) storage of assets associated with information in accordance with manufacturers’ specifications;
e) clear marking of all copies of storage media (electronic or physical) for the attention of the
authorised recipient;
f) authorisation of disposal of information and other associated assets and supported deletion method(s).
The new 2022 revision of ISO 27002 was published on February 15, 2022, and is an upgrade of ISO 27002:2013.
The control 5.10 in ISO 27002:2022 is not a new control, rather, it is a combination of controls 8.1.3 – acceptable use of assets and 8.2.3 – handling of assets in ISO 27002:2013.
While the essence and implementation guidelines of control 5.10 is relatively the same with controls 8.1.3 and 8.2.3, control 5.10 merged both the acceptable use of assets and the handling of assets into one control to allow for improved user-friendliness.
However, control 5.10 also added an extra point to control 8.2.3. This covers authorisation of disposal of information and other associated assets and the supported deletion method(s).
We’ll give you an 81% headstart
from the moment you log in
Book your demo
The Acceptable Use of Information and other Associated Assets is a policy that establishes rules to ensure proper use of the company’s information and other associated assets, including computers, networks and systems, email, files and storage media. This policy is binding on all employees and contractors.
The purpose of this policy is to:
The Information Security Officer (ISO) is responsible for developing, implementing, and maintaining the Acceptable Use of Information assets.
The ISO shall be responsible for managing the use of information resources throughout the organisation to ensure that information is used in a manner that protects the security and integrity of data, preserves the confidentiality of proprietary or sensitive information, protects against abuse and unauthorised access to computing resources, and eliminates unnecessary exposure or liability to the organisation.
The new ISO 27002: 2022 standard is not a substantial upgrade. As a result, you may not need to make any significant changes in regards to compliance with the most recent version of ISO 27002.
However, please see our guide to ISO 27002:2022, where you can discover more about how these changes to control 5.10 will affect your business.
As you know, ISO 27002 is a widely-adopted and well-recognised standard for information security.
It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
Because the ISO 27002 standard is so comprehensive and detailed, implementing it can be a time-consuming process. But with ISMS.online, you have a one-stop solution that makes things much simpler.
Our world-class information security management system software platform makes it super easy to understand what needs to be done and how to do it.
We take the pain out of managing your compliance requirements.
With ISMS.online, ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
