March 25, 2024

ISO 27001:2022 Annex A Control 5.10: Acceptable Use of Information and Other Associated Assets

Annex A control 5.10 of ISO 27001:2022 maps to ISO 27001:2013 Annex A controls 8.1.3 (Acceptable use of assets) and 8.2.3 (Handling of assets).

Annex A control 5.10 requires organisations to identify, document and implement rules for the acceptable use of information and other associated assets, together with procedures for handling them. The aim is to give everyone who works with these assets a clear set of expectations, so that the confidentiality, integrity and availability of information are preserved.

Understanding the acceptable use of information and other associated assets

An acceptable use policy for information and other associated assets applies to every use of those assets, for any purpose (including commercial use), and to everyone in the organisation, as well as to external parties who are given access.

Acceptable use of information and other associated assets means using them in ways that do not put the confidentiality, integrity or availability of data, resources and services at risk, and that stay within the boundaries of the law and of organisational policy.

Examples of information assets include:

  • Hardware: mobile devices, computers, phones and fax machines.
  • Software: applications (such as web-based apps), utilities, firmware, programming languages, and operating systems.
  • Services: email accounts, cloud services, and other hosted services.
  • Networks: telecommunications systems, voice over IP services, and wired and wireless networks.
  • Data: structured data (relational databases, flat files, and NoSQL data), unstructured data (spreadsheets, text documents, images, video, and audio files), and records in any format.

The importance of Annex A control 5.10

The overarching purpose of Annex A control 5.10 is to ensure that information and other associated assets are appropriately used, handled and protected. To achieve this, policies, procedures and technical controls must be in place to prevent users from inappropriately accessing, using or sharing information assets.

It gives organisations a framework for how assets may be used, handled and stored, and requires that the relevant policies and procedures exist at every level of the organisation and are enforced consistently.

Annex A control 5.10 calls for a number of measures to be put in place, including:

  • Protecting information in storage, processing, and transit.
  • Protecting IT equipment, and ensuring its appropriate use.
  • Ensuring the appropriate use of authentication services to control access to systems.
  • Ensuring that anyone processing information on the organisation's behalf holds the appropriate authorisation.
  • Allocating information security responsibilities to specific roles or individuals.
  • Training users in their security responsibilities.

Meeting the requirements of Control 5.10

To meet control 5.10, employees and external parties with access to the organisation's information and other associated assets must be made aware of the information security requirements that apply to them.

They are accountable for their use of any information processing facilities and other assets. Everyone involved in using or handling assets should be aware of the organisation's acceptable use policy, and users should know exactly what is expected of them when working with information and other assets.

Procedures for handling information and other associated assets across their full life cycle should be drawn up in line with the organisation's classification scheme, and should take the following into account:

  • Access restrictions that support the protection requirements of each classification level.
  • Maintaining a record of the authorised users of information and other associated assets.
  • Protecting temporary and permanent copies of information to the same level as the original.
  • Storing assets associated with information in accordance with the manufacturer's specifications.
  • Clearly marking all copies of storage media, whether electronic or physical, for the attention of the authorised recipient.
  • Authorising the disposal of information and other associated assets, and specifying the supported deletion method(s).

How has Control 5.10 changed from ISO 27001:2013?

The guidance in control 5.10 is largely the same as that in ISO 27001:2013 Annex A controls 8.1.3 (Acceptable use of assets) and 8.2.3 (Handling of assets); the 2022 revision merges the two into a single control for ease of use.

Control 5.10 also adds one new handling requirement: the authorisation of the disposal of information and other associated assets, together with the deletion method(s) that are supported.
