
ISO 27001:2022 A.5.10 Acceptable use of information and other associated assets

This article provides additional information on how you can meet the requirements of A.5.10 Acceptable use of information and other associated assets.

ISO 27001:2022 Control Description

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented, and implemented.

Purpose

To ensure information and other associated assets are appropriately protected, used, and handled.

Guidance on implementation

Personnel and external party users using or having access to the organisation’s information and other associated assets should be made aware of the information security requirements for protecting and handling the organisation’s information and other associated assets. They should be responsible for their use of any information processing facilities.

The organisation should establish a topic-specific policy on the acceptable use of information and other associated assets and communicate it to anyone who uses or handles information and other associated assets. The topic-specific policy on acceptable use should provide clear direction on how individuals are expected to use information and other associated assets. The topic-specific policy should state:

a) Expected and unacceptable behaviours of individuals from an information security perspective;

b) Permitted and prohibited use of information and other associated assets;

c) Monitoring activities being performed by the organisation.

Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification (see A.5.12) and determined risks. The following items should be considered:

a) Access restrictions supporting the protection requirements for each level of classification;

b) Maintenance of a record of the authorised users of information and other associated assets;

c) Protection of temporary or permanent copies of information to a level consistent with the protection of the original information;

d) Storage of assets associated with information in accordance with manufacturers’ specifications (see A.7.8);

e) Clear marking of all copies of storage media (electronic or physical) for the attention of the authorised recipient (see A.7.10);

f) Authorisation of disposal of information and other associated assets and supported deletion method(s) (see A.8.10).

It may be the case that the assets concerned do not directly belong to the organisation, such as public cloud services. The use of such third-party assets and any assets of the organisation associated with such external assets (e.g., information, software) should be identified as applicable and controlled.