Annex A · Organisational Control

A.5.10 — Acceptable Use of Information and Other Associated Assets

Reading time: 5 min · Reviewed by: Cenedril Editorial
Tags: A.5.10 · ISO 27001 · ISO 27002 · BSI ISMS.1

An employee saves customer records to a personal USB drive to work from home over the weekend. Another forwards a confidential spreadsheet to a private email address for convenience. A contractor uses the company laptop to run a personal side business. None of them think they are doing anything wrong — because nobody told them the rules. A.5.10 closes this gap by requiring the organisation to define, communicate and enforce acceptable use rules for information and associated assets.

Acceptable use policies set the behavioural baseline for everyone who handles the organisation’s information. They translate abstract security principles into concrete, daily expectations.

What does the standard require?

  • Define acceptable use rules. The organisation must identify and document rules for the acceptable use of information and associated assets — covering equipment, software, data, networks and services.
  • Address the full lifecycle. Rules should cover how assets are used, stored, transmitted and disposed of. This includes return procedures when employment or a contract ends.
  • Communicate to all relevant personnel. Everyone who uses the organisation’s information assets must be aware of the rules — employees, contractors, temporary staff and, where applicable, external parties.
  • Obtain acknowledgement. Personnel should confirm that they have read and understood the acceptable use rules. This confirmation serves as evidence of awareness.
  • Enforce consistently. The organisation should define consequences for policy violations and apply them consistently. Selective enforcement undermines the credibility of the entire policy.

In practice

Cover the topics that matter most. Focus the policy on areas where violations are common and consequences are severe: handling of classified data, use of removable media, cloud storage, email forwarding, social media, mobile devices and personal use of company equipment. Prioritise clarity over comprehensiveness.

Integrate into onboarding and annual refreshers. The acceptable use policy should be part of the onboarding process for every new employee and contractor. Require annual re-acknowledgement to keep awareness current and to capture policy updates.

Align with technical controls. Acceptable use rules gain teeth when they are reinforced by technical measures. If the policy prohibits USB storage of confidential data, consider implementing USB device control. If personal cloud storage is not allowed for business data, block the relevant services. Technical enforcement reduces reliance on good behaviour alone.

Address remote and hybrid working. Modern work patterns mean that organisational data is accessed from home networks, personal devices and public spaces. The acceptable use policy must address these scenarios explicitly — including expectations for home network security, screen locking and physical document handling outside the office.

Typical audit evidence

Auditors typically expect the following evidence for A.5.10:

  • Acceptable use policy — the documented policy covering all relevant asset types
  • Acknowledgement records — signed or digitally confirmed acknowledgements from employees and contractors
  • Communication records — evidence that the policy was distributed during onboarding and annual refreshers
  • Disciplinary records — evidence that violations were handled consistently (anonymised)
  • Technical enforcement logs — showing that policy rules are supported by technical controls where applicable

KPI

% of employees who have acknowledged the acceptable use policy

This KPI measures how comprehensively the policy has been communicated and accepted. Target: 100% of active personnel. Track separately for employees, contractors and external parties. A high acknowledgement rate combined with low violation rates indicates effective policy communication.

Supplementary KPIs:

  • Percentage of new employees who acknowledged the policy within their first week
  • Number of acceptable use violations reported or detected per quarter
  • Percentage of policy acknowledgements that are current (renewed within the last 12 months)

BSI IT-Grundschutz

A.5.10 maps to the following BSI requirements:

  • ISMS.1.A2 (Definition of security objectives and strategy) — the acceptable use policy operationalises the organisation’s security objectives for daily behaviour.
  • ORP.3.A3 (Personnel briefing on security policies) — all employees must be briefed on the rules for handling information and IT systems.
  • CON.9 (Information exchange) — rules for how information may be shared and transferred.
  • CON.7.A2 (Security measures for mobile working) — specific acceptable use rules for mobile and remote work scenarios.

A.5.10 translates policy into daily behaviour.

Frequently asked questions

What should an acceptable use policy cover?

At minimum: permitted and prohibited uses of IT equipment and services, internet and email usage, mobile device and remote working rules, handling of classified information, personal use limits, monitoring disclosure and consequences of policy violations. The policy should be written in plain language that every employee can understand.

Must employees formally acknowledge the policy?

ISO 27002 recommends that all relevant personnel and external parties acknowledge the acceptable use rules. A signed or digitally confirmed acknowledgement creates evidence that the person was informed and understood their obligations.

How does acceptable use relate to BYOD?

When employees use personal devices for work (Bring Your Own Device), the acceptable use policy must cover what the organisation expects: minimum security settings, permitted data storage, remote wipe consent, separation of personal and business data. Without these rules, the organisation has limited control over how its information is handled on personal devices.