What Is ISO 27001 Annex A Control 5.10?
If you are working towards ISO 27001 certification, you will quickly realise that the standard is not just about firewalls and encryption. A significant portion of it is about people and how they behave with the information and assets your organisation holds. Control 5.10, titled Acceptable Use of Information and Other Associated Assets, sits right at the heart of that people-focused side of information security.
In plain terms, Control 5.10 requires your organisation to identify, document, and implement rules for how information and associated assets are to be used. It covers employees, contractors, and anyone else who touches your systems or data. If someone in your business is using a laptop, accessing a database, sending an email, or storing files in the cloud, this control applies to them.
This article breaks down exactly what Control 5.10 requires, what it looks like in practice, common mistakes organisations make, and how to implement it properly so that it actually works rather than sitting as a document nobody reads.
Where Does Control 5.10 Sit in the ISO 27001 Framework?
ISO 27001:2022 organises its Annex A controls into four themes: Organisational, People, Physical, and Technological. Control 5.10 falls under the Organisational controls category, which means it is about policies, rules, and governance rather than technical configurations.
It sits alongside other controls like 5.9 (Inventory of Information and Other Associated Assets) and 5.11 (Return of Assets). These three controls work closely together. You cannot enforce acceptable use rules on assets you have not inventoried, and you cannot return assets properly if you have not defined how they should be used in the first place.
For a broader understanding of what the standard covers before diving into individual controls, our beginner's guide to ISO 27001 is a good starting point.
What Does Control 5.10 Actually Require?
The control has a clear purpose statement in the standard: rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented, and implemented.
That sounds straightforward, but let us break it down into what it actually means in practice.
Identifying the Assets in Scope
Before you can write rules about how assets should be used, you need to know what those assets are. This includes:
- Information assets such as databases, contracts, customer records, financial data, and intellectual property
- Hardware assets such as laptops, mobile phones, servers, and USB drives
- Software assets such as licensed applications, cloud platforms, and internal systems
- Physical assets such as printed documents, filing cabinets, and physical access tokens
- Service assets such as internet connections, email systems, and cloud storage accounts
The key point here is that Control 5.10 covers associated assets, not just information itself. A laptop is an associated asset. So is a cloud storage subscription. The rules you create need to cover both the data and the tools used to handle it.
Defining Acceptable Use Rules
Once you know what assets exist, you need to define what acceptable use looks like for each category. This typically takes the form of an Acceptable Use Policy (AUP), which is one of the most common documents auditors look for during an ISO 27001 audit.
Your AUP should address questions like:
- Can employees use company laptops for personal use outside work hours?
- Are staff allowed to store work files on personal cloud storage accounts like Google Drive or Dropbox?
- What are the rules around printing confidential documents?
- How should sensitive emails be handled, labelled, or encrypted?
- What happens if an employee suspects a device has been lost or compromised?
- Are contractors allowed to connect their own devices to your network?
These are not hypothetical questions. These are the exact situations that lead to data breaches when there are no clear rules in place.
Communicating and Enforcing the Rules
Writing an AUP is only half the job. Control 5.10 requires that the rules are implemented, which means people need to know about them, understand them, and actually follow them. A policy buried in a shared drive that nobody has read does not satisfy this requirement.
In practice, implementation means:
- All staff and contractors acknowledge the AUP as part of onboarding
- The policy is reviewed and updated regularly
- Breaches of the policy are addressed through your disciplinary or incident management process
- The rules are proportionate to the classification of the information involved
Real World Examples of Control 5.10 in Action
Let us look at how different types of organisations might implement this control. These examples are based on common scenarios I have seen during audits and consulting engagements.
Example 1: A Professional Services Firm
A mid-sized accounting firm handles sensitive client financial data across a team of 40 staff, many of whom work remotely. Their acceptable use policy covers the following specific rules:
- Client files must only be stored on the firm's approved document management system, not on personal cloud accounts
- Laptops must be locked when unattended, even at home
- Printing of client documents is only permitted in the office, not on home printers
- Staff must not discuss client matters on personal messaging apps like WhatsApp
- USB drives are not permitted unless encrypted and pre-approved by the IT manager
Each new staff member signs the AUP on their first day. The policy is reviewed every 12 months and whenever there is a significant change to working arrangements.
Example 2: A Software Development Company
A SaaS company with 15 developers has a more technically focused acceptable use policy. Their key rules include:
- Source code must not be pushed to public repositories without explicit approval
- Development environments must not contain real customer data
- Personal laptops may not be used for development work without prior approval and enrolment in the device management system
- API keys and credentials must be stored in the approved secrets management tool, not in code comments or emails
- Access to production systems is restricted to named individuals and requires multi-factor authentication
This is a good example of how the AUP needs to reflect the specific risks and asset types relevant to your industry. A software company's acceptable use risks are quite different from those of a retail business.
If your business is in the software space and considering certification, our guide on how to get ISO certification for a software company covers the broader process in detail.
Example 3: A Healthcare Provider
A private medical clinic handles patient records under both ISO 27001 and Australian Privacy Act obligations. Their acceptable use policy is tightly integrated with their privacy framework and includes:
- Patient records must only be accessed by staff with a direct care relationship with the patient
- Records must not be accessed from personal devices unless the device is enrolled in the clinic's mobile device management system
- Paper records must be stored in locked filing cabinets and disposed of through secure shredding
- Staff must not photograph or screenshot patient information
- Any suspected breach must be reported to the Privacy Officer within two hours of discovery
For organisations in healthcare or any sector handling personal information, the connection between ISO 27001 and privacy obligations is worth understanding. Our article on ISO 27001 and Australian Notifiable Data Breach obligations explains this relationship clearly.
Common Mistakes Organisations Make With Control 5.10
Having reviewed dozens of information security management systems, I see the same mistakes come up repeatedly with this control.
Writing a Generic Policy That Does Not Reflect Your Business
Many organisations download a template AUP from the internet and submit it with minimal changes. Auditors can spot this immediately. A generic policy that talks about asset categories that do not exist in your business, or fails to address the specific risks you actually face, will not satisfy the control. Your AUP needs to reflect your actual assets, your actual risks, and the way your people actually work.
Treating It as a One-Off Document
Your AUP is not a document you write once and forget. Business environments change. Remote working arrangements, new software tools, cloud migrations, and staff turnover all create new risks. If your AUP has not been reviewed in three years, it is almost certainly out of date.
No Evidence of Staff Acknowledgement
During an audit, you will be asked to demonstrate that staff have read and understood the acceptable use policy. If you cannot produce signed acknowledgement records or equivalent evidence, this becomes a finding. A simple acknowledgement form, whether paper or digital, is all you need. The important thing is that you keep the records.
Failing to Cover Third Parties
Control 5.10 applies to everyone who uses your assets, not just permanent employees. Contractors, consultants, and third-party service providers who access your systems or data need to be covered by acceptable use rules. This is often missed, particularly in organisations that rely heavily on outsourced services.
No Consequences for Breaches
A policy without consequences is just a suggestion. Your AUP should reference what happens when the rules are broken. This does not need to be a long disciplinary procedure within the document itself, but there should be a clear reference to your HR policies or incident management process so that staff understand there are real consequences for misuse.
How to Write an Effective Acceptable Use Policy
Here is a practical approach to building an AUP that will satisfy Control 5.10 and actually add value to your organisation.
Step 1: Start With Your Asset Inventory
Pull your asset register and group assets into logical categories. For each category, ask: what are the realistic ways this asset could be misused, and what rules would prevent that? This exercise gives you the content for your policy directly, rather than leaving you to guess at what to include.
Step 2: Match Rules to Information Classification
ISO 27001 expects your acceptable use rules to be proportionate to the sensitivity of the information involved, and ISO/IEC 27001:2022 links acceptable use directly to information classification. If you have a classification scheme with categories like Public, Internal, Confidential, and Restricted, your AUP should specify different handling rules for each level. For example, confidential documents may require encryption when emailed, while public documents do not.
Step 3: Write in Plain Language
Your AUP will be read by people who are not information security professionals. Write it in plain, direct language. Avoid legal jargon. Use examples where helpful. The goal is for every person in your organisation to understand exactly what they can and cannot do.
Step 4: Get Legal and HR Input
Your AUP touches on employment conditions, privacy obligations, and potentially legal liability. Before finalising it, have it reviewed by your legal counsel and HR team. This is particularly important in Australia, where the Privacy Act 1988 and the Notifiable Data Breaches scheme create specific obligations around personal information handling.
Step 5: Build in a Review Cycle
Set a review date for the policy, typically annual, and assign ownership to a named role. Tie the review to your management review process so it does not get overlooked. Document when reviews occur and what changes were made.
How Control 5.10 Connects to Other Parts of ISO 27001
Control 5.10 does not operate in isolation. It connects to several other parts of the standard in ways that are worth understanding.
The risk assessment process (Clause 6.1) should inform what rules you include in your AUP. If your risk assessment identifies that personal device use is a significant threat, your AUP needs to address it specifically. If the risk assessment has not identified a particular scenario, your policy may have gaps.
The human resource security controls (5.7 through 5.10) work as a group. Control 5.7 covers screening, 5.8 covers terms and conditions of employment, and 5.9 covers the asset inventory. Control 5.10 builds on all of these. You cannot implement acceptable use rules effectively if you have not defined what assets exist and what terms your staff have agreed to.
The incident management controls (5.24 through 5.28) are also closely connected. When someone breaches the acceptable use policy, it typically generates an information security event that needs to be managed through your incident process. Your AUP should make this connection explicit.
For those working through the risk management side of ISO 27001, our plain English guide to ISO 27001 risk assessment covers that process in accessible detail.
What Auditors Look for During an ISO 27001 Audit
When an auditor reviews your compliance with Control 5.10, they are typically looking for the following evidence:
- A documented Acceptable Use Policy that is current and approved
- Evidence that the policy covers all relevant asset types
- Signed acknowledgements or equivalent evidence that staff have read and understood the policy
- Evidence that the policy applies to contractors and third parties where relevant
- A defined review cycle and evidence of previous reviews
- Links between the AUP and your information classification scheme
- Evidence that breaches are handled through a defined process
One thing auditors pay close attention to is whether the policy is actually being followed. They may interview staff and ask questions like: where do you store your work files? What do you do if you lose your laptop? Can you use your personal phone to access work email? If the answers do not align with what your AUP says, that is a finding regardless of how well the document is written.
Understanding what auditors check more broadly is good preparation. Our article on what documents ISO auditors check during an audit gives an overview of the evidence-gathering process.
The Relationship Between Control 5.10 and the Australian Privacy Act
For Australian businesses, Control 5.10 has a natural connection to privacy compliance. The Australian Privacy Act 1988, administered by the Office of the Australian Information Commissioner, requires organisations handling personal information to take reasonable steps to protect it. An Acceptable Use Policy that governs how staff handle personal information is one of those reasonable steps.
If your organisation is subject to the Notifiable Data Breaches scheme, your AUP should include clear rules about how personal information is handled and what staff must do if they suspect a breach. This creates a direct link between your ISO 27001 controls and your privacy obligations, which is efficient from both a compliance and an operational perspective.
Getting Help With ISO 27001 Implementation
Implementing Control 5.10 properly is not complicated, but it does require time, attention to detail, and a clear understanding of your organisation's specific risks and assets. Many businesses find it useful to work with an experienced ISO 27001 consultant, particularly when building the ISMS from scratch.
If you are at the stage of looking for implementation support or certification body quotes, CertBetter can help. The platform connects businesses seeking ISO 27001 certification with verified consultants and accredited certification bodies. You submit one form and receive up to three competing quotes from vetted providers, at no cost to your business. It is a straightforward way to understand your options and make an informed decision without spending hours researching providers individually.