- See ISO 27002:2022 Control 5.10 for more information.
- See ISO 27001:2013 Annex A 8.1.3 for more information.
- See ISO 27001:2013 Annex A 8.2.3 for more information.
Annex A 5.10 ISO 27001: Ensuring Proper Use of Information and Assets
ISO 27001:2022 Annex A 5.10 outlines the rules for acceptable use and procedures for handling information and other assets.
These should be identified, documented and implemented.
The aim of these policies is to establish clear instructions on how personnel should act when dealing with information assets, guaranteeing confidentiality, reliability and accessibility of the organisation’s data security assets.
What is ISO 27001:2022 Annex A 5.10, Acceptable Use of Information and Other Associated Assets?
The Acceptable Use of Information Assets Policy (AUA) applies to all members of the organisation and all assets owned or operated by them. This policy is applicable for any use, including commercial purposes, of Information Assets.
Examples of information assets include:
- Hardware encompasses computers, mobile devices, phones, and fax machines.
- Software includes operating systems, applications (including web-based), utilities, firmware and programming languages.
- This section deals with structured data in relational databases, flat files, NoSQL data, as well as unstructured data, for example text documents, spreadsheets, images, video, and audio files.
- Networks encompass both wired and wireless systems, telecommunications, and Voice over Internet Protocol (VoIP) services.
- Cloud services, email accounts and other hosted services.
Utilising information and other related assets requires applying them in ways that do not jeopardise the availability, dependability, or soundness of data, services, or resources. It also involves utilising them in ways that do not go against laws or the company’s policies.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is The Purpose of ISO 27001:2022 Annex A Control 5.10?
The main aim of this control is to make sure information and related assets are safeguarded, used, and managed correctly.
ISO 27001:2022 Annex A Control 5.10 ensures policies, procedures, and technical controls are in place to inhibit users from mishandling information assets.
This control seeks to set up a structure for organisations to guarantee that information and other resources are suitably safeguarded, employed and managed. It entails making sure that appropriate policies and procedures exist on all levels of the organisation, as well as implementing them regularly.
Implementing Control 5.10 forms part of your ISMS and ensures that your company has the necessary requirements in place to protect its IT assets, such as:
- Ensuring the safety of data in storage, processing and transit is paramount.
- The safeguarding and proper utilisation of IT equipment is essential. It is vital to ensure its security and use it appropriately.
- Appropriate authentication services are essential to the regulation of access to information systems.
- Processing of information within an organisation is limited to only those with the appropriate authorisation.
- The assigning of data-related duties to certain persons or roles.
- Educating and training users on their security obligations is essential. Making sure they understand their roles and responsibilities helps ensure the security of the system.
What Is Involved and How to Meet the Requirements
To fulfil ISO 27001:2022’s Control 5.10 needs, it is imperative that personnel, both internal and external, who use or have access to the organisation’s data and additional resources, are aware of the company’s information security prerequisites.
Those responsible should be held to account for any data-processing resources they use.
All personnel associated with the management of information and other related assets should be aware of the organisation’s policy on appropriate use. It is essential that everyone involved is informed of the guidelines.
All personnel who work with information and related assets should be made aware of the company’s policy on acceptable usage. As part of the specific usage policy, staff should understand precisely what is expected of them in regards to these resources.
Policy should make clear that:
- All employees must comply with the company’s policies and procedures.
- No employee may undertake any activity that is contrary to the company’s interests.
- Any employee who fails to comply with the company’s policies and procedures will be subject to disciplinary action.
Particular policy pertaining to the topic should state that all personnel must adhere to the firm’s directives and protocols:
- Expectations and unacceptable actions regarding information security should be clarified for individuals.
- Permitted and prohibited use of information and other assets.
- Keeping an eye on the organisation’s operations.
Draw up acceptable use procedures throughout the full information life cycle, in line with its categorisation and identified risks. Think about the following:
- Access restrictions to support the protection of each security level must be put in place.
- Maintaining a register of authorised users of information and other associated assets.
- Ensure the security of temporary or permanent copies of information is consistent with the requirements of the context.
- Ensuring the preservation of the initial data is of utmost importance.
- Storing assets related to information according to manufacturers’ standards is essential.
- Mark all copies of electronic or physical storage media clearly for the attention of the recipient.
- The company authorises the disposal of information and other assets, as well as the deletion method(s) that are supported.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Differences Between ISO 27001:2013 and ISO 27001:2022
The 2022 version of ISO 27001 was released in October 2022; it is an improved version of ISO 27001:2013.
Annex A 5.10 in ISO 27001:2022 is not new; it is a blend of controls 8.1.3 and 8.2.3 from ISO 27001:2013.
The essence and implementation guidelines of Annex A 5.10 are similar to those of controls 8.1.3 and 8.2.3, but Annex A 5.10 combines both acceptable use of and handling of assets into one control for user-friendliness.
Annex A 5.10 additionally added a further point to 8.2.3, which pertains to the approval of disposal of information and any related assets, as well as the recommended deletion method(s).
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Who Is In Charge Of This Process?
This policy sets out the rules for the proper use of the company’s information and associated assets, such as computers, networks and systems, email, files and storage media. All employees and contractors must abide by it.
This policy serves to:
- Provide guidelines for appropriate behaviour at all times.
- Outline the consequences of any breach of conduct.
- Ensure a safe, respectful environment for all.
The aim of this policy is to set out directives for appropriate behaviour and to detail the ramifications for violating them, in order to create a secure, respectful atmosphere for everyone.
Ensuring that the company’s data and other related assets are solely used for valid business reasons. Ensuring staff members abide by all laws and regulations regarding information security and defending the firm’s information and other related assets from risks stemming from inside or outside the company.
The Information Security Officer (ISO) has the task of designing, executing and sustaining the Acceptable Use of Information resources.
The ISO will be in charge of overseeing the utilisation of information resources across the organisation to guarantee that data is employed in a way that safeguards security and data accuracy, preserves the confidentiality of private or delicate information, averts abuse and unauthorised access to computing resources, and eliminates any unnecessary exposure or liability to the organisation.
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
What Do These Changes Mean for You?
The new ISO 27001:2022 standard is a revision, so you won’t need to make many alterations to be compliant with it.
Refer to our guide on ISO 27001:2022 to learn more about the implications of Annex A 5.10 on your business and how to show compliance.
How ISMS.online Helps
ISMS.online makes ISO 27001 implementation straightforward, with a comprehensive step-by-step checklist. This guide takes you through the entire process, from defining your ISMS scope to identifying risks and deploying controls.
This model creates a framework for setting up, utilising, operating, observing, evaluating, sustaining, and developing an Information Security Management System (ISMS).
Implementing the ISO 27001 standard can be an extensive endeavour, however, ISMS.online provides a comprehensive, one-stop solution to make the process much easier.
Our top-notch information security management system software offers an uncomplicated way to comprehend what must be accomplished and how to proceed.
We make it easy to manage your compliance needs. We eliminate the hassle and stress of meeting your requirements.
Reach out today to reserve a demonstration.
