What is Control 5.10, Acceptable Use of Information and Other Associated Assets?
The Acceptable Use of Information Assets Policy (AUA) applies to all members of an organisation and assets owned or operated by the organisation. The AUA applies to all uses of Information Assets for any purpose, including commercial.
The following are examples of Information Assets:
- Hardware: computers, mobile devices, phones and fax machines.
- Software: operating systems, applications (including Web-based apps), utilities, firmware and programming languages.
- Data: structured data in relational databases, flat files and NoSQL data; unstructured data such as text documents, spreadsheets, images, video and audio files; records in any format.
- Networks: wired and wireless networks; telecommunications systems; voice over IP services.
- Services: cloud services, email accounts and other hosted services.
Acceptable use of information and other associated assets means using information assets in ways that do not put at risk the availability, reliability, or integrity of data, services or resources. It also means using them in ways that do not violate laws or the organisation’s policies.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Attributes of Control 5.10
The new ISO 27002:2022 standard comes with attribute tables which are not found in the 2013 version. Attributes are a way to classify controls.
They also allow you to match your control selection with commonly used industry terms and specifications. The following controls are available in control 5:10.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #Asset management | #Governance and Ecosystem |
| #Integrity | #Information protection | #Protection | ||
| #Availability |
What Is The Purpose of Control 5.10?
The overarching objective of this control is to ensure information and other associated assets are appropriately protected, used and handled.
Control 5.10 was designed to ensure that policies, procedures and technical controls are in place to prevent users from inappropriately accessing, using or disclosing information assets.
This control aims to provide a framework for organisations to ensure that information and other assets are appropriately protected, used and handled. This includes ensuring that the policies and procedures exist at all levels within the organisation, as well as ensuring that those policies and procedures are consistently enforced.
Implementing control 5.10 as part of your ISMS means that you have put in place the various requirements related to how your company protects IT assets including:
- The protection of information in storage, processing and transit.
- The protection and appropriate use of IT equipment.
- The use of appropriate authentication services to control access to information systems.
- The processing of information within an organisation only by users with appropriate authorisation.
- The allocation of information-related responsibilities to specific individuals or roles.
- The education and training of users regarding their security responsibilities.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
What Is Involved and How to Meet the Requirements
In order to meet the requirements for control 5.10 in ISO 27002:2022, it is important that employees and external parties who use or have access to the organisation’s information and other associated assets are aware of the organisation’s information security requirements.
These people should be held accountable for any information processing facilities that they use.
Everyone involved in the use or handling of information and other associated assets should be made aware of the organisation’s policy on acceptable use of information and other related assets.
Everyone involved in the use or handling of information and other associated assets should be made aware of the organisation’s policy on permissible use of information and other associated assets. As part of a topic-specific acceptable use policy, personnel should know exactly what they are expected to do with information and other assets.
In particular, topic-specific policy should state that:
a) expected and unacceptable behaviours of individuals from an information security perspective;
b) permitted and prohibited use of information and other associated assets;
c) monitoring activities being performed by the organisation.
Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification and determined risks. The following items should be considered:
a) access restrictions supporting the protection requirements for each level of classification;
b) maintenance of a record of the authorised users of information and other associated assets;
c) protection of temporary or permanent copies of information to a level consistent with the
protection of the original information;
d) storage of assets associated with information in accordance with manufacturers’ specifications;
e) clear marking of all copies of storage media (electronic or physical) for the attention of the
authorised recipient;
f) authorisation of disposal of information and other associated assets and supported deletion method(s).
Differences Between ISO 27002:2013 and ISO 27002:2022
The new 2022 revision of ISO 27002 was published on February 15, 2022, and is an upgrade of ISO 27002:2013.
The control 5.10 in ISO 27002:2022 is not a new control, rather, it is a combination of controls 8.1.3 – acceptable use of assets and 8.2.3 – handling of assets in ISO 27002:2013.
While the essence and implementation guidelines of control 5.10 is relatively the same with controls 8.1.3 and 8.2.3, control 5.10 merged both the acceptable use of assets and the handling of assets into one control to allow for improved user-friendliness.
However, control 5.10 also added an extra point to control 8.2.3. This covers authorisation of disposal of information and other associated assets and the supported deletion method(s).
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Who Is In Charge Of This Process?
The Acceptable Use of Information and other Associated Assets is a policy that establishes rules to ensure proper use of the company’s information and other associated assets, including computers, networks and systems, email, files and storage media. This policy is binding on all employees and contractors.
The purpose of this policy is to:
- Ensure that the company’s information and other associated assets are used only for legitimate business purposes.
- Ensure that employees comply with all laws and regulations relating to information security.
- Protect the company’s information and other associated assets from threats originating from inside or outside the company.
The Information Security Officer (ISO) is responsible for developing, implementing, and maintaining the Acceptable Use of Information assets.
The ISO shall be responsible for managing the use of information resources throughout the organisation to ensure that information is used in a manner that protects the security and integrity of data, preserves the confidentiality of proprietary or sensitive information, protects against abuse and unauthorised access to computing resources, and eliminates unnecessary exposure or liability to the organisation.
What Do These Changes Mean for You?
The new ISO 27002: 2022 standard is not a substantial upgrade. As a result, you may not need to make any significant changes in regards to compliance with the most recent version of ISO 27002.
However, please see our guide to ISO 27002:2022, where you can discover more about how these changes to control 5.10 will affect your business.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
As you know, ISO 27002 is a widely-adopted and well-recognised standard for information security.
It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
Because the ISO 27002 standard is so comprehensive and detailed, implementing it can be a time-consuming process. But with ISMS.online, you have a one-stop solution that makes things much simpler.
Our world-class information security management system software platform makes it super easy to understand what needs to be done and how to do it.
We take the pain out of managing your compliance requirements.
With ISMS.online, ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Get in touch today to book a demo.
