Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.”
Plain-language meaning
People must know how they are allowed to use organizational information and assets, and how they must handle information based on sensitivity and classification.
This is not just an IT acceptable use policy. It covers information and associated assets in any form: systems, devices, networks, software, printers, copiers, paper records, removable media, cloud services, and sensitive information shared with third parties.
Why this matters
Assets are often misused because rules are vague, unread, or not enforced. Misuse can be accidental or deliberate, but the result can still be data leakage, system compromise, service disruption, legal exposure, or harm to other organizations.
Examples:
- browsing risky websites from corporate devices;
- using company systems for unauthorized activity;
- sending confidential files to personal email;
- printing sensitive records and leaving them unattended;
- copying data to unmanaged USB drives;
- sharing credentials;
- using cloud tools not approved for sensitive data;
- letting couriers or unknown parties collect sensitive material without checks.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define acceptable use rules
Rules should explain what use is allowed, restricted, and prohibited.
Typical areas:
| Area | Rule examples |
|---|---|
| Internet and email | Business use, prohibited activity, phishing reporting |
| Devices | Approved use, personal use limits, screen lock, storage rules |
| Software and cloud services | Approved tools only, no unauthorized installs |
| Credentials | No sharing, MFA use, password manager expectations |
| Printers and copiers | Secure printing, prompt collection, restricted output |
| Removable media | Approval, encryption, scanning, return or destruction |
| Sensitive information | Classification-based handling, need-to-know sharing |
| Third-party access | Contractual rules, NDA, monitoring, return obligations |
Rules should be readable. A 40-page policy nobody understands is weak control design.
2. Link handling rules to classification
Handling procedures should match the sensitivity of the information.
| Classification | Handling expectation |
|---|---|
| Public | Approved for public release |
| Internal | Share inside the organization on a need-to-know basis |
| Confidential | Restrict access, encrypt transmission, control printing and storage |
| Highly confidential / regulated | Strong access controls, formal approval for release, logging, secure transfer, strict retention and disposal |
If the organization uses different labels, use those labels. The point is that users need practical instructions for processing, storing, transmitting, printing, releasing, and disposing of information.
3. Get acknowledgement before access
Users should acknowledge acceptable use rules before receiving access to relevant assets.
This should apply to:
- employees;
- contractors;
- temporary workers;
- third-party users;
- administrators;
- privileged support providers;
- anyone else using organizational assets.
Acknowledgement is not magic. It is useful evidence only if the rules are clear, communicated, and enforced.
4. Detect and respond to misuse
Controls should support detection and response.
Examples:
- security monitoring;
- web filtering;
- DLP alerts;
- logon warning banners;
- print monitoring for sensitive areas;
- incident reporting;
- disciplinary procedures;
- corrective action tracking;
- awareness refreshers after incidents.
Misuse handling should distinguish deliberate abuse from inadvertent non-compliance, but both need response.
5. Cover external parties and sensitive handling
External parties should follow equivalent handling rules where they access or receive organizational information.
Check:
- contracts;
- confidentiality agreements;
- non-disclosure agreements;
- data processing agreements;
- supplier security requirements;
- classification interpretation for external parties;
- return or disposal requirements.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that acceptable use rules and handling procedures are defined, documented, implemented, communicated, acknowledged, and enforced.
Audit testing should include:
- policy and procedure review;
- user acknowledgement records;
- interviews to test awareness;
- incident records involving misuse;
- monitoring and detection controls;
- disciplinary or corrective action records;
- observation of sensitive information handling;
- external-party agreements;
- classification-specific handling procedures.
The audit should not stop at “policy exists.” The real test is whether users understand and follow the rules.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Acceptable use policy | Rules are documented |
| Information handling procedure | Classification-based handling exists |
| User acknowledgement records | Users accepted the rules |
| Onboarding records | Rules are communicated before access |
| Logon warning banner | Users are warned against unauthorized use |
| Monitoring alerts | Misuse can be detected |
| Incident reports | Misuse is recorded and investigated |
| Disciplinary or corrective action records | Violations have consequences |
| Supplier or third-party agreements | External users are bound by rules |
| Staff interviews | Users understand unacceptable use |
| Observation evidence | Sensitive information is handled appropriately |
Strong evidence
- Acceptable use rules are clear, current, readable, and mapped to asset types.
- Classification labels have practical handling procedures.
- Users acknowledge rules before access is granted.
- Contractors and third-party users are covered.
- Misuse is monitored, investigated, and corrected.
- Incident reports lead to rule or awareness improvements.
- Sensitive information handling is observable in daily work.
- External agreements support internal handling expectations.
Weak evidence
- Generic policy copied from the internet.
- Users acknowledge rules after access is already granted.
- No classification-based handling instructions.
- Rules cover laptops but ignore printers, paper, removable media, or cloud services.
- Contractors and third parties are not covered.
- No monitoring or response for misuse.
- Staff cannot explain what is inappropriate use.
- Sensitive documents are left unattended or shared broadly.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Policy exists but users do not understand it | Control does not change behavior |
| Hardware-only view of assets | Information handling gaps remain |
| Classification labels without handling rules | Users do not know what labels mean |
| No acknowledgement before access | Evidence of acceptance is weak |
| No detection of misuse | Violations remain invisible |
| External parties not bound by rules | Sensitive data leaves control boundary |
| No incident feedback loop | Rules do not improve after misuse |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Acceptable use is broader than internet browsing.
- Procedures must cover handling of information, not only use of devices.
- Rules should apply to contractors and third-party users where they use organizational assets.
- Classification labels are not enough; handling rules must explain what to do.
- User acknowledgement is useful evidence, but it does not prove implementation by itself.
- Misuse can be unintentional or deliberate; both matter.
Related controls and concepts
- A.5.1 Policies for Information Security
- A.5.2 Information Security Roles and Responsibilities
- A.5.4 Management Responsibilities
- A.5.9 Inventory of Information and Other Associated Assets
- Information and Associated Asset Inventory
- Internal Audit
- Risk Assessment
- Statement of Applicability
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.10 requires documented and implemented rules for acceptable use and handling of information and associated assets. The rules should define permitted and prohibited use, classification-based handling, acknowledgement before access, detection of misuse, response to violations, and coverage for contractors and third parties.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Acceptable use
- Asset management
- Information handling
- Audit
Note Metadata
Aliases: A.5.10, Acceptable Use of Information and Other Associated Assets
Source: 02 Annex A Organizational Controls/A.5.10 Acceptable Use of Information and Other Associated Assets.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Internal Audit
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.5.10 Audit Evidence Pack
- AQ-ISO27001-A.5.10 Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.3 - Information Access Restriction
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.10 Audit Checklist
- Acceptable Use and Information Handling Rules
- Template - Evidence Request List
- Information and Associated Asset Inventory
- Information Classification and Handling Matrix
- Personnel Security Responsibility Acknowledgement
- Template - Policy Communication and Acknowledgement Tracker
- Web Filtering Policy and Category Matrix
- Annex A Controls MOC