ISO 27001 Control 5.10: Acceptable Use of Information and Other Associated Assets
Control 5.10 requires organizations to establish, document, and enforce clear rules governing how employees and authorized users can access and handle information assets. Without defined acceptable use policies, organizations face data misuse, insider threats, and compliance violations. This control is foundational to protecting sensitive data and ensuring consistent security practices across your organization.
What this means
This control mandates that you create and implement formal policies defining acceptable and unacceptable uses of information and associated assets (systems, networks, devices, cloud services). The policies must be documented, communicated to all users, and actively enforced through technical controls and governance procedures. This ensures users understand their responsibilities and reduces the risk of intentional or negligent misuse.
How to comply
- 1.Develop a comprehensive acceptable use policy covering email, internet access, cloud storage, mobile devices, and physical assets
- 2.Document specific prohibited activities (unauthorized data sharing, personal use beyond scope, circumventing security controls, unauthorized software installation)
- 3.Define consequences for policy violations and enforcement mechanisms
- 4.Require signed acknowledgment from all employees and contractors before system access
- 5.Implement monitoring and logging to detect policy violations
- 6.Review and update policies annually or when business needs change
- 7.Provide training to ensure all users understand acceptable use requirements
Evidence auditors look for
- Signed acceptable use policy documents from all personnel with date and acknowledgment
- Access control logs showing policy enforcement and user restrictions
- Email and web usage monitoring reports demonstrating detection of violations
- Training completion records showing all users received acceptable use training
- Incident reports documenting policy violations and disciplinary actions taken
- Policy version history with approval dates from leadership
- Device inventory showing asset ownership and authorized use assignments
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates acceptable use policy documentation, tracks employee acknowledgments, and centralizes evidence of enforcement through integrated monitoring dashboards—eliminating spreadsheet tracking and reducing audit preparation time by weeks.
See how GRCWatch handles this control automatically
Start free trial