ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Assets | The Lead Auditor Podcast

Published 02 Jan 2026

Stuart Barker


Description:
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets. The podcast explores what it is, why it is important and the path to compliance.

✅ *The Ultimate ISO 27001 Toolkit* - https://hightable.io/iso-27001-toolkit-pricing/

The auditor-approved toolkit for guaranteed ISO 27001 compliance.

Read the full article: ISO 27001 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets Ultimate Guide - https://hightable.io/iso-27001-annex-a-5-10-acceptable-use-of-information-and-other-associated-assets/

Here we look at the most human part of security. It is ISO 27001 Annex A 5.10.

The official name is "Acceptable use of information and other associated assets."

We want to go past the simple checkboxes. You need to know the steps to satisfy an auditor. You also need to know how to protect your assets. If you are building your security system, this is the key to accountability.

*Setting the Ground Rules*

Let’s get into it. This rule forces a key talk inside your business. What are the ground rules?

It is all about consent. You cannot blame someone for breaking a rule if they did not know it existed. They can just say, "I didn't know."

So, rule A 5.10 makes sure everyone knows the limits. This includes staff and contractors. It is your best defence.

*What the Standard Says*

What does the rule actually say? It is very clear. You must identify, write down, and use rules for handling assets.

You have to define the rules. You need steps people can follow. And you must prove you are using them. Having a policy on a shelf is not enough. The goal is to stop bad things before they happen. We trust people, but we cannot just rely on common sense.

This rule mixes two old ideas: "using" assets and "handling" assets. The standard says these are the same thing. You do not just use a file. You handle it, store it, share it, and delete it. Your rules must cover all of these steps.

*The Four Must-Dos*

To pass this check, you must do four main things:

Tell Everyone: Make sure all staff and contractors know your security rules. No exceptions.

Assign Jobs: Make people responsible for how they use company items.

Write a Policy: You need a solid "Acceptable Use Policy" (AUP).

Write the Steps: Make sure the steps to follow the policy are written down and used.

*Writing Your Policy*

Your policy is the main document. It must be clear. It needs to cover three areas:

Expected Behaviour: What should people do? For example, "Use work email for work."

Unacceptable Behaviour: Be clear on what is bad. No bad software. No bad websites. No sharing secrets on personal chat apps.

Monitoring: This is the big one. You must tell people you might watch their activity. This builds trust because you are honest. It also protects you legally. It removes the expectation of privacy on work computers.

*The Full Life Cycle*

You need procedures for every stage of a file's life.

Creation and Storage: Do people know how to label a new file? Is it public or secret? Your rules must say where to save it. For example, "Do not put secret data on your personal cloud drive."

Transfer: How do you move data? Do not use personal WhatsApp for work. If you email a report, you must protect the copy just like the original. You may need to use encryption.

Disposal: This is the stage people forget. You cannot just drag a file to the trash. You need a real method. Shred paper. Use wipe software for digital files. If the data is secret, you need proof it was destroyed.

*The Cloud and Shadow IT*

What about tools you use but do not own? This includes cloud tools. Auditors look at this closely.

You must list these tools in your inventory. Then, you must enforce your rules through contracts. For example, if your policy says "No data leaves the country," your cloud contract must promise that too.

Also, watch out for "Shadow IT." This is when a worker signs up for a free tool on their own. This breaks the rules. Your policy must say how to get approval for new tools.

*How to Pass the Audit*

How do you prove you did this? The auditor wants three things:

The Policy: It must be current and approved.

The Procedures: The written steps.

Proof of Acceptance: This is the most important part. You need proof that every single person read and accepted the rules.

Auditors will check if the policy is current. But then, they will ask for proof. They might pick 20 random people. They will say, "Show me proof that these 20 people accepted the policy."

If you cannot show this, you fail. An email or a link is not enough. You need a log, a digital signature, or a certificate.

#iso27001 #iso27001certification
