The basics
ISO 27001 control A.5.10 Acceptable use of information and other associated assets requires companies to define, document, and implement rules for the proper use of information and related assets. This is important because it enables all personnel to understand their security responsibilities and how to fulfill them.
Documentation
ISO 27001 control A.5.10 Acceptable use of information and other associated assets can be documented through an Acceptable Use Policy or an IT Security Policy.
This control must be documented.
Implementation
In order to comply with control A.5.10 Acceptable use of information and other associated assets you might implement the following:
- Technology — the technology to enforce acceptable use of information and related assets may include access control lists in software, monitoring applications, and physical or logical segregation of networks. Small companies may use features available in each device to enforce acceptable use, while bigger companies may use network software to manage rules in a centralized way.
- Organization/processes — you should set up a process for defining what users can and cannot do with the information and assets they are allowed to access. You can document those processes through an Acceptable Use Policy or an IT Security Policy.
- People — make employees aware of what they can and cannot do with the information and assets they are allowed to access, and train them on how to perform the required activities.
Audit evidence
During the audit, the auditor might look for the following evidence regarding control A.5.10 Acceptable use of information and other associated assets: whether rules for the proper use of information and related assets are defined, documented, and implemented.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.