ISO27001 – Control 5.10 – Acceptable use of information and other associated assets


Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

What this means

This is all about ensuring that information and associated assets are appropriately protected, used and handled. You should have a procedure which documents the rules for acceptable use and the protection of assets.

The organisation should identify the staff and external party users using or having access to the organization’s information and other
associated assets and make them aware of the requirements for protecting and handling the organisation’s information and other assets (think devices, Intellectual property etc). Any information processing facilities should also have appropriate controls in place.

The Acceptable Use Policy should be communicated to anyone who uses or handles information and other organisational assets and it should provide clarity on how individuals are expected to use and protect business assets. The Acceptable Use Policy should include guidance on:
a) expected and unacceptable behaviours of individuals from an information security perspective;
b) permitted and prohibited use of information and other associated assets;
c) monitoring activities being performed by the organization.

The Acceptable Use Policy should cover the life cycle of information assets in accordance with its classification and any identified risks. Consideration should be given to:
a) restrictions being put in place to only allow access to assets for each level of classification;
b) maintenance of a record of the authorized users of information and other associated assets;
c) protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
d) storage of assets associated with information in accordance with manufacturers’ specifications;
e) clear marking of all copies of storage media (electronic or physical) for the attention of the authorized recipient;
f) authorization of disposal of information and other associated assets and an identified deletion method.

Other Considerations

It is sometimes the case that assets may not belong to the organisation such as the use of cloud services. Any use of third party assets should be identified and appropriate controls implemented, usually through written agreements with the third party provider.  Care also needs to be taken when working in shared office environments.

If you want to talk about information security in your organisation then please book a free call here or email us here