ISO27001:2022 - Annex A 5.10 - What’s changed?

Establishing what is considered acceptable use of your information and assets is a crucial step in securing your organisation.

Written By: Mia Davis

Threats to your organisation’s privacy and security are continuously on the rise, and it is more vital than ever to ensure your organisation implements measures to combat them. ISO27001 lays out the requirements for implementing an effective information security management system (ISMS) within your organisation, and with the introduction of the 2022 version of the standard these requirements have been recategorised and further clarified. Annex A 5.10, Acceptable Use of Information and Other Associated Assets, sits in the new Organisational controls theme.

What is acceptable use?

Acceptable use dictates how information, systems, and other assets may be used in your organisation. This is achieved by implementing guidelines and policies that set out these requirements. Typically, these list what a user is and is not permitted to do when accessing and using your organisation’s resources, covering areas such as devices, applications, and information. Acceptable use policies are designed to protect the confidentiality, integrity, and availability of your assets while ensuring that every user understands their responsibilities when handling them.

Establishing an acceptable use policy is a key component of your information security compliance. It helps mitigate risks such as data breaches, cyber attacks, and other security threats by setting clear expectations and boundaries for users and their behaviour. By educating users on safe and appropriate practices when engaging with your systems, your organisation can reduce the likelihood of any action, accidental or intentional, that could compromise its security. One example is prohibiting personal devices from being used for work-related tasks: personal devices are less likely to have proper security measures in place, so excluding them helps prevent unauthorised access and data leaks.

Defining the acceptable use of information and assets is also crucial for your organisation’s legal and regulatory compliance, for example with GDPR (General Data Protection Regulation) in Europe or HIPAA (Health Insurance Portability and Accountability Act) in the US. Measures such as acceptable use policies help ensure that your organisation’s practices are aligned with these legal requirements, avoiding potential fines, legal action, and reputational damage. By clearly defining what counts as acceptable and unacceptable use of assets and information, your organisation can demonstrate due diligence in protecting sensitive information and its compliance with applicable laws, regulations, and standards.

Acceptable use of assets is a common control across many standards. One example is the NHS DSPT (Data Security and Protection Toolkit), a self-assessment tool that must be completed by any organisation that wishes to access NHS data or systems. This is explicitly stated in evidence item 4.3.1, which requires your organisation’s system administrators to have signed an enhanced acceptable use policy statement.

What is Annex A 5.10?

Annex A 5.10 is all about the Acceptable Use of Information and Other Associated Assets. This control expects you to establish an acceptable use policy covering information and other assets in your organisation, and to make employees aware of it and train them so they know their responsibilities and what is required of them. This policy should outline:

  • How users should and should not behave when handling information and assets.
  • What users can and can’t do with the organisation’s information and assets.
  • How your organisation monitors information and asset use.

Your organisation should also establish procedures for acceptable use that cover the entire information lifecycle, taking into account the information’s classification and the risks identified. These should include procedures covering:

  • Access restrictions based on the information’s sensitivity.
  • Recording who is authorised to use information and assets.
  • Protecting copies of information with the same measures as the originals.
  • Storing information and assets according to manufacturer guidelines.
  • Clearly marking all copies of storage media, electronic or physical, for the attention of the authorised recipient.
  • Authorising and securely disposing of information and assets when they are no longer needed.

So what’s changed?

ISO27002 is the companion standard to ISO27001: it provides implementation guidance for each of the controls listed in Annex A. Comparing the ISO27002 guidance for a control across the 2013 and 2022 editions is the most concrete way to establish what has changed in the ISO27001 version of that control. In terms of the 2013 standard, 5.10 is a merger of Annex A 8.1.3, Acceptable use of assets, and 8.2.3, Handling of assets. The aim is to make the control more concise and easier to apply.

The substantive requirements of this control have not changed, with one addition: the 2022 guidance now explicitly calls for authorised disposal of information and other associated assets, and for the supported deletion method(s) to be specified.

How Harpe can help you implement Annex A 5.10

Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market to make compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.

Harpe has a robust documentation system, allowing you to track your policies and procedures simply and efficiently. We’ll remind you when these are due for review, so you can keep on top of your acceptable use policy and its status.

Keep your employees up-to-date with your policies and procedures easily with our built-in training feature, guiding your employees through your uploaded policies and procedures. Harpe will track their completion status and send out reminders annually to refresh training, making it simple to inform your employees on what is acceptable usage of systems in your organisation.

With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.

Image designed by Freepik
