Abdul Samad Saleem
August 28, 2025
ISO 27001 Control 5.10 defines the acceptable use of information and assets, ensuring employees and third parties follow clear rules for data security. A strong Acceptable Use Policy reduces insider threats, builds accountability, and keeps your business compliant.
Introduction
If your organization’s data and devices were your house, would you let guests walk in, rearrange your furniture, and leave the door unlocked?
Probably not.
That’s exactly why ISO 27001 Control 5.10 exists: to set clear, enforceable rules on how information and its associated assets may be used.
This control ensures everyone in your organization knows what’s allowed, what’s not, and why it matters when handling company data and resources.
Summary of Control 5.10: Acceptable Use of Information and Other Associated Assets
🔒 Control Title: Acceptable Use of Information and Other Associated Assets
📘 Source: ISO/IEC 27002:2022, Section 5.10
🧩 Control Category: Organizational
🔍 Attributes:
- Control Type: #Preventive
- Security Properties: #Confidentiality, #Integrity, #Availability
- Cybersecurity Concepts: #Protect
- Operational Capabilities: #Policy_Enforcement, #User_Awareness
- Security Domain: #Protection_and_Defense
Control Objective
To ensure all employees, contractors, and third parties use organizational information and assets responsibly, in a way that safeguards security and aligns with business policies.
Implementation Guidance
1) Develop an Acceptable Use Policy (AUP):
- Cover all types of assets: laptops, mobile devices, email systems, cloud accounts, and physical documents
- Include rules for data handling, access, sharing, storage, and disposal
2) Specify Prohibited Activities:
- Examples:
  - Installing unauthorized software
  - Sharing confidential files without approval
  - Using company devices for illegal activities
  - Connecting personal devices to corporate networks without authorization
3) Educate and Acknowledge:
- Provide training on acceptable use at onboarding and refresher sessions
- Require employees to sign an acknowledgment of the policy
4) Link to Consequences:
- Define disciplinary actions for violations, from warnings to termination, depending on severity
5) Review and Update Regularly:
- Update the policy when new technologies, threats, or regulations emerge
Why This Control Matters
Without clear rules:
- Employees may unintentionally expose sensitive data
- Shadow IT and unsafe practices can grow unnoticed
- Legal and regulatory violations become more likely
With a strong acceptable use policy:
- Users understand boundaries and responsibilities
- Security culture improves through shared accountability
- Risk of insider threats and accidental breaches decreases
Common Pitfalls to Avoid
- Writing a policy that’s too vague or too technical for employees to follow
- Failing to provide training, leaving rules unread and forgotten
- Ignoring enforcement, making the policy a “paper tiger”
- Applying rules inconsistently across departments or teams
Canadian Cyber’s Take
At Canadian Cyber, we help organizations craft clear, practical acceptable use policies that employees actually follow.
We combine security expertise with real-world usability so your policies protect your data without slowing your business down.
Ready to Set the House Rules for Your Organization’s Assets?
We can help you design, implement, and enforce acceptable use policies that keep your people informed and your business secure.