Acceptable Use of Information and Other Associated Assets
Plain English Translation
ISO 27001 Annex A.5.10 mandates that organizations establish clear rules for how employees and contractors are allowed to use company assets. This includes everything from laptops and mobile devices to email accounts, internet access, and social media. The goal is to prevent data breaches caused by misuse, such as installing unapproved software, visiting malicious websites, or sharing passwords, by ensuring everyone knows exactly what behavior is permitted and what is forbidden.
Technical Implementation
Required Actions (startup)
- Create a standard Acceptable Use Policy (AUP) and require signature at hiring
- Include basic clauses on password sharing, device locking, and reporting incidents
Required Actions (scaleup)
- Integrate policy acknowledgement into the HRIS onboarding workflow
- Expand AUP to explicitly cover Shadow IT, SaaS usage, and AI tool usage
Required Actions (enterprise)
- Implement technical enforcement where possible (e.g., CASB, web filtering)
- Conduct annual re-certification campaigns where all staff must re-sign the AUP
It is an organizational control requiring documented rules and procedures for the acceptable use and handling of information and associated assets to ensure personnel understand their security obligations.
In the 2013 version, this was control A.8.1.3 (Acceptable use of assets); the 2022 update renumbers it to A.5.10 and places it under Organizational controls, but the core requirement to identify, document, and implement rules remains consistent.
It should include rules on password protection, clear desk/screen, internet and email usage, mobile devices, social media, software installation, and reporting security incidents.
It applies to all employees, contractors, temporary staff, and any third parties who have access to the organization's information assets.
It covers information assets (databases, files), physical assets (laptops, phones), software assets, and intangible assets like internet access and company reputation.
First, identify relevant assets; second, draft specific usage rules for each; third, publish the Acceptable Use Policy; fourth, train employees; and finally, enforce the rules and log acknowledgments.
Auditors look for the documented Acceptable Use Policy, evidence that it is available to staff, and logs (signed agreements or digital acknowledgments) showing that employees have accepted it. WatchDog Security's Policy Management can help centralize the policy, maintain version control, and provide an acknowledgement trail that maps cleanly to A.5.10 audit requests.
Yes, if personal devices or external cloud services are used to process company data, rules regarding their acceptable use must be defined and documented.
The policy should be reviewed at planned intervals (typically annually) or whenever significant changes occur, such as the adoption of new technologies like AI or remote work tools.
Non-compliance can lead to security incidents, data breaches, and legal liability; internally, it typically triggers the Disciplinary Process (A.6.4) for the individuals involved.
A.5.10 is often written but hard to evidence because audits typically require proof that people received, understood, and accepted the rules, not just that the policy exists. WatchDog Security's Policy Management helps by managing versions of the AUP and tracking acknowledgements over time, so you can show who accepted which version and when during onboarding and annual re-certification.
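The acknowledgement-trail check described above (log acknowledgements, then show who accepted which AUP version and when) as an added example; this is illustrative code, not the page's or WatchDog Security's own, and the staff names, version numbers and dates are constructed sample data. It flags anyone without evidence for the current version, anyone whose acceptance is older than the annual re-certification window, and ignores acknowledgements dated before the version they claim to accept.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): AUP versions with their
# effective dates, and the signed/digital acknowledgements on record.
AUP_VERSIONS = {
    "1.0": date(2024, 1, 10),
    "1.1": date(2025, 3, 1),   # e.g. added Shadow IT, SaaS and AI tool clauses
}
ACKS = [  # (person, version acknowledged, date signed)
    ("alice", "1.0", date(2024, 1, 15)),
    ("alice", "1.1", date(2026, 1, 20)),  # re-signed at annual re-certification
    ("bob",   "1.0", date(2024, 2, 1)),   # never acknowledged 1.1
    ("carol", "1.1", date(2025, 3, 10)),  # accepted 1.1, but more than a year ago
    ("dave",  "1.1", date(2025, 9, 9)),   # hired after 1.1 went live
]
STAFF = ["alice", "bob", "carol", "dave", "erin"]  # erin has no record at all
AS_OF = date(2026, 6, 30)  # hypothetical audit date


def current_version(versions, as_of):
    """Latest AUP version whose effective date is on or before as_of."""
    live = [(eff, ver) for ver, eff in versions.items() if eff <= as_of]
    return max(live)[1] if live else None


def evidence_gaps(staff, acks, versions, as_of, max_age_days=365):
    """Return {person: reason} for everyone lacking valid acceptance evidence.

    Valid evidence means: an acknowledgement of the version current at as_of,
    dated on or after that version's effective date (an acknowledgement that
    predates the version cannot be evidence of it), and no older than
    max_age_days (the annual re-certification window)."""
    cur = current_version(versions, as_of)
    latest = {}  # person -> most recent valid acknowledgement of cur
    for person, ver, signed in acks:
        if ver != cur or signed < versions[ver] or signed > as_of:
            continue
        if person not in latest or signed > latest[person]:
            latest[person] = signed
    gaps = {}
    for person in staff:
        if person not in latest:
            gaps[person] = f"no acknowledgement of current AUP version {cur}"
        elif as_of - latest[person] > timedelta(days=max_age_days):
            gaps[person] = f"acknowledgement of {cur} older than {max_age_days} days"
    return gaps


if __name__ == "__main__":
    for who, why in sorted(evidence_gaps(STAFF, ACKS, AUP_VERSIONS, AS_OF).items()):
        print(f"{who}: {why}")
```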
Many AUP breaches happen when staff don't recognize risky behavior (e.g., unsafe sharing, shadow IT, or mishandling data on personal devices) rather than intentionally ignoring rules. WatchDog Security's Security Awareness Training helps reinforce acceptable-use expectations with role-based micro-courses and completion tracking, so the policy is supported by ongoing education and measurable participation.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |