Control 5.10 states that the rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
The goal of such policies is to set out clear guidelines of how users should behave when working with information assets, to ensure confidentiality, integrity and availability of the organisation’s information security assets.
The Acceptable Use of Information Assets Policy (AUA) applies to all members of an organisation and assets owned or operated by the organisation. The AUA applies to all uses of Information Assets for any purpose, including commercial.
The following are examples of Information Assets:
Acceptable use of information and other associated assets means using information assets in ways that do not put at risk the availability, reliability, or integrity of data, services or resources. It also means using them in ways that do not violate laws or the organisation’s policies.
Jump to Topic 
The new ISO 27002:2022 standard comes with attribute tables which are not found in the 2013 version. Attributes are a way to classify controls.
They also allow you to match your control selection with commonly used industry terms and specifications. The following controls are available in control 5:10.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset management #Information protection | #Governance and Ecosystem #Protection |
The overarching objective of this control is to ensure information and other associated assets are appropriately protected, used and handled.
Control 5.10 was designed to ensure that policies, procedures and technical controls are in place to prevent users from inappropriately accessing, using or disclosing information assets.
This control aims to provide a framework for organisations to ensure that information and other assets are appropriately protected, used and handled. This includes ensuring that the policies and procedures exist at all levels within the organisation, as well as ensuring that those policies and procedures are consistently enforced.
Implementing control 5.10 as part of your ISMS means that you have put in place the various requirements related to how your company protects IT assets including:
Emmie Cooney Operations Manager, AmigoIt helps drive our behaviour in a positive way that works for us
& our culture.
We started off using spreadsheets and it was a nightmare. With the ISMS.online solution, all the hard work was made easy.Perry Bowles Technical Director ZIPTECH 100% of our users pass certification first time
In order to meet the requirements for control 5.10 in ISO 27002:2022, it is important that employees and external parties who use or have access to the organisation’s information and other associated assets are aware of the organisation’s information security requirements.
These people should be held accountable for any information processing facilities that they use.
Everyone involved in the use or handling of information and other associated assets should be made aware of the organisation’s policy on acceptable use of information and other related assets.
Everyone involved in the use or handling of information and other associated assets should be made aware of the organisation’s policy on permissible use of information and other associated assets. As part of a topic-specific acceptable use policy, personnel should know exactly what they are expected to do with information and other assets.
In particular, topic-specific policy should state that:
a) expected and unacceptable behaviours of individuals from an information security perspective;
b) permitted and prohibited use of information and other associated assets;
c) monitoring activities being performed by the organisation.
Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification and determined risks. The following items should be considered:
a) access restrictions supporting the protection requirements for each level of classification;
b) maintenance of a record of the authorised users of information and other associated assets;
c) protection of temporary or permanent copies of information to a level consistent with the
protection of the original information;
d) storage of assets associated with information in accordance with manufacturers’ specifications;
e) clear marking of all copies of storage media (electronic or physical) for the attention of the
authorised recipient;
f) authorisation of disposal of information and other associated assets and supported deletion method(s).
The new 2022 revision of ISO 27002 was published on February 15, 2022, and is an upgrade of ISO 27002:2013.
The control 5.10 in ISO 27002:2022 is not a new control, rather, it is a combination of controls 8.1.3 – acceptable use of assets and 8.2.3 – handling of assets in ISO 27002:2013.
While the essence and implementation guidelines of control 5.10 is relatively the same with controls 8.1.3 and 8.2.3, control 5.10 merged both the acceptable use of assets and the handling of assets into one control to allow for improved user-friendliness.
However, control 5.10 also added an extra point to control 8.2.3. This covers authorisation of disposal of information and other associated assets and the supported deletion method(s).
