A single employee forwarding sensitive data to a personal email, or a contractor spinning up an unapproved cloud tool, can trigger a data breach that no firewall would have caught. These are human-layer failures — and they happen because organizations assume people know the rules without ever writing them down. Control 5.10 exists to close that gap by requiring explicit, documented boundaries for how personnel interact with information and associated assets.
What 5.10 Requires
ISO 27001 Control 5.10 requires organizations to define, document, and communicate rules governing how personnel use information and the assets that store, process, or transmit it. As part of the broader ISO 27001 standard, this control addresses one of the most commonly overlooked risk areas: the behavior of the people who interact with your data every day. The control covers the full asset lifecycle — from creation and storage through transmission and disposal — and applies to every person who touches organizational data: employees, contractors, and third parties. The official ISO/IEC 27001:2022 specification places this control within Annex A’s organizational controls category, signaling that acceptable use is a governance issue, not a purely technical one.
The objective is straightforward. Organizations must make acceptable behavior explicit rather than assumed. That means documenting what people can and cannot do with data, how they should handle different classification levels, and what happens when someone crosses the line.
Without these rules, people default to their own judgment. Some will be cautious; many will take shortcuts. The resulting inconsistency is where security gaps form — not from malice, but from ambiguity. Control 5.10 eliminates that ambiguity by requiring a written, acknowledged, and enforced acceptable use policy.
Why 5.10 Matters
Consider an organization that operates without a documented acceptable use policy. Employees routinely sync work files to personal cloud storage for convenience. A departing contractor copies client data to an external drive because no one told them they couldn’t. A remote worker’s child accesses an unlocked laptop containing sensitive project files.
None of these scenarios involve sophisticated attackers or zero-day exploits. They are routine behaviors that become security incidents because the organization never established clear boundaries. The Verizon 2025 Data Breach Investigations Report found that nearly 60% of breaches involve a human element — reinforcing that policy gaps around acceptable use represent one of the largest attack surfaces most organizations leave unaddressed.
The risk classification for 5.10 failures spans insider threat, data leakage, and regulatory non-compliance. Severity ranges from moderate to high depending on the data classification involved. An employee syncing marketing collateral to a personal Dropbox is a policy violation; an employee syncing client health records to that same Dropbox is a reportable breach under HIPAA.
The consequences extend beyond data loss. Without a documented AUP, you have no grounds for disciplinary action when someone violates a rule that was never written. Auditors will flag a non-conformity during certification or surveillance audits, potentially blocking your ISO 27001 certification timeline. Regulators in GDPR, HIPAA, and PCI DSS jurisdictions expect documented acceptable use controls, and their absence creates regulatory exposure alongside the security risk. In practice, the absence of an AUP means your organization is accepting unquantified risk from the people who have the most access to your data — your own workforce. This risk extends to your supply chain as well, where vendor risk management programs depend on vendors maintaining their own acceptable use controls.
What Attackers Exploit
When acceptable use policies are absent or poorly enforced, attackers and insiders exploit predictable failure modes:
- Absent or outdated policies that personnel never signed — Without acknowledgment, employees can credibly claim ignorance of any restriction.
- No rules for personal device usage (BYOD) — Shadow IT proliferates as employees adopt unapproved apps and services outside security team visibility.
- Uncontrolled data transfers — Personal email accounts and consumer-grade cloud services become unmonitored exfiltration channels. Without data loss prevention tools referenced in the policy, these transfers are invisible to security teams.
- Missing disposal procedures — Sensitive data persists on decommissioned hardware, old laptops, and retired storage media.
- No monitoring disclosure — Monitoring deters violations only when personnel know it exists. If the AUP never states that use of assets is monitored, the deterrent effect disappears, and acting on what monitoring detects rests on a rule that was never communicated.
- Lack of consequences for violations — If the AUP isn’t linked to a formal disciplinary process, policy violations carry no weight.
How to Implement 5.10
Implementing Control 5.10 requires more than writing a policy document. It demands a lifecycle approach: draft, approve, distribute, train, monitor, and review. Most organizations treat acceptable use as a one-time HR checkbox — sign a form during onboarding and never revisit it. That approach fails because the threat landscape, technology stack, and working patterns change faster than a static document can reflect.
The implementation differs depending on whether you’re building controls for your own organization or assessing them at a vendor.
For Your Organization (First-Party)
1. Draft the acceptable use policy. Cover permitted and prohibited behaviors, personal use boundaries, data handling rules by classification level, monitoring disclosure, and consequences for violations. Be specific — a policy that says “use assets responsibly” is unenforceable. Define what “acceptable” means for each asset class: email, cloud storage, removable media, mobile devices, and network resources. Specify what personal use (if any) is permitted and under what conditions.
2. Secure management approval and link to the disciplinary process. The AUP needs executive sign-off and a direct connection to HR’s disciplinary framework. Without this link, the policy is guidance, not governance.
3. Distribute and require signed acknowledgment. Every person who accesses organizational systems — employees, contractors, third parties — must acknowledge the AUP before receiving access. This creates both awareness and accountability.
4. Address BYOD, cloud services, and remote work. These scenarios generate the most policy gaps. Specify which personal devices are permitted, which cloud services are approved, and what restrictions apply when working outside the office.
5. Train personnel during onboarding and annually. Reading and signing the policy is the baseline. Training reinforces the rules and provides an opportunity to address questions and edge cases.
6. Review and update at least annually. Technology, threats, and working patterns change. An AUP written before widespread remote work is already outdated. Trigger reviews after significant organizational or technology changes — new cloud platforms, acquisitions, shifts to hybrid work — as well as after security incidents that reveal policy gaps.
7. Produce and retain evidence. Auditors will request signed acknowledgments, training completion records, and policy version history. Build these into your document management and HR systems from the start. For a complete view of what certification requires, use an ISO 27001 implementation checklist to track progress across all controls.
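The steps above leave behind three evidence sets that auditors cross-check: who holds access, who acknowledged which AUP version and when, and who completed training. The following script is an added example (not code from the original article or from UpGuard) that reconciles those sets the way an internal audit would: it flags active users with no acknowledgment, users whose access predates their first acknowledgment (step 3), users who have not acknowledged the current policy version, users whose training is missing or older than a year (step 5), and it checks whether the policy itself is overdue for its annual review (step 6). The record shapes and all sample records are constructed for illustration and are not the export format of any particular identity provider or HR system.

```python
"""Reconcile access, AUP acknowledgment and training evidence for Control 5.10.

Added example. The dataclass shapes below are assumptions standing in for
exports from an identity provider, a policy-acknowledgment tool and an LMS;
every record in the sample data is constructed, not taken from a real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CURRENT_AUP_VERSION = "3.1"              # version personnel must have acknowledged
REVIEW_INTERVAL = timedelta(days=365)    # "review and update at least annually"
TRAINING_INTERVAL = timedelta(days=365)  # "train during onboarding and annually"


@dataclass(frozen=True)
class AccessRecord:
    user: str
    active: bool
    granted: date  # date system access was first granted


@dataclass(frozen=True)
class Acknowledgment:
    user: str
    version: str
    signed: date


@dataclass(frozen=True)
class TrainingRecord:
    user: str
    completed: date


def reconcile(access, acks, training, as_of, version=CURRENT_AUP_VERSION):
    """Return {user: [issues]} for every active user with an evidence gap."""
    first_ack = {}       # user -> earliest acknowledgment of any AUP version
    current_ack = set()  # users who acknowledged the current version
    for a in acks:
        if a.user not in first_ack or a.signed < first_ack[a.user]:
            first_ack[a.user] = a.signed
        if a.version == version:
            current_ack.add(a.user)

    last_training = {}   # user -> most recent training completion
    for t in training:
        if t.user not in last_training or t.completed > last_training[t.user]:
            last_training[t.user] = t.completed

    findings = {}
    for rec in access:
        if not rec.active:
            continue  # de-provisioned users are a 5.11 (return of assets) matter
        issues = []
        if rec.user not in first_ack:
            issues.append("no AUP acknowledgment on file")
        elif first_ack[rec.user] > rec.granted:
            issues.append("access granted before first AUP acknowledgment")
        if rec.user not in current_ack:
            issues.append(f"current AUP version {version} not acknowledged")
        done = last_training.get(rec.user)
        if done is None:
            issues.append("no AUP training record")
        elif as_of - done > TRAINING_INTERVAL:
            issues.append("AUP training older than 12 months")
        if issues:
            findings[rec.user] = issues
    return findings


def policy_review_overdue(approved, as_of, interval=REVIEW_INTERVAL):
    """True when the AUP has not been re-approved within the review interval."""
    return as_of - approved > interval


# Constructed sample evidence (hypothetical users and dates).
ACCESS = [
    AccessRecord("alice", True, date(2024, 1, 10)),
    AccessRecord("bob", True, date(2024, 6, 1)),
    AccessRecord("carol", True, date(2025, 4, 1)),  # contractor onboarded on 3.1
    AccessRecord("dave", False, date(2023, 2, 1)),  # departed; access revoked
]
ACKS = [
    Acknowledgment("alice", "3.0", date(2024, 1, 8)),
    Acknowledgment("alice", "3.1", date(2025, 3, 20)),
    Acknowledgment("bob", "3.0", date(2024, 6, 3)),  # signed two days after access
    Acknowledgment("carol", "3.1", date(2025, 4, 1)),
]
TRAINING = [
    TrainingRecord("alice", date(2025, 2, 1)),
    TrainingRecord("bob", date(2024, 5, 15)),
]
AUP_APPROVED = date(2025, 3, 15)  # management approval date of version 3.1
AS_OF = date(2025, 11, 1)         # date the evidence review is run

if __name__ == "__main__":
    for user, issues in sorted(reconcile(ACCESS, ACKS, TRAINING, AS_OF).items()):
        print(f"{user}: " + "; ".join(issues))
    print("policy review overdue:", policy_review_overdue(AUP_APPROVED, AS_OF))
```

Run against the sample data, the script reports nothing for alice, three gaps for bob (acknowledged after access, never acknowledged the current version, stale training), one for carol (no training record), and confirms the policy review is not yet overdue. In a real deployment the three input lists would be fed from the identity provider, the acknowledgment tool and the LMS exports, and the output becomes the gap list handed to HR before the surveillance audit.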
Tooling categories that support 5.10 implementation: document management systems for policy distribution and version control, identity providers (Okta, Microsoft Entra ID) for access gating behind acknowledgment, endpoint management (MDM) for BYOD enforcement, and DLP solutions for monitoring data handling compliance.
Common mistakes to avoid:
- Writing a policy too vague to enforce
- Not requiring acknowledgment before granting system access
- Ignoring BYOD and personal cloud services in the policy
- No link between the AUP and the disciplinary process
- Set-and-forget — never reviewing or updating the policy
For Your Vendors (Third-Party Assessment)
When assessing vendor compliance with 5.10, move beyond self-attestation with targeted questions and evidence requests. Understanding the full scope of third-party risk requirements under ISO 27001 helps contextualize where 5.10 fits within vendor due diligence.
Questions to ask:
- Does the vendor maintain a documented acceptable use policy?
- Is the AUP acknowledged by all personnel with access to your data?
- Does the policy extend to third-party subcontractors?
- When was the AUP last reviewed and updated?
Evidence to request:
- The AUP document itself
- Sample acknowledgment records (redacted for privacy)
- Training completion records showing AUP coverage
Red flags that signal weak implementation:
- No formal AUP exists
- The policy hasn’t been updated in more than two years
- No signed acknowledgments on file
- No link between the AUP and a disciplinary process
- The policy doesn’t address cloud services or BYOD
Verification beyond self-attestation: Request a sample of recent acknowledgment logs to confirm the process is active, not historical. Check whether the AUP is referenced in onboarding documentation, which indicates it’s embedded in the vendor’s operational workflow rather than filed away. If the vendor provides SOC 2 Type II reports, look for controls related to acceptable use and verify that no exceptions or qualifications were noted by the auditor. A vendor whose AUP exists only as a document — with no evidence of distribution, acknowledgment, or enforcement — presents a higher risk than one with a simpler policy that’s actively managed. A structured vendor questionnaire template can standardize these assessments across your vendor portfolio.
Audit Evidence for 5.10
Auditors evaluating Control 5.10 look for documented proof that acceptable use rules exist, are communicated, and are enforced. The following evidence types cover the typical audit scope:
| Evidence Type | Example Artifact |
|---|---|
| Acceptable Use Policy | Documented AUP defining permitted/prohibited behaviors, data handling rules, monitoring disclosure, and consequences for violations |
| Signed Acknowledgments | Employee and contractor sign-off records confirming AUP receipt and understanding, collected before system access is granted |
| Training Records | Onboarding and annual refresher training completion logs showing AUP coverage |
| Policy Review History | Version control log demonstrating annual review and management approval of AUP updates |
| Monitoring Configuration | Screenshots or configuration exports from DLP, web filtering, or email monitoring tools referenced in the AUP |
| Disciplinary Process Link | HR policy or procedure document showing the AUP is connected to formal disciplinary actions |
| BYOD/Cloud Use Rules | Supplementary policy or AUP section addressing personal devices and approved cloud services |
Maintain these artifacts in a centralized document management system with clear version control. Auditors value evidence that demonstrates an active, maintained process — not a one-time documentation exercise. For detailed guidance on what auditors expect across all controls, see this guide on ISO 27001 audit preparation.
Cross-Framework Mapping
Organizations operating under multiple compliance frameworks can map Control 5.10 to equivalent controls elsewhere, reducing duplicate effort and demonstrating unified governance. The table below maps 5.10 to its closest equivalents across major frameworks.
| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| NIST 800-53 | MP-02 (Media Access) | Partial — covers access restrictions on media containing information |
| NIST 800-53 | MP-04 (Media Storage) | Partial — addresses secure storage of media |
| NIST 800-53 | MP-05 (Media Transport) | Partial — covers protection of media during transport |
| NIST 800-53 | MP-06 (Media Sanitization) | Partial — addresses disposal and sanitization of media |
| NIST 800-53 | MP-07 (Media Use) | Direct — governs restrictions on media types and usage |
| NIST 800-53 | PE-16 (Delivery and Removal) | Partial — controls physical asset movement |
| NIST 800-53 | PE-18 (Location of Information System Components) | Partial — addresses physical placement of assets |
| NIST 800-53 | PE-20 (Asset Monitoring and Tracking) | Partial — covers tracking of physical assets |
| NIST 800-53 | PL-04 (Rules of Behavior) | Direct — requires documented rules of behavior for system users |
| NIST 800-53 | SC-08 (Transmission Confidentiality and Integrity) | Partial — covers protection of transmitted information |
| NIST 800-53 | SC-28 (Protection of Information at Rest) | Partial — addresses protection of stored information |
| SOC 2 | CC6.1 (Logical and Physical Access Controls) | Partial — overlaps on access restrictions and usage policies |
| CIS Controls v8.1 | Control 3 (Data Protection) | Partial — covers data handling practices and classification |
| NIST CSF 2.0 | PR.DS (Data Security) | Partial — addresses data security practices across the lifecycle |
The NIST SP 800-53 Rev. 5 mapping is particularly relevant for organizations pursuing FedRAMP authorization or operating in U.S. federal supply chains. PL-04 (Rules of Behavior) is the closest direct equivalent — it requires the same type of documented, acknowledged usage rules that 5.10 mandates. The MP-series controls collectively address the media-handling dimensions of acceptable use, while SC-08 and SC-28 cover the transmission and storage protections that an AUP should reference.
For organizations managing SOC 2 and ISO 27001 simultaneously, CC6.1’s overlap with 5.10 means a well-structured AUP can serve both frameworks. The CIS Controls v8.1 mapping to Control 3 (Data Protection) is broader — it encompasses data protection practices that go beyond acceptable use — but the policy foundation required by 5.10 directly supports CIS Control 3’s implementation. Recognizing these overlaps lets you build one policy artifact that satisfies multiple audit requirements rather than maintaining parallel documents.
Related ISO 27001 Controls
Control 5.10 does not operate in isolation. It connects to a network of controls that collectively govern how assets are identified, classified, handled, and ultimately returned or disposed of.
| Control ID | Control Name | Relationship |
|---|---|---|
| 5.9 | Inventory of information and other associated assets | AUP applies to assets identified in inventory |
| 5.11 | Return of assets | AUP governs use until return; return process enforces end-of-use rules |
| 5.12 | Classification of information | AUP handling rules depend on classification levels |
| 5.13 | Labelling of information | Labelling supports AUP enforcement by making classification visible |
| 5.14 | Information transfer | AUP defines permitted transfer methods and channels |
| 6.2 | Terms and conditions of employment | Employment contracts reference AUP obligations |
| 6.4 | Disciplinary process | AUP violations trigger the disciplinary process |
| 6.5 | Responsibilities after termination | Post-employment obligations extend AUP commitments |
| 7.10 | Storage media | AUP disposal rules align with media handling controls |
| 8.1 | User endpoint devices | AUP covers acceptable use of endpoints including BYOD |
The strongest dependencies are with 5.9 (you cannot write acceptable use rules for assets you haven’t inventoried), 5.12 (handling rules must align with classification levels), and 6.4 (the AUP needs enforcement teeth through the disciplinary process). When building your implementation plan, address 5.9 and 5.12 before 5.10 — the asset inventory and classification scheme inform what the AUP needs to cover. Similarly, coordinate with HR on 6.2 and 6.4 early, since the employment contract language and disciplinary framework need to reference the AUP before it can function as an enforceable control.
Frequently Asked Questions
What is ISO 27001 5.10?
ISO 27001 Control 5.10 requires organizations to document and communicate rules for how personnel use information and associated assets across their entire lifecycle. For a broader overview, see the ISO/IEC 27001 glossary entry. The control ensures everyone — employees, contractors, and third parties — understands what constitutes acceptable and prohibited behavior when handling organizational data.
What happens if 5.10 is not implemented?
Without a documented acceptable use policy, personnel default to ad-hoc behavior that creates unpredictable security gaps — shadow IT proliferates, data transfers go unmonitored, and the organization has no formal grounds for disciplinary action. Auditors will flag a non-conformity, and regulatory exposure increases in jurisdictions that require documented usage controls.
How do you audit 5.10?
Auditors verify that a documented acceptable use policy exists, has been acknowledged by all personnel before system access, and is actively maintained. Key evidence includes signed acknowledgments, training completion records, policy version history showing regular reviews, and a documented link between the AUP and the organization’s disciplinary process.
How UpGuard Helps
Connect acceptable use controls to continuous vendor monitoring. UpGuard’s platform lets you verify that vendors maintain and enforce acceptable use policies as part of a broader third-party risk management program — giving you visibility into vendor compliance posture without relying on point-in-time assessments alone. Learn more about UpGuard.