Acceptable Use Policies for Information and Assets
Create and communicate rules for how information and assets should be used to ensure security.
Plain language
This control is about setting clear rules on how everyone in the organisation should use information and company resources, like computers and data. It's important because if people misuse these resources, it can lead to data breaches or loss, which can be costly and damaging to the organisation's reputation.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
Why it matters
Without acceptable use rules, staff may mishandle information or assets, causing data leakage, malware infection, and regulatory or reputational damage.
Operational notes
Review and train on acceptable use for email, internet, cloud apps, BYOD and remote work; define prohibited actions, monitoring, and sanctions.
Implementation tips
- The IT manager should develop an acceptable use policy that clearly outlines what is considered appropriate and inappropriate use of information and equipment. This can be done by listing specific do's and don'ts and aligning them with security guidelines from ISO 27002:2022.
- HR should ensure that all employees and external partners are aware of the acceptable use policy. This involves including these guidelines in the onboarding process and having employees sign off that they understand the policy.
- The IT department should set up monitoring systems to track adherence to the acceptable use policy. This can be done by using log files and alerts that indicate unusual access or misuse of assets (for example uploads to unauthorised file-sharing services, use of removable media, or access outside normal hours) to help identify potential security threats. The scope of that monitoring should itself be stated in the policy, so staff know what is observed and the evidence can be used fairly in any sanctions process.
- Management should regularly review and update the acceptable use policy to ensure it remains relevant. This might involve consulting with IT and compliance specialists to incorporate changes in the regulatory landscape like updates from the Privacy Act 1988.
- The IT manager should implement a clear procedure for handling violations of the acceptable use policy. This could include disciplinary actions or additional training sessions to prevent future breaches.
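The monitoring tip above is the one technical step in this list. The following script is an added example (not from the original page or any named product) of what "log files and alerts that indicate misuse" looks like in practice: it scans proxy-style log lines for large uploads to online file services the policy does not authorise, the behaviour ISM-0824 in the mappings below also addresses. The log layout (`timestamp user method host bytes_sent`), the domain lists, the 1 MB threshold and the sample lines are all constructed for illustration; a real deployment would take them from the organisation's own policy and proxy.

```python
"""Example AUP monitoring check: flag large uploads to unauthorised file services.

Added example, not part of the original page. Log layout, domain lists,
threshold and sample lines are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed: services the (hypothetical) AUP does not authorise for company files.
UNAUTHORISED_FILE_SERVICES = {"wetransfer.com", "mega.nz", "anonfiles.com"}

# Constructed: the sanctioned corporate file service; traffic to it is never flagged.
SANCTIONED_FILE_SERVICES = {"sharepoint.example.com"}

# HTTP methods that carry data out of the organisation.
UPLOAD_METHODS = {"POST", "PUT"}

# Assumed log layout: "<timestamp> <user> <method> <host> <bytes_sent>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def domain_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_violations(lines, min_bytes=1_000_000):
    """Flag uploads of at least min_bytes to an unauthorised file service.

    Returns (violations, skipped): the flagged records plus the number of
    non-empty lines that did not parse, so gaps in the evidence are visible.
    """
    violations, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        if domain_matches(rec["host"], SANCTIONED_FILE_SERVICES):
            continue  # sanctioned service: allowed regardless of size
        if (rec["method"] in UPLOAD_METHODS
                and rec["bytes"] >= min_bytes
                and domain_matches(rec["host"], UNAUTHORISED_FILE_SERVICES)):
            violations.append(rec)
    return violations, skipped


def summarise_by_user(violations):
    """Count flagged uploads per user, so repeat offenders stand out."""
    return dict(Counter(v["user"] for v in violations))


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2026-03-19T09:12:03Z alice POST upload.wetransfer.com 52428800
2026-03-19T09:15:41Z bob GET www.example.com 1200
2026-03-19T10:02:17Z alice PUT sharepoint.example.com 104857600
2026-03-19T10:40:55Z carol POST mega.nz 2048000
2026-03-19T11:05:09Z carol GET mega.nz 500
2026-03-19T11:30:00Z dave POST anonfiles.com 100
this line is malformed and should be counted as skipped
"""


if __name__ == "__main__":
    found, skipped = find_violations(SAMPLE_LOG.splitlines())
    for v in found:
        print(f"{v['ts']} {v['user']} uploaded {v['bytes']} bytes to {v['host']}")
    print("per user:", summarise_by_user(found), "| unparsed lines:", skipped)
```

On the sample data the check flags alice's upload to wetransfer.com and carol's to mega.nz; carol's small GET from mega.nz and dave's 100-byte POST stay below the bar, alice's large PUT to the sanctioned SharePoint host is ignored, and the malformed line is reported as skipped rather than silently dropped. The byte threshold and the sanctioned-service exemption are what keep such an alert from drowning in noise; the subdomain match is what stops `upload.wetransfer.com` from slipping past a list that only names `wetransfer.com`.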
Audit / evidence tips
- Ask: Request a copy of the acceptable use policy document.
  Good: The policy is comprehensive, clearly communicated, signed by employees, and includes regular updates that align with current regulations.
- Ask: Ask to see records of employee acknowledgements of the acceptable use policy.
  Good: All employees and relevant partners have signed acknowledgements within an appropriate timeframe after policy updates.
- Ask: Request evidence of monitoring activities related to policy compliance.
  Good: There are consistent and thorough monitoring processes in place, with incidents being recorded and dealt with promptly.
- Ask: Inquire about the training materials or sessions that cover the acceptable use policy.
  Good: Training is comprehensive, up-to-date, and participation is well-documented.
- Ask: Ask for records of any incidents and how they were addressed with respect to the acceptable use policy.
  Good: Incidents are documented clearly with actions taken, showing a proactive approach to handling breaches and policy reinforcement.
Cross-framework mappings
How Annex A 5.10 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
Partially meets (7)

| Control | Notes |
|---|---|
| ISM-0240 | ISM-0240 requires that paging, MMS, SMS and messaging apps are not used to communicate sensitive or classified data |
| ISM-0824 | ISM-0824 advises personnel not to send or receive files via unauthorised online file services to reduce security risk |
| ISM-1146 | ISM-1146 advises personnel to keep separate work and personal online accounts to reduce cross-contamination and account compromise risks |
| ISM-1359 | ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage the risks of using removabl... |
| ISM-1599 | ISM-1599 requires IT equipment to be handled in a manner suitable for its sensitivity or classification |
| ISM-1644 | ISM-1644 requires that sensitive or classified phone calls and conversations are not conducted in public locations unless precautions are... |
| ISM-2075 | ISM-2075 prohibits organisations from using fax machines or online fax services to send or receive fax messages |

Partially overlaps (4)

| Control | Notes |
|---|---|
| ISM-0348 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures |
| ISM-1083 | Annex A 5.10 requires organisations to document and implement acceptable use rules and handling procedures for information and assets |
| ISM-1549 | Annex A 5.10 requires acceptable use rules and handling procedures for information and associated assets to be documented and implemented |
| ISM-1551 | ISM-1551 requires an organisation to maintain an IT equipment management policy to govern how IT equipment is handled and controlled |

Supports (15)

| Control | Notes |
|---|---|
| ISM-0039 | ISM-0039 requires the organisation to develop, implement and maintain a cyber security strategy to guide and coordinate cyber security ou... |
| ISM-0047 | Annex A 5.10 requires acceptable use rules and handling procedures to be identified, documented and implemented |
| ISM-0161 | ISM-0161 requires organisations to ensure IT equipment and media are secured whenever they are not in use |
| ISM-0337 | ISM-0337 requires media to only be used with systems authorised to process, store or communicate the media's sensitivity or classification |
| ISM-0358 | ISM-0358 requires that sanitised SECRET/TOP SECRET EPROM/EEPROM media continues to be handled as classified, affecting how staff may stor... |
| ISM-0610 | ISM-0610 requires users to be trained on the secure use of CDSs before access is granted |
| ISM-0661 | ISM-0661 requires user accountability for data transfers across systems |
| ISM-0870 | ISM-0870 requires that mobile devices are carried or stored in a secured state when not being actively used, setting an operational secur... |
| ISM-1187 | ISM-1187 requires a procedural check during manual export to ensure data does not have unsuitable protective markings |
| ISM-1314 | ISM-1314 requires that only Wi-Fi Alliance certified wireless devices are permitted for use |
| ISM-1400 | ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices |
| ISM-1418 | ISM-1418 requires organisations to technically block removable media access when it is not needed for business |
| ISM-1478 | ISM-1478 requires CISO oversight of the cyber security program and ensuring compliance with cyber security policy and other obligations |
| ISM-1602 | Annex A 5.10 requires organisations to identify, document and implement rules for acceptable use and handling of information and associat... |
| ISM-1625 | ISM-1625 requires an insider threat mitigation program that sets expectations and reduces opportunities for misuse by insiders |

Depends on (2)

| Control | Notes |
|---|---|
| ISM-1865 | ISM-1865 requires personnel to agree to abide by system usage policies before they are granted access to systems and resources |
| ISM-1868 | ISM-1868 requires that removable media is not used on SECRET and TOP SECRET mobile devices unless ASD approval is obtained beforehand |

Related (6)

| Control | Notes |
|---|---|
| ISM-0258 | Annex A 5.10 requires organisations to identify, document and implement rules for acceptable use and handling of information and associat... |
| ISM-0264 | Annex A 5.10 requires organisations to document and implement rules for acceptable use and handling of information and assets |
| ISM-0588 | Annex A 5.10 requires documented and implemented rules for acceptable use and handling of information and other assets |
| ISM-1078 | Annex A 5.10 requires documented and implemented acceptable use rules for information and associated assets |
| ISM-1864 | Annex A 5.10 requires organisations to define and implement acceptable-use rules and handling procedures for information and other assets |
| ISM-2074 | Annex A 5.10 requires organisations to set and implement acceptable use rules for information and assets |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.