Annex A 5.10 ISO/IEC 27001:2022

Acceptable Use Policies for Information and Assets

Create and communicate rules for how information and assets should be used to ensure security.

🏛️ Framework: ISO/IEC 27001:2022

🧭 Control effect: Preventative

🧱 ISO 27001 domain: Organisational controls

🔐 Classifications: N/A

🗓️ Official last update: 24 Oct 2022

✏️ Control Stack last updated: 22 Feb 2026

🎯 Maturity levels: N/A

Official control statement
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

Source: ISO/IEC 27001:2022

Plain language

This control is about setting clear rules on how everyone in the organisation should use information and company resources, like computers and data. It's important because if people misuse these resources, it can lead to data breaches or loss, which can be costly and damaging to the organisation's reputation.

Why it matters

Without acceptable use rules, staff may mishandle information or assets, causing data leakage, malware infection, and regulatory or reputational damage.

Operational notes

Review and train on acceptable use for email, internet, cloud apps, BYOD and remote work; define prohibited actions, monitoring, and sanctions.

Implementation tips

  • The IT manager should develop an acceptable use policy that clearly outlines what is considered appropriate and inappropriate use of information and equipment. This can be done by listing specific do's and don'ts and aligning them with security guidelines from ISO 27002:2022.
  • HR should ensure that all employees and external partners are aware of the acceptable use policy. This involves including these guidelines in the onboarding process and having employees sign off that they understand the policy.
  • The IT department should set up monitoring systems to track adherence to the acceptable use policy. This can be done by using log files and alerts that indicate unusual access or misuse of assets to help identify potential security threats.
  • Management should regularly review and update the acceptable use policy to ensure it remains relevant. This might involve consulting with IT and compliance specialists to incorporate changes in the regulatory landscape, such as amendments to the Privacy Act 1988.
  • The IT manager should implement a clear procedure for handling violations of the acceptable use policy. This could include disciplinary actions or additional training sessions to prevent future breaches.

Audit / evidence tips

  • Ask: Request a copy of the acceptable use policy document.

    Good: The policy is comprehensive, clearly communicated, signed by employees, and includes regular updates that align with current regulations.

  • Ask: Request records of employee acknowledgements of the acceptable use policy.

    Good: All employees and relevant partners have signed acknowledgments within an appropriate timeframe after policy updates.

  • Ask: Request evidence of monitoring activities related to policy compliance.

    Good: There are consistent and thorough monitoring processes in place, with incidents being recorded and dealt with promptly.

  • Ask: Inquire about the training materials or sessions that cover the acceptable use policy.

    Good: Training is comprehensive, up-to-date, and participation is well-documented.

  • Ask: Request records of any incidents and how they were addressed with respect to the acceptable use policy.

    Good: Incidents are documented clearly with actions taken, showing a proactive approach to handling breaches and policy reinforcement.

Cross-framework mappings

How Annex A 5.10 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Control Notes Details
Partially meets (9)
ISM-0240 ISM-0240 requires that paging, MMS, SMS and messaging apps are not used to communicate sensitive or classified data
ISM-0588 ISM-0588 requires an organisation to develop, implement and maintain an MFD usage policy to guide correct and secure use of multifunction...
ISM-0824 ISM-0824 advises personnel not to send or receive files via unauthorised online file services to reduce security risk
ISM-1078 ISM-1078 requires an organisation to develop, implement, and maintain a telephone system usage policy
ISM-1146 ISM-1146 advises personnel to keep separate work and personal online accounts to reduce cross-contamination and account compromise risks
ISM-1359 ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage the risks of using removabl...
ISM-1599 ISM-1599 requires IT equipment to be handled in a manner suitable for its sensitivity or classification
ISM-1644 ISM-1644 requires that sensitive or classified phone calls and conversations are not conducted in public locations unless precautions are...
ISM-2075 ISM-2075 prohibits organisations from using fax machines or online fax services to send or receive fax messages
Partially overlaps (3)
ISM-0348 ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures
ISM-1549 ISM-1549 requires an organisation to develop, implement, and maintain a media management policy governing the handling of media across it...
ISM-1551 ISM-1551 requires an organisation to maintain an IT equipment management policy to govern how IT equipment is handled and controlled
Supports (15)
ISM-0039 ISM-0039 requires the organisation to develop, implement and maintain a cyber security strategy to guide and coordinate cyber security ou...
ISM-0161 ISM-0161 requires organisations to ensure IT equipment and media are secured whenever they are not in use
ISM-0337 ISM-0337 requires media to only be used with systems authorised to process, store or communicate the media’s sensitivity or classification
ISM-0358 ISM-0358 requires that sanitised SECRET/TOP SECRET EPROM/EEPROM media continues to be handled as classified, affecting how staff may stor...
ISM-0610 ISM-0610 requires users to be trained on the secure use of CDSs before access is granted
ISM-0661 ISM-0661 requires user accountability for data transfers across systems
ISM-0870 ISM-0870 requires that mobile devices are carried or stored in a secured state when not being actively used, setting an operational secur...
ISM-1083 ISM-1083 requires personnel to be told what levels of classified voice and data communication are allowed when using mobile devices
ISM-1187 ISM-1187 requires a procedural check during manual export to ensure data does not have unsuitable protective markings
ISM-1314 ISM-1314 requires that only Wi‑Fi Alliance certified wireless devices are permitted for use
ISM-1400 ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices
ISM-1418 ISM-1418 requires organisations to technically block removable media access when it is not needed for business
ISM-1478 ISM-1478 requires CISO oversight of the cyber security program and ensuring compliance with cyber security policy and other obligations
ISM-1602 Annex A 5.10 requires organisations to identify, document and implement rules for acceptable use and handling of information and associat...
ISM-1625 ISM-1625 requires an insider threat mitigation program that sets expectations and reduces opportunities for misuse by insiders
Depends on (2)
ISM-1865 ISM-1865 requires personnel to agree to abide by system usage policies before they are granted access to systems and resources
ISM-1868 ISM-1868 requires that removable media is not used on SECRET and TOP SECRET mobile devices unless ASD approval is obtained beforehand
Related (3)
ISM-0264 Annex A 5.10 requires documented and implemented rules for acceptable use and handling of information and associated assets
ISM-1864 ISM-1864 requires the organisation to develop, implement, and maintain a system usage policy governing how systems are used
ISM-2074 Annex A 5.10 requires organisations to document and implement rules for acceptable use and handling of information and assets
