Control 5.10: Acceptable Use of Information and Other Associated Assets
Summary
Rules for the acceptable use of information and other associated assets must be identified, documented, and implemented. This ensures that employees and contractors understand their responsibilities regarding how they interact with company technology and data.
Applicability
In-Scope: Mandatory for all organizations. It provides the legal and policy basis for monitoring user activity and taking disciplinary action if necessary.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Policy Enforcement: Deploy an Acceptable Use Policy (AUP) via Entra ID Terms of Use, requiring users to accept the rules before accessing the Microsoft 365 environment.
- Monitoring: Configure Microsoft Purview Insider Risk Management to identify patterns of non-compliant behavior that violate acceptable use standards.
- Communication: Use Microsoft SharePoint to host the AUP in a location that is permanently accessible to all staff.
Evidence Checklist
- Acceptable Use Policy (AUP): A documented set of rules covering email, internet, and device usage.
- Acknowledgment Records: Signed logs or digital acceptance timestamps showing that all users have agreed to the AUP.
- Awareness Training: Training records showing that staff have been educated on what constitutes acceptable and unacceptable behavior.
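The Entra ID Terms of Use deployment described under Implementation Guidance produces the acknowledgment records this checklist asks for. The following PowerShell script is an added example, not part of this control page or any Microsoft documentation: it exports the acceptance records for the AUP agreement as audit evidence and lists enabled member accounts that have no current (accepted and unexpired) acceptance. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the Agreement.Read.All, AgreementAcceptance.Read.All and User.Read.All permissions, and that the agreement display name and output path are placeholders to be replaced.

```powershell
# Added example, not from the original control page.
# Exports Entra ID Terms of Use acceptances as AUP acknowledgment evidence and
# reports enabled member users who have no current acceptance on record.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account has
# Agreement.Read.All, AgreementAcceptance.Read.All and User.Read.All.

Connect-MgGraph -Scopes "Agreement.Read.All", "AgreementAcceptance.Read.All", "User.Read.All"

$agreementName = "Acceptable Use Policy"   # placeholder: display name of your AUP agreement
$outputPath    = ".\AUP-acknowledgments.csv" # placeholder: where the evidence export is written

# Locate the Terms of Use agreement that carries the AUP (filtered client-side by display name)
$agreement = Get-MgIdentityGovernanceTermsOfUseAgreement -All |
    Where-Object { $_.DisplayName -eq $agreementName }
if (-not $agreement) { throw "No Terms of Use agreement named '$agreementName' was found." }

# One acceptance record per user (or per device, if per-device consent is required)
$acceptances = Get-MgIdentityGovernanceTermsOfUseAgreementAcceptance -AgreementId $agreement.Id -All

# Evidence table: who accepted, when, on what OS, and whether the acceptance has since expired
$now = Get-Date
$evidence = $acceptances | Select-Object UserPrincipalName, State, RecordedDateTime, ExpirationDateTime, DeviceOSType,
    @{ Name = 'Expired'; Expression = { [bool]($_.ExpirationDateTime -and $_.ExpirationDateTime -lt $now) } }
$evidence | Export-Csv -Path $outputPath -NoTypeInformation

# Coverage check: enabled member accounts with no accepted, unexpired record
$acceptedUpns = $evidence |
    Where-Object { $_.State -eq 'accepted' -and -not $_.Expired } |
    ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() } |
    Sort-Object -Unique
$users = Get-MgUser -Filter "accountEnabled eq true and userType eq 'Member'" -Property UserPrincipalName -All
$missing = $users | Where-Object { $acceptedUpns -notcontains $_.UserPrincipalName.ToLowerInvariant() }

"{0} acceptance records exported to {1}; {2} enabled users have no current acceptance" -f `
    @($evidence).Count, $outputPath, @($missing).Count
$missing | Select-Object UserPrincipalName
```

The Expired column is what answers the auditor's question about periodic reminders: if the agreement is configured to expire consents, re-acceptance shows up as a fresh RecordedDateTime, and anyone left in the missing list is a gap to close before the audit rather than during it. Declined records (State other than accepted) are kept in the export deliberately, since a refusal is itself evidence the policy was presented.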
Practical Audit Advice
Here are some questions the auditor might ask:
- Are the rules for acceptable use specific enough to cover modern working practices like Bring Your Own Device (BYOD) or remote work?
- How are employees notified when the Acceptable Use Policy is updated?
- What are the consequences for an employee who is found to be in violation of the acceptable use rules?
- Can you show evidence that users are reminded of these rules at regular intervals, not just during onboarding?