We all have our own view on what is and is not ‘acceptable’ in our personal lives, right? You might not feel it’s acceptable to have pets on the sofa, but in our house, that’s just fine. You might think it’s acceptable to use your mobile phone during a conversation, but I don’t find that acceptable.
These are unwritten rules that we’ve developed ourselves.
In business there are accepted ‘norms’ too, such as whether it’s acceptable to email someone on a Friday evening and expect a response. Some cultures accept it, while others don’t.
When it comes to information security and data protection, this kind of ambiguity leaves you at risk.
That’s why the A5.10 control is so important.
This control requires you to establish clear rules around what you deem to be acceptable in relation to data and informational assets, for those inside your organisation, and those that work with you (such as vendors and contractors).
What does the standard require?
The standard states that “Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.” (A5.10 Acceptable use of information and other associated assets)
Why is this required?
As detailed above, if you don’t set clear rules on what you deem to be acceptable (or not), then it is left to individuals to apply their own rules. In life there are accepted norms, but in business this isn’t so clear.
For example, is it acceptable to send an email containing personal data to an external recipient? What about one that contains bank details? What about one that contains customer bank details?
It’s difficult to answer these questions because there are a number of other factors to consider. But if you clearly state that all emails containing financial data must be encrypted, then there is a clear rule to apply. If someone breaks this rule, then you can take appropriate action. If they repeatedly break this rule, then you have a decision to make about that individual.
But if they didn’t know about the rule, then would it be fair to take any action at all?
This applies not only to how data should be shared, but also to how your systems should be used.
For example, are you happy for people to access adult material while in the workplace? Adult material could be taken to mean pornography, but it could also include gambling sites. What about TV? Spotify? Facebook?
Is it OK for people to use AI tools such as ChatGPT to test code or develop documentation? You might deem it acceptable to use them in one function (e.g. Marketing), but unacceptable in another (e.g. Software Development). The security-relevant point is that anything typed or pasted into a third-party AI tool leaves your control, so the rule should say which classes of information (source code, customer data, credentials) may and may not be entered, not just whether the tool may be used.
You might have a relaxed attitude to these sites and applications, or you may not. It depends on your organisation, and what you expect. It depends on what you deem to be ‘acceptable’.
To understand this, you need to have the discussion.
What the auditor is looking for
The standard is relatively clear in what is expected, so the auditor will be looking for evidence that you have a set of rules (i.e. a policy), and have also defined procedures for how data shall be handled.
Therefore the auditor is specifically looking for:
· An Acceptable Use Policy
· Employee Contracts
· Contractor/Consultant Contracts
· Data Processing Agreements (in supplier contracts)
· Standard Operating Procedures (e.g. how you handle destruction of data)
Remember that the control asks you to consider information and other associated assets, so your “Acceptable Use Policy” should outline what you deem acceptable (or not) in relation to email, internet access, AI tools, mobile phones, laptops, etc.
Your contracts with third-parties should also include clear expectations around data and informational assets. This might include removal of any data from their systems once a contract is ended, or could be related to access to your systems at certain times.
Finally, think about the procedures in your organisation and how data is handled. For example, is it acceptable to sell old equipment or donate it to charity without it first being securely wiped? What is acceptable in terms of sharing data? Should it be encrypted? If so, how? This should be detailed within your Standard Operating Procedures.
Once all of this is in place, make sure you communicate your rules and procedures and then audit against them.
Q & A
Should these rules include use of personal devices?
Yes it should. Do you think it’s acceptable to have personal mobile phones at the desk? Possibly. But in some organisations this is certainly not acceptable due to security and privacy concerns. You may also deem it unacceptable for users to access your corporate data on their mobile phones (e.g. emails).
Is it possible to get this wrong?
Absolutely. If you’re too heavy-handed, it will simply frustrate people. This is something we discuss in other blogs and articles about the art of writing policies. We cover it in our book “The Real Easy Guide to ISO27001” because it’s an important topic.
Treat people with respect, but be clear about what you expect of them and what you deem to be acceptable.
This control is about being clear on your intentions and promoting responsible behaviour. That’s what a clear, well written policy does. It educates users on what is acceptable and unacceptable in your organisation, and fosters a culture of information security awareness.
Difficulty rating
We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to understand the requirement. This control requires you to work with your management review team, or those helping to implement ISO27001 and determine what is and is not acceptable. Use the list provided above as a starting point.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship to other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.