A.5.10 Acceptable Use of Information and Other Associated Assets
What is this control?
ISO 27001 control A.5.10 Acceptable Use of Information and Other Associated Assets ensures information and assets are appropriately protected, used, and handled, with special attention to privacy and personally identifiable information. This control defines rules for responsible asset use, data classification, and protection mechanisms across all personnel and device types. In Microsoft 365 it is realised through Microsoft Entra Terms of Use for policy acceptance and Microsoft Purview Sensitivity Labels for data classification.
How to implement in Microsoft 365
Implement A.5.10 by configuring Microsoft Entra Terms of Use for the Acceptable Use Policy, with mandatory acceptance enforced as an access condition via Conditional Access. Enforce Intune compliance policies requiring disk encryption with BitLocker or FileVault, an idle-timeout screen lock, Microsoft Defender for Endpoint active, and blocking of rooted or jailbroken devices. Implement a Microsoft Purview Sensitivity Label scheme ranging from Non-Business through Highly Confidential classifications.
Enforce data isolation on BYOD devices using Intune-managed application containers. Restrict mobile app installation to approved stores only. Enable Microsoft Defender for Office 365 with Safe Links and Safe Attachments.
What an auditor looks for
Auditors will verify that an AUP Terms of Use policy is configured and active in Entra ID with acceptance enforced via Conditional Access. They will check that the AUP acceptance rate from member users meets or exceeds 95%. Auditors will review Intune compliance policies showing AV, encryption, idle timeout, and rooted device checks are enforced.
They will verify that Purview sensitivity labels are configured and published. Auditors will examine device enrolment evidence showing BYOD devices are enrolled in Intune with appropriate data protection policies applied.
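The following is an added example, not part of the original guidance and not Microsoft's own script, that produces the AUP acceptance evidence an auditor asks for: it reads the Terms of Use acceptances through Microsoft Graph PowerShell, computes the acceptance rate across enabled member users, and lists users still to chase. It assumes the Microsoft.Graph modules are installed, the Terms of Use is named "Acceptable Use Policy", and the account running it has consented to the Graph scopes shown.

```powershell
# Added example (not from the page or Microsoft): measure AUP Terms of Use acceptance for member users.
# Assumptions: Microsoft.Graph PowerShell installed; ToU display name below matches your tenant;
# the signed-in admin has Agreement.Read.All and User.Read.All consent.
Connect-MgGraph -Scopes "Agreement.Read.All", "User.Read.All" -NoWelcome

$aupDisplayName = "Acceptable Use Policy"   # assumed name of the Terms of Use in Entra ID
$targetPercent  = 95                        # the acceptance threshold an auditor checks
$evidenceCsv    = ".\aup-not-accepted.csv"  # constructed output path for audit evidence

# Locate the Terms of Use agreement by display name
$agreement = Get-MgAgreement -All | Where-Object { $_.DisplayName -eq $aupDisplayName }
if (-not $agreement) { throw "Terms of Use '$aupDisplayName' not found in this tenant." }

# Scope is enabled member users only; guests are outside the 95% target
$members = Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property Id, UserPrincipalName

# Keep only current acceptances: state 'accepted' and not past any re-acceptance expiry
$now = Get-Date
$accepted = Get-MgAgreementAcceptance -AgreementId $agreement.Id -All | Where-Object {
    $_.State -eq 'accepted' -and (-not $_.ExpirationDateTime -or $_.ExpirationDateTime -gt $now)
}
$acceptedIds = [System.Collections.Generic.HashSet[string]]::new([string[]]@($accepted.UserId))

# Users who have never accepted, or whose acceptance has lapsed
$notAccepted = $members | Where-Object { -not $acceptedIds.Contains($_.Id) }

$total = [Math]::Max(@($members).Count, 1)
$rate  = [Math]::Round(100 * ($total - @($notAccepted).Count) / $total, 2)

Write-Host ("AUP '{0}': {1}/{2} member users accepted ({3}%)" -f `
    $aupDisplayName, ($total - @($notAccepted).Count), $total, $rate)

if ($rate -ge $targetPercent) {
    Write-Host "Acceptance rate meets the $targetPercent% target."
} else {
    Write-Warning "Acceptance rate below $targetPercent% target; exporting outstanding users."
}

# Export outstanding users as evidence and as a follow-up list for the control owner
$notAccepted | Select-Object UserPrincipalName, Id | Export-Csv -Path $evidenceCsv -NoTypeInformation
```

Because Conditional Access only prompts for acceptance at sign-in, users who have not signed in since the policy was assigned appear in the export even though they are not a policy bypass; the recorded acceptance date on each agreementAcceptance object distinguishes the two cases.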