Control attributes: Organisational | Preventive | Protect | High Priority

A.5.10 Acceptable Use of Information and Other Associated Assets

M365 Admin Path: Microsoft Entra admin centre > Identity Governance > Terms of use

Evidence Source: Multiple Sources

What is A.5.10 Acceptable Use of Information and Other Associated Assets?

ISO 27001 control A.5.10 Acceptable Use of Information and Other Associated Assets ensures that information and associated assets are appropriately protected, used, and handled, with special attention to privacy and personally identifiable information. The control requires rules for responsible asset use, data classification, and protection mechanisms that apply to all personnel and device types. In Microsoft 365 these rules are implemented through Microsoft Entra Terms of Use for policy acceptance and Microsoft Purview Sensitivity Labels for data classification.

How to implement A.5.10 in Microsoft 365

Implement A.5.10 by configuring Microsoft Entra Terms of Use as the Acceptable Use Policy (AUP), with mandatory acceptance enforced as an access condition via Conditional Access. Enforce Intune compliance policies requiring disk encryption with BitLocker or FileVault, an idle-timeout screen lock, Microsoft Defender for Endpoint active, and blocking of rooted or jailbroken devices.

Implement a Microsoft Purview Sensitivity Label scheme spanning the Non-Business through Highly Confidential classifications. Enforce data isolation on BYOD devices using Intune-managed application containers.

Restrict mobile app installation to approved stores only. Enable Microsoft Defender for Office 365 with Safe Links and Safe Attachments.

What an auditor checks for A.5.10

  • Auditors will verify that an AUP Terms of Use policy is configured and active in Entra ID with acceptance enforced via Conditional Access.
  • They will check that the AUP acceptance rate from member users meets or exceeds 95%.
  • Auditors will review Intune compliance policies showing AV, encryption, idle timeout, and rooted device checks are enforced.
  • They will verify that Purview sensitivity labels are configured and published.
  • Auditors will examine device enrolment evidence showing BYOD devices are enrolled in Intune with appropriate data protection policies applied.
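The 95% acceptance-rate check in the list above can be reproduced from Microsoft Graph data. The following is an added example, not code from this page or from Microsoft; it uses constructed records shaped like Graph `user` and `agreementAcceptance` objects (the agreement id, user ids and dates are placeholders) and counts only enabled member users, taking each user's most recent record and ignoring expired acceptances.

```python
from datetime import datetime, timezone

# Constructed sample shaped like Microsoft Graph objects. In a real tenant the
# inputs come from GET /users?$select=id,userType,accountEnabled and
# GET /identityGovernance/termsOfUse/agreements/{id}/acceptances.
AUP_AGREEMENT_ID = "aup-agreement-id-placeholder"  # placeholder, not a real id
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed audit date
USERS = [
    {"id": "u1", "userType": "Member", "accountEnabled": True},
    {"id": "u2", "userType": "Member", "accountEnabled": True},
    {"id": "u3", "userType": "Member", "accountEnabled": True},
    {"id": "u4", "userType": "Member", "accountEnabled": False},  # disabled: out of scope
    {"id": "g1", "userType": "Guest", "accountEnabled": True},    # guest: out of scope
]
ACCEPTANCES = [  # a user may decline and later accept; acceptances can expire
    {"agreementId": AUP_AGREEMENT_ID, "userId": "u1", "state": "accepted",
     "recordedDateTime": "2024-01-10T09:00:00Z", "expirationDateTime": None},
    {"agreementId": AUP_AGREEMENT_ID, "userId": "u2", "state": "declined",
     "recordedDateTime": "2024-01-11T09:00:00Z", "expirationDateTime": None},
    {"agreementId": AUP_AGREEMENT_ID, "userId": "u2", "state": "accepted",
     "recordedDateTime": "2024-02-01T09:00:00Z", "expirationDateTime": None},
    {"agreementId": AUP_AGREEMENT_ID, "userId": "u3", "state": "accepted",
     "recordedDateTime": "2023-01-01T09:00:00Z", "expirationDateTime": "2024-01-01T09:00:00Z"},
    {"agreementId": "other-agreement", "userId": "u3", "state": "accepted",
     "recordedDateTime": "2024-03-01T09:00:00Z", "expirationDateTime": None},
]

def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def aup_acceptance_rate(users, acceptances, agreement_id, now):
    """Return (rate, accepted_ids, missing_ids) for enabled member users."""
    in_scope = {u["id"] for u in users if u["userType"] == "Member" and u["accountEnabled"]}
    latest = {}  # userId -> most recent record for this agreement
    for rec in acceptances:
        if rec["agreementId"] != agreement_id or rec["userId"] not in in_scope:
            continue
        prev = latest.get(rec["userId"])
        if prev is None or _ts(rec["recordedDateTime"]) > _ts(prev["recordedDateTime"]):
            latest[rec["userId"]] = rec
    accepted = set()
    for uid, rec in latest.items():
        exp = rec.get("expirationDateTime")
        if rec["state"] == "accepted" and (exp is None or _ts(exp) > now):
            accepted.add(uid)
    rate = len(accepted) / len(in_scope) if in_scope else 0.0
    return rate, accepted, in_scope - accepted

def meets_audit_threshold(rate, threshold=0.95):
    """The 95% bar auditors apply to member-user AUP acceptance."""
    return rate >= threshold
```

With the constructed data, u3's acceptance has expired and is listed under missing ids, so the tenant would fail the check at 2 of 3 in-scope users.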


M365 capabilities that implement this control

CyberAware Security Awareness Platform Foundation

Branded CyberAware platform with 80+ animated videos dramatising real-world cyber events, 100+ phishing templates updated for current threats, auto-enrolment across all tenants, branded 'You've Been Phished' contextual training pages, human risk scoring with visual graphs, gamified leaderboards, and exportable branded PDF reports. Average 80% risk reduction from baseline within 8 months.