Compliance

    ISO 27001 Acceptable Use Policy Template: Free Download + Writing Guide

    An acceptable use policy defines how employees can use organizational IT resources. This guide covers what your AUP must include for ISO 27001 compliance, how to make it enforceable, and provides a complete template structure you can customize.

    ISO27001KIT|April 8, 2026|13 min read
    ISO 27001 Acceptable Use Policy Template: Free Download + Writing Guide

    What Is an Acceptable Use Policy?

    An Acceptable Use Policy (AUP) defines the rules and guidelines for how employees, contractors, and third parties may use your organization's information systems, networks, and data. It is one of the foundational policies required for ISO 27001 compliance.

    Under ISO 27001:2022, the AUP supports several Annex A controls:

    • A.5.10 - Acceptable Use of Information and Other Associated Assets
    • A.5.9 - Inventory of Information and Other Associated Assets (by defining how assets may be used)
    • A.8.1 - User Endpoint Devices
    • A.8.20 - Networks Security
    • A.8.22 - Web Filtering (related to acceptable internet use)

    Without a clear AUP, employees make their own decisions about what is acceptable - and those decisions often introduce significant security risks.

    Why Your AUP Matters Beyond Compliance

    An AUP is not just an audit checkbox. It serves critical operational purposes:

    Legal protection. If an employee misuses company systems, your ability to take disciplinary action depends on having a clear, communicated policy that they acknowledged.

    Risk reduction. Shadow IT, personal device usage, unauthorized cloud storage, and risky browsing behavior are all addressed by a well-written AUP.

    Consistent expectations. New employees need to know the rules from day one. An AUP sets clear boundaries without relying on tribal knowledge.

    Incident response support. When investigating a security incident, your AUP defines what constitutes normal versus abnormal behavior.

    What to Include in Your AUP

    1. Scope and Applicability

    Define who the policy applies to and what assets it covers:

    • All employees (full-time, part-time, temporary)
    • Contractors and consultants with access to organizational systems
    • Third-party vendors working on-site or remotely
    • All company-owned devices, networks, and information systems
    • Personal devices used for work purposes (BYOD)

    2. General Use Principles

    Establish overarching principles:

    • Company IT resources are provided primarily for business purposes
    • Limited personal use may be permitted provided it does not interfere with work, consume excessive resources, or create security risks
    • All use is subject to monitoring in accordance with the organization's monitoring policy
    • Users are responsible for the security of their credentials and the data they access

    3. Email and Communication

    AllowedNot Allowed
    Business communications via approved emailSending sensitive data via personal email
    Using approved messaging platformsInstalling unauthorized communication tools
    Reasonable personal email during breaksMass emailing or chain letters
    Encrypted email for sensitive dataSharing credentials via email

    4. Internet and Web Usage

    • Internet access is provided for business purposes
    • Reasonable personal browsing is permitted during breaks
    • Prohibited categories: malware distribution sites, hacking tools, illegal content, gambling, excessive streaming
    • Downloads must be from approved and trusted sources
    • Web-based cloud storage is restricted to approved services only

    5. Software and Application Usage

    • Only authorized and licensed software may be installed
    • All software must be approved by IT before installation
    • Browser extensions and plugins require IT approval
    • SaaS applications must be vetted and approved through the procurement process
    • Shadow IT (unauthorized tools) is prohibited

    6. Data Handling

    • Classify data according to the organization's data classification scheme
    • Store sensitive data only in approved locations
    • Do not copy sensitive data to personal devices or personal cloud storage
    • Follow data retention and destruction procedures
    • Report suspected data breaches immediately

    7. Device Usage

    Company-owned devices:

    • Keep devices physically secure (locked when unattended)
    • Do not disable security software (antivirus, encryption, MDM)
    • Report lost or stolen devices immediately
    • Do not connect to untrusted networks without VPN

    Personal devices (BYOD):

    • Must be enrolled in the organization's MDM solution
    • Must meet minimum security requirements (encryption, screen lock, current OS)
    • Organization may remotely wipe company data from personal devices
    • Separate personal and business data using containerization

    8. Password and Authentication

    • Follow the organization's password policy
    • Never share passwords or authentication tokens
    • Use multi-factor authentication where available
    • Report suspected credential compromise immediately
    • Do not write passwords on sticky notes or store them in plain text

    9. Social Media

    • Do not disclose confidential company information on social media
    • Do not represent personal opinions as company positions
    • Do not use company email addresses for personal social media accounts
    • Follow brand guidelines when posting about the company
    • Report social engineering attempts via social media

    10. Consequences of Violation

    Your AUP must clearly state consequences:

    • First violation: Verbal warning and mandatory security awareness refresher
    • Second violation: Written warning placed in personnel file
    • Serious violation: Suspension of access privileges pending investigation
    • Severe violation: Disciplinary action up to and including termination

    For violations involving illegal activity, the organization may report to law enforcement.

    Making Your AUP Enforceable

    Get Written Acknowledgment

    Every user must sign (physically or digitally) that they have read, understood, and agree to comply with the AUP. This acknowledgment should be:

    • Part of the onboarding process for new employees
    • Renewed annually for all users
    • Updated and re-signed whenever the policy changes materially

    Keep It Readable

    A 30-page policy full of legal jargon will not be read by anyone. Keep your AUP:

    • Under 10 pages
    • Written in clear, non-technical language
    • Organized with clear headings and bullet points
    • Available in the employee handbook and on the intranet

    Include in Security Awareness Training

    Reference the AUP in your security awareness program. Use real examples to illustrate why each rule exists.

    Enforce Consistently

    The fastest way to make your AUP worthless is to enforce it selectively. If executives are exempt from the rules, the entire policy loses credibility and legal standing.

    Common Audit Findings

    No evidence of acknowledgment. Auditors will ask to see signed acknowledgments. Digital signatures with timestamps are preferred over paper records.

    Policy not reviewed annually. Your AUP should have a review date and version history. Update it when technology or working practices change.

    No coverage of remote/hybrid work. Post-2020, auditors expect your AUP to address home working, personal device usage, and remote access.

    No consequences defined. A policy without enforcement mechanisms is a suggestion, not a policy.

    Download a Professional Template

    The ISO 27001 Document Pack includes a complete Acceptable Use Policy template that covers all the sections above, formatted for immediate customization and auditor review. No watermarks, fully editable Word format.

    Get the Document Pack - $99

    Tags:
    iso 27001
    acceptable use policy
    policy template
    employee security
    annex a

    Found this article helpful?

    Share it with your colleagues.