What Is an Acceptable Use Policy?
An Acceptable Use Policy (AUP) defines the rules and guidelines for how employees, contractors, and third parties may use your organization's information systems, networks, and data. It is one of the foundational policies required for ISO 27001 compliance.
Under ISO 27001:2022, the AUP supports several Annex A controls:
- A.5.10 - Acceptable Use of Information and Other Associated Assets
- A.5.9 - Inventory of Information and Other Associated Assets (by defining how assets may be used)
- A.8.1 - User Endpoint Devices
- A.8.20 - Networks Security
- A.8.22 - Web Filtering (related to acceptable internet use)
Without a clear AUP, employees make their own decisions about what is acceptable - and those decisions often introduce significant security risks.
Why Your AUP Matters Beyond Compliance
An AUP is not just an audit checkbox. It serves critical operational purposes:
Legal protection. If an employee misuses company systems, your ability to take disciplinary action depends on having a clear, communicated policy that they acknowledged.
Risk reduction. Shadow IT, personal device usage, unauthorized cloud storage, and risky browsing behavior are all addressed by a well-written AUP.
Consistent expectations. New employees need to know the rules from day one. An AUP sets clear boundaries without relying on tribal knowledge.
Incident response support. When investigating a security incident, your AUP defines what constitutes normal versus abnormal behavior.
What to Include in Your AUP
1. Scope and Applicability
Define who the policy applies to and what assets it covers:
- All employees (full-time, part-time, temporary)
- Contractors and consultants with access to organizational systems
- Third-party vendors working on-site or remotely
- All company-owned devices, networks, and information systems
- Personal devices used for work purposes (BYOD)
2. General Use Principles
Establish overarching principles:
- Company IT resources are provided primarily for business purposes
- Limited personal use may be permitted provided it does not interfere with work, consume excessive resources, or create security risks
- All use is subject to monitoring in accordance with the organization's monitoring policy
- Users are responsible for the security of their credentials and the data they access
3. Email and Communication
| Allowed | Not Allowed |
|---|---|
| Business communications via approved email | Sending sensitive data via personal email |
| Using approved messaging platforms | Installing unauthorized communication tools |
| Reasonable personal email during breaks | Mass emailing or chain letters |
| Encrypted email for sensitive data | Sharing credentials via email |
4. Internet and Web Usage
- Internet access is provided for business purposes
- Reasonable personal browsing is permitted during breaks
- Prohibited categories: malware distribution sites, hacking tools, illegal content, gambling, excessive streaming
- Downloads must be from approved and trusted sources
- Web-based cloud storage is restricted to approved services only
5. Software and Application Usage
- Only authorized and licensed software may be installed
- All software must be approved by IT before installation
- Browser extensions and plugins require IT approval
- SaaS applications must be vetted and approved through the procurement process
- Shadow IT (unauthorized tools) is prohibited
6. Data Handling
- Classify data according to the organization's data classification scheme
- Store sensitive data only in approved locations
- Do not copy sensitive data to personal devices or personal cloud storage
- Follow data retention and destruction procedures
- Report suspected data breaches immediately
7. Device Usage
Company-owned devices:
- Keep devices physically secure (locked when unattended)
- Do not disable security software (antivirus, encryption, MDM)
- Report lost or stolen devices immediately
- Do not connect to untrusted networks without VPN
Personal devices (BYOD):
- Must be enrolled in the organization's MDM solution
- Must meet minimum security requirements (encryption, screen lock, current OS)
- Organization may remotely wipe company data from personal devices
- Separate personal and business data using containerization
8. Password and Authentication
- Follow the organization's password policy
- Never share passwords or authentication tokens
- Use multi-factor authentication where available
- Report suspected credential compromise immediately
- Do not write passwords on sticky notes or store them in plain text
9. Social Media
- Do not disclose confidential company information on social media
- Do not represent personal opinions as company positions
- Do not use company email addresses for personal social media accounts
- Follow brand guidelines when posting about the company
- Report social engineering attempts via social media
10. Consequences of Violation
Your AUP must clearly state consequences:
- First violation: Verbal warning and mandatory security awareness refresher
- Second violation: Written warning placed in personnel file
- Serious violation: Suspension of access privileges pending investigation
- Severe violation: Disciplinary action up to and including termination
For violations involving illegal activity, the organization may report to law enforcement.
Making Your AUP Enforceable
Get Written Acknowledgment
Every user must sign (physically or digitally) that they have read, understood, and agree to comply with the AUP. This acknowledgment should be:
- Part of the onboarding process for new employees
- Renewed annually for all users
- Updated and re-signed whenever the policy changes materially
Keep It Readable
A 30-page policy full of legal jargon will not be read by anyone. Keep your AUP:
- Under 10 pages
- Written in clear, non-technical language
- Organized with clear headings and bullet points
- Available in the employee handbook and on the intranet
Include in Security Awareness Training
Reference the AUP in your security awareness program. Use real examples to illustrate why each rule exists.
Enforce Consistently
The fastest way to make your AUP worthless is to enforce it selectively. If executives are exempt from the rules, the entire policy loses credibility and legal standing.
Common Audit Findings
No evidence of acknowledgment. Auditors will ask to see signed acknowledgments. Digital signatures with timestamps are preferred over paper records.
Policy not reviewed annually. Your AUP should have a review date and version history. Update it when technology or working practices change.
No coverage of remote/hybrid work. Post-2020, auditors expect your AUP to address home working, personal device usage, and remote access.
No consequences defined. A policy without enforcement mechanisms is a suggestion, not a policy.
Download a Professional Template
The ISO 27001 Document Pack includes a complete Acceptable Use Policy template that covers all the sections above, formatted for immediate customization and auditor review. No watermarks, fully editable Word format.
Found this article helpful?
Share it with your colleagues.
