    Acceptable Use Policy

    Rules for acceptable use of information and assets (Annex A 5.10).

    About this Acceptable Use Policy

    The Acceptable Use Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.10 of the ISO 27001 Annex A control set.

    It sets out the rules for acceptable use of information and assets (Annex A 5.10). Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to Annex A 5.10
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Supports Annex A 5.10 of ISO 27001:2022
    • Contributes to the documented information required by clause 7.5

    How to customise

    • Insert your organisation name, scope, and document owner.
    • Adapt scope statements and definitions to your environment.
    • Align responsibilities with your actual roles and team structure.
    • Approve, version, and publish via your document control process.

    Evidence auditors may expect

    • Approved and dated version of the document
    • Evidence the document is communicated to relevant staff
    • Records showing the controls described are actually performed
    • Review history demonstrating the document is kept current

    Questions an auditor may ask

    Q. Who owns the acceptable use policy, and when was it last reviewed?
    Q. How is this document communicated to the people who need it?
    Q. What evidence shows the controls described are operating?
    Q. How is the document updated when scope or risk changes?

    These are realistic questions an external auditor may use to test the control. Your answers must be supported by the evidence listed above.

    Frequently asked questions

    Which ISO 27001:2022 control does the acceptable use policy support?

    Annex A 5.10 - Acceptable use of information and other associated assets. It defines the rules and responsibilities for everyone who uses or handles company information.

    Should employees sign the acceptable use policy?

    Yes. Signed acknowledgement (or an equivalent attestation captured in a training platform) is the simplest evidence auditors accept that staff have read and accepted the rules.

    What should the acceptable use policy cover?

    Acceptable use of information, email, internet, removable media, company devices and personal devices, plus rules on copyright, social media and reporting security events.

    How is the acceptable use policy enforced?

    Via the HR disciplinary process for breaches, supported by technical monitoring (DLP, web filtering, endpoint controls) that is itself referenced from the policy.

    Get the editable Acceptable Use Policy

    Buy this template on its own for $24, or unlock the full Document Pack for $99 (one-time).