ISO 27001 Acceptable Use Policy
In this guide, you will learn what an ISO 27001 Acceptable Use Policy is and how to write it yourself, and I give you a template you can download and use right away.
Table of contents
- ISO 27001 Acceptable Use Policy
- What is an ISO 27001 Acceptable Use Policy?
- How to write an ISO 27001 Acceptable Use Policy
- ISO 27001 Acceptable Use Policy Walkthrough Video
- ISO 27001 Acceptable Use Policy Template
- How the ISO 27001 toolkit can help
- Applicability of an ISO 27001 Acceptable Use Policy to Small Businesses, Tech Startups, and AI Companies
- Information security standards that need an ISO 27001 Acceptable Use Policy
- List of relevant ISO 27001:2022 controls
- ISO 27001 Acceptable Use Policy Example
- Is an AUP legally binding?
- Acceptable Use Policy vs. Procedure
- Can an AUP prevent ransomware?
- ISO 27001 Acceptable Use Policy FAQ
What is an ISO 27001 Acceptable Use Policy?
There are things that we do and do not want people to do with company computers, systems and data. The acceptable use policy sets out what we expect and explains it in simple terms.
An Acceptable Use Policy (AUP) is a set of rules that tells you how you can and can’t use your company’s technology and information systems. Think of it as a rulebook for using computers, the internet, email, and other digital tools at work. It’s all about keeping your company’s data safe and secure. It’s part of a bigger picture called information security, and it helps you meet the requirements of a standard called ISO 27001, which is like a gold star for keeping information safe.
| Requirement Category | Strategic Application and ISO 27001 Context |
|---|---|
| Why You Need an AUP | To mitigate security risks such as viruses, data leaks, and unauthorised access while ensuring employees understand their technical responsibilities. |
| When to Implement | Immediately upon business inception or prior to onboarding the first employee; it is a foundational prerequisite for ISO 27001 certification. |
| Who is Included | Mandatory for all personnel with access to company systems, including full-time staff, part-time employees, contractors, and temporary workers. |
| Where to Distribute | Must be easily accessible via the employee handbook, new hire onboarding packets, company intranet, or central shared compliance drives. |
| How to Implement | Execution via a four-stage process: 1. Formal communication, 2. Mandatory signature/acknowledgement, 3. Security training, and 4. Regular annual reviews. |
How to write an ISO 27001 Acceptable Use Policy
To implement an ISO 27001 Acceptable Use Policy, you must define the rules for asset interaction, obtain formal employee sign-off, and establish enforcement mechanisms. This ensures that all personnel understand their security responsibilities regarding corporate hardware, software, and data handling to mitigate insider threats and legal liabilities.
Step 1: Define the Asset and User Scope
Identify all information assets, including hardware, software, and cloud services, that fall under the policy’s jurisdiction. Explicitly list the groups of users (employees, contractors, third parties) required to adhere to these standards to ensure Clause 5.2 compliance.
Step 2: Formalise Prohibited and Permitted Actions
Document specific “Rules of Engagement” (ROE) regarding corporate resource usage. This must include:
- Strict prohibitions on illegal activities and unauthorised software installations.
- Guidelines for personal use of company equipment.
- Requirements for MFA (Multi-Factor Authentication) and password complexity.
Step 3: Provision Security Awareness Training
Distribute the policy via your Learning Management System (LMS) or internal portal. Ensure every user completes a mandatory training module that explains the technical risks associated with data mishandling and social engineering.
Step 4: Capture Formal Acknowledgement
Obtain a verifiable, time-stamped digital signature or physical sign-off from every user. This creates a legally defensible audit trail required for ISO 27001 Annex A.5.10 and human resource security audits.
Step 5: Establish Monitoring and Enforcement
Implement technical controls (such as IAM roles and DLP software) to monitor compliance. Define and communicate the disciplinary process for policy violations to ensure the policy remains enforceable and credible.
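As an added illustration of Steps 4 and 5 (example code written for this guide, not part of the page or the toolkit), the following Python register stores time-stamped sign-offs as an HMAC chain so that later edits are detectable, and reports who has not accepted the current policy version within the annual review period. The key, user names, policy versions and dates are constructed sample values.

```python
"""AUP acknowledgement register (example): HMAC-chained sign-offs plus an annual re-sign check."""
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Assumption: in production the key comes from a secrets store, not source code.
REGISTER_KEY = b"example-only-hmac-key"
REVIEW_PERIOD = timedelta(days=365)  # the policy must be re-signed at least annually

def record_acknowledgement(register, user_id, policy_version, signed_at):
    """Append one sign-off. The MAC also covers the previous entry's MAC, so
    editing or deleting any earlier entry breaks verification."""
    prev = register[-1]["mac"] if register else ""
    body = {"user": user_id, "policy_version": policy_version,
            "signed_at": signed_at.isoformat(), "prev": prev}
    msg = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(REGISTER_KEY, msg, hashlib.sha256).hexdigest()
    register.append({**body, "mac": mac})
    return mac

def verify_register(register):
    """Recompute every MAC and chain link; returns False on any tampering."""
    prev = ""
    for entry in register:
        body = {k: v for k, v in entry.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(REGISTER_KEY, msg, hashlib.sha256).hexdigest()
        if body["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev = entry["mac"]
    return True

def overdue_users(register, all_users, current_version, now):
    """Users with no sign-off for the current version, or one older than REVIEW_PERIOD."""
    latest = {}
    for entry in register:
        if entry["policy_version"] != current_version:
            continue  # acceptance of an old version does not count
        ts = datetime.fromisoformat(entry["signed_at"])
        latest[entry["user"]] = max(ts, latest.get(entry["user"], ts))
    return sorted(u for u in all_users
                  if u not in latest or now - latest[u] > REVIEW_PERIOD)

def run_example():
    """Constructed sample data: four users, policy version 2.0 is current."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    reg = []
    record_acknowledgement(reg, "alice", "2.0", now - timedelta(days=30))
    record_acknowledgement(reg, "bob", "2.0", now - timedelta(days=400))
    record_acknowledgement(reg, "carol", "1.0", now - timedelta(days=10))
    intact = verify_register(reg)
    overdue = overdue_users(reg, ["alice", "bob", "carol", "dave"], "2.0", now)
    reg[1]["signed_at"] = (now - timedelta(days=1)).isoformat()  # backdate bob's entry
    return {"intact": intact, "overdue": overdue, "tampered_detected": not verify_register(reg)}
```

`run_example()` returns the intact-check result, the list of users to chase for re-acknowledgement, and confirmation that the backdated entry is caught.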
ISO 27001 Acceptable Use Policy Walkthrough Video
ISO 27001 Acceptable Use Policy Template
The ISO 27001:2022 Acceptable Use Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.
| Feature / Argument | HighTable ISO 27001 Toolkit | Online SaaS Platforms |
|---|---|---|
| Data Ownership | Permanent ownership. You keep your policy files forever on your own secure infrastructure. | Rental model. Access to your documentation often expires if your subscription is cancelled. |
| Ease of Use | Zero learning curve. Fully customisable Word and Excel templates that your team already knows how to use. | High complexity. Requires extensive team training to navigate proprietary software interfaces. |
| Total Cost of Ownership | One-off investment. No hidden fees or recurring monthly costs for implementing your AUP. | Expensive recurring fees. Monthly or annual subscriptions that increase your long-term OPEX. |
| Operational Freedom | No vendor lock-in. You have the freedom to manage your ISMS your way without software constraints. | Total vendor lock-in. Moving your data out of a proprietary SaaS ecosystem is difficult and costly. |
Applicability of an ISO 27001 Acceptable Use Policy to Small Businesses, Tech Startups, and AI Companies
| Organisation Type | Strategic Benefit & Primary Focus | Practical Implementation Example |
|---|---|---|
| Small Businesses | Protects sensitive customer data and manages risk without requiring a substantial IT budget. | Restrictions on personal browsing and unapproved app downloads on payroll or ordering systems. |
| Tech Startups | Secures Intellectual Property (IP) and source code; prevents accidental or malicious data leaks. | Strict “Rules of Engagement” regarding code sharing and company ownership of developed resources. |
| AI Companies | Maintains data integrity for training models and ensures rigorous privacy for customer datasets. | Mandatory use of approved datasets for model training and total prohibition on sharing raw customer data. |
Information security standards that need an ISO 27001 Acceptable Use Policy
This acceptable use policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
| Information Security Standard / Regulation | Compliance Context |
|---|---|
| ISO 27001 | The primary international standard for Information Security Management Systems (ISMS), specifically addressing Annex A.5.10. |
| GDPR (General Data Protection Regulation) | Mandatory for ensuring data privacy and evidence of technical and organisational measures for data protection. |
| CCPA (California Consumer Privacy Act) | Required for establishing consumer data safety protocols and mitigating liability in the event of a breach. |
| DORA (Digital Operational Resilience Act) | Essential for financial sector operational resilience and ICT risk management frameworks. |
| NIS2 (Network and Information Security Directive) | Critical for essential and important entities to demonstrate robust cyber hygiene and risk management. |
| SOC 2 (Service Organisation Control 2) | A prerequisite for the Common Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). |
| NIST (National Institute of Standards and Technology) | Core to the Cybersecurity Framework (CSF) for managing and reducing cybersecurity risk. |
| HIPAA (Health Insurance Portability and Accountability Act) | Required for safeguarding Protected Health Information (PHI) through strict administrative safeguards. |
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific controls that relate to acceptable use. Some of the most important ones include:
| Control Reference | Control Name and Requirement Link |
|---|---|
| Annex A 5.10 | Acceptable Use of Information and Other Associated Assets |
| Annex A 5.1 | Policies for Information Security |
| Annex A 5.36 | Compliance with Policies, Rules and Standards for Information Security |
ISO 27001 Acceptable Use Policy Example
This is an example ISO 27001 Acceptable Use Policy:
Is an AUP legally binding?
ISO 27001 AUP: Sanctions and Disciplinary Examples
Enforcement is a mandatory requirement under ISO 27001 Annex A 5.36 to ensure the Acceptable Use Policy remains credible and effective. Without defined sanctions, a policy is legally unenforceable and will likely be flagged as a non-conformity during a certification audit. Below are standard technical violations and their corresponding disciplinary actions.
| Violation Category | Example Action | Typical Sanction Level |
|---|---|---|
| Minor Negligence | Leaving a workstation unlocked in a public area or sharing a non-sensitive file externally without encryption. | Verbal warning and mandatory re-enrolment in Security Awareness Training. |
| Serious Misconduct | Intentional sharing of corporate passwords, installing unauthorised software (Shadow IT), or bypassing MFA controls. | Written warning, temporary suspension of system access, and formal HR review. |
| Gross Misconduct | Theft of intellectual property, intentional introduction of malware, or using company assets for illegal activities. | Immediate revocation of all access rights and potential summary dismissal or legal prosecution. |
Acceptable Use Policy vs. Procedure
ISO 27001: Acceptable Use Policy vs. Operating Procedures
The primary difference is that a Policy defines the mandatory ‘Rules of Engagement,’ while a Procedure documents the technical ‘Step-by-Step’ execution. Under ISO 27001, auditors look for alignment between these two: your AUP might state that ‘complex passwords are required’ (Policy), while your Access Management Procedure details the specific character length and rotation settings in Active Directory (Procedure).
| Feature | Acceptable Use Policy (AUP) | Operating Procedures (SOPs) |
|---|---|---|
| Core Objective | Defines ‘What’ is expected of the user. | Defines ‘How’ the task is performed. |
| Target Audience | All employees, contractors, and guests. | IT Admins, Security Teams, or specific roles. |
| Level of Detail | High-level principles and rules. | Low-level technical steps or workflows. |
| ISO 27001 Link | Clause 5.1 & Annex A 5.10 | Annex A 5.37 (Documented Operating Procedures) |
Can an AUP prevent ransomware?
| Attack Vector | AUP Policy Requirement | Technical ISO 27001 Alignment |
|---|---|---|
| Phishing Links | Prohibition of clicking unknown links and mandatory reporting of suspicious emails. | Annex A 5.7 (Threat Intelligence) |
| Malicious Attachments | Strict rules on downloading files from non-trusted external sources. | Annex A 8.7 (Protection against Malware) |
| Shadow IT / Unauthorised Apps | Total ban on installing software without IT department approval and verification. | Annex A 8.19 (Installation of Software) |
| Removable Media (USB) | Mandatory encryption and scanning requirements for all external storage devices. | Annex A 7.10 (Storage Media) |
ISO 27001 Acceptable Use Policy FAQ
Who does the acceptable use policy apply to?
The acceptable use policy applies to all staff, contractors, and third parties that access or use company assets. Compliance is mandatory for anyone interacting with the organisation’s information processing systems to ensure 100% accountability and reduce the risk of unauthorised data exposure through human error.
What is the purpose of the ISO 27001 Acceptable Use Policy?
The purpose of this policy is to make employees and external users aware of the rules for the acceptable use of assets associated with information processing. Your primary goal is to communicate exactly what is, and what is not, acceptable use. It establishes guiding principles for intellectual property, personal equipment usage, social media, and working off-site.
Why is the acceptable use policy important?
An AUP is vital because people cannot follow rules unless you tell them what they are. It informs people of expectations and helps mitigate misuse of equipment, which accounts for nearly 20% of security incidents. Failure to implement a clear AUP can result in severe legal, regulatory, and reputational consequences for the organisation.
Should people sign that they accept the acceptable use policy?
Yes. The signed acknowledgement is a key document in the protection of the organisation. This process is typically integrated into HR onboarding. To maintain ISO 27001 compliance, the policy should be embedded in the company culture and re-signed by every employee at least annually.
Does the acceptable use policy allow personal use?
Personal use is permitted only if the organisation specifically authorises it within set limits and rules. While limited personal use of hardware is common, there is rarely, if ever, a valid case for the personal use of corporate information and data. Boundaries must be clearly explained to prevent “shadow IT” risks.
What does the acceptable use policy cover?
The acceptable use policy covers all rules regarding the use of company software, hardware, and physical premises. It serves as a comprehensive boundary for how personnel interact with any asset owned or managed by the business to ensure security integrity is maintained across all environments.
What should an acceptable use policy contain?
An acceptable use policy must contain specific document markup including version control, an owner, and an information security classification. A standardised Table of Contents for a compliant AUP should include:
- Document Version Control and Contents Page
- Purpose and Scope
- Individual Responsibility and Principles
- Internet, Email, and Social Media Usage
- Working Off-Site and Mobile Storage Devices
- Monitoring, Filtering, and Reporting
- Compliance Measurement and Non-Compliance
What happens if you break the acceptable use policy?
Breaking the AUP triggers an internal investigation and the raising of an incident or corrective action. If the investigation confirms a breach, the organisation will engage with HR to activate the internal disciplinary process. Consistent enforcement is required to meet ISO 27001 Annex A 5.36 requirements.
How do you implement an acceptable use policy?
Implementation requires writing the policy, obtaining senior management approval, and communicating it to all staff with evidence of acceptance. The policy should be included in your annual communication plan and your mandatory annual information security training and awareness sessions to ensure continuous compliance.
How do I create an acceptable use policy?
You create the acceptable use policy in a standard word processor such as Microsoft Word or Google Docs. Using a template can save over 80% of drafting time, ensuring that all mandatory ISO 27001:2022 clauses are addressed without needing to hire an expensive external consultant.
Is a computer and email acceptable use policy template different to a standard AUP?
No, computer use and email use form part of the normal, comprehensive acceptable use policy. There is no need for separate documents; including these as sections within a single AUP ensures a “single source of truth” for all employee security expectations.
What is an AUP Policy?
AUP stands for Acceptable Use Policy, so “AUP policy” is simply an alternative name for the same governance document used to control how technology and information are used within a business environment.
Where can I get an acceptable use policy example for small business?
An acceptable use policy example for small business can be found at HighTable: The ISO 27001 Company. Their templates are specifically tailored to meet international standards while remaining accessible and practical for smaller, agile organisations.
Where can I find a computer acceptable use policy template?
A computer acceptable use policy template is available for download at HighTable: The ISO 27001 Company. This template provides the exact structure and wording required to satisfy ISO 27001 auditors while protecting your hardware assets.
Do I need a separate policy for remote workers?
No, the AUP should apply to everyone regardless of their physical work location. Whether an employee is in the office or working remotely, the rules for asset handling and information security remain identical to ensure a consistent security posture.
Does an AUP cover personal devices?
Yes, the AUP must cover how personal devices access company information if you have a Bring Your Own Device (BYOD) policy. With approximately 67% of employees using personal devices for work, the AUP is the primary tool for defining data segregation and access limits.
Can I use my AUP to monitor employees’ internet use?
Yes, the policy must explicitly state that the company reserves the right to monitor internet and email usage. Transparency is key; stating this in the AUP ensures legal compliance with privacy laws while deterring the misuse of corporate bandwidth and systems.
Does the AUP apply to guests on our Wi-Fi?
Yes, you can include a section in your main AUP for guests or maintain a separate guest Wi-Fi policy. Ensuring guests are aware of acceptable usage prevents your network from being used for illegal activities that could be traced back to your organisation.
What’s the difference between an AUP and an IT security policy?
The AUP is a user-facing part of the larger IT security policy that focuses on human behaviour. While the AUP tells people what to do, the broader IT security policy details the specific technology, procedures, and technical configurations used to secure the environment.
