ISO 27001 Acceptable Use Policy Beginner’s Guide

The acceptable use policy applies to all staff, contracts and third parties that access or use company assets.

The purpose of this policy is to make employees and external party users aware of the rules for the acceptable use of assets associated with information and information processing. Guiding principles, individually responsibility, intellectual property, use of personal equipment, internet and email usage, instant messaging, social media, working offsite and mobile storage devices as well as monitoring and filtering and reporting are covered in this policy.
Your primary purpose is to communicate exactly what is, and what is not, acceptable use of company assets.

People cannot be expected to follow guidelines and rules unless you tell them what they are. The acceptable use policy is used to inform people of what is, and what is not, expected of them. The misuse of computer equipment and information can have legal, regulatory and repetitional consequences for the organisation.

Yes. It is a key document in the protection of the organisation. Often part of the HR processes of onboarding it is also embedded in the culture of the organisation and resigned up to annually.

It can. It depends on the organisation. The use of computer equipment for personal use can be included with the rules and limits set and clearly explained. There is rarely if ever a case for the personal use of information and data.

The acceptable use policy covers what is and what is not allowed by employees when it comes to using the companies asset such as software, hardware, premises.

The acceptable use policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document mark up is just a fancy words for having certain information on the policy. It will need version control, a version number, an owner, an information security classification. An example acceptable use policy table of contents would look something like this:
Document Version Control
Document Contents Page
Purpose
Scope
Acceptable Use of Assets Policy
Principle
Individual Responsibility
Internet and Email Usage
Working Off Site
Mobile Storage Devices
Monitoring and Filtering
Reporting
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement

If you break the acceptable use policy first you would investigate why it happened. You would raise and incident and corrective action and follow the process. It maybe that the outcome of that process is to engage with HR to activate your internal disciplinary process.

You write the policy based on the needs of the business and the employee. Then you review and approve the policy by senior management and HR. Then you communicate the policy to all staff and get evidence that they have accepted the policy. You would include the policy in your annual communication plan and your annual information security training and awareness.

You create the acceptable use policy in a word processor such as Microsoft Word or Google Docs.

No. Computer use and email use form part of the normal acceptable use policy

An AUP policy is an acceptable use policy. It is another name for the same thing.

An acceptable use policy example for small business can be found at High Table: The ISO 27001 Company.

A computer acceptable use policy template can be found at High Table: The ISO 27001 Company.