In this article we lay bare the ISO 27001 Acceptable Use Policy, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is the ISO 27001 Acceptable Use Policy.
Table of contents
- What is an Acceptable Use Policy?
- The purpose of the Acceptable Use Policy
- Importance of Acceptable Use Policy
- What should an acceptable use policy contain?
- Acceptable Use Policy Template
- How to write and implement an acceptable use policy
- Acceptable Use Policy Example
- Acceptable Use Policy for Employees
- Acceptable Use Policy for Business
- Acceptable Use Policy FAQ
What is an Acceptable Use Policy?
There are things that we do and do not want people to do with company computers, systems and data. The acceptable use policy sets out what we expect and explains it in simple terms.
An acceptable use policy would be read by everyone who uses the company systems, and a signed acceptance of the policy would be kept.
It is about accountability, responsibility and respect.
The acceptable use policy ensures people understand what is expected of them when using company resources.
The ISO 27001 requirement for acceptable use is covered in ISO 27001:2022 Annex A Control 5.10 Acceptable Use of Information and Other Associated Assets.
The purpose of the Acceptable Use Policy
The purpose of this policy is to make employees and external party users aware of the rules for the acceptable use of assets associated with information and information processing. Guiding principles, individual responsibility, intellectual property, use of personal equipment, internet and email usage, instant messaging, social media, working offsite and mobile storage devices, as well as monitoring, filtering and reporting, are covered in this policy.
Your primary purpose is to communicate exactly what is, and what is not, acceptable use of company assets.
Importance of Acceptable Use Policy
The acceptable use policy is important as it sets out clearly and in written form what you expect to happen. If you don’t tell people what you expect of them, how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process, with many steps not being enforceable or actionable if you have not told people what to do and got them to accept that they understand what is being asked. The ISO 27001 standard wants you to have the acceptable use policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.
What should an acceptable use policy contain?
The acceptable use policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document markup is just a fancy term for having certain information on the policy. It will need version control, a version number, an owner and an information security classification. An example acceptable use policy table of contents would look something like this:
Document Version Control
Document Contents Page
Purpose
Scope
Acceptable Use of Assets Policy
Principle
Individual Responsibility
Internet and Email Usage
Working Off Site
Mobile Storage Devices
Monitoring and Filtering
Reporting
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
Acceptable Use Policy Template
Having an ISO 27001 template can save you hours of time in working out what you should include and writing it. This ISO 27001 Acceptable Use Template is pre-written with what good looks like and comes with a free guide on how to implement policies in your organisation quickly and painlessly.
You don’t have to be an expert to deploy the policy, and it is designed for organisations of all sizes and sectors.
How to write and implement an acceptable use policy
Time needed: 1 day
How to write an acceptable use policy
- Identify your company assets
Identify what assets your company has. This will be both software and hardware. It can include premises. What are the assets that your business uses to conduct its business?
- Prioritise your company assets
Once you identify what assets you rely on to conduct business, prioritise them based on their importance to the business, the classification of the data that is stored, processed or transmitted through them, and the risk they pose to you. An example would be email, which would be classed as high importance to the company and probably classed as confidential.
- Set rules for the assets based on the priority
With the list of assets and the prioritisation, set about writing the rules of what people can and cannot do with those assets. If you rely on email for critical client communication, you are unlikely to want people to use their email to sign up to newsletters, conduct online shopping and other personal business that increases the risk of spam and phishing attacks that would then compromise your organisation. The rules are there to reduce risks. Being respectful of the needs of the employee, find the right balance and set the rules of acceptable use.
- Review and approve the acceptable use policy
The policy should be formally reviewed and formally approved. It would normally be approved at the management review meeting, but you want to ensure that it has the sign-off of the HR department and of senior management as a minimum. This gets the agreement that these are the rules that we are going to operate by.
- Communicate the acceptable use policy to all staff
Consider, as part of your required communication plan, the different ways and timings that are appropriate to you to communicate the acceptable use policy. Make sure it is stored somewhere that people can easily access it at any time and that they can, indeed, access it.
- Get evidence that the staff have accepted the acceptable use policy
Using your acceptance methodology, get staff to accept that they have read and understood the policy and accept its terms. Maintain evidence of this for future audit and any potential disciplinary process.
Acceptable Use Policy Example
An acceptable use policy example would look like this extract:
You can download the free ISO 27001 Acceptable Use Policy PDF.
Acceptable Use Policy for Employees
The acceptable use policy for employees balances the needs of the business with the needs of the employees. It is not wrong to allow certain things to happen. It just might not be best practice. Take for example using company assets to run a side hustle. That is probably something you don’t want to allow and want to write into policy. But it may be that you are ok with it in your business. Take the time to balance what is right for the business and what is right for the employee.
Acceptable Use Policy for Business
The acceptable use policy for business is about protecting the business. It is easy to take it too far to the point the employee cannot do their job. As above you want to find the right balance between protecting the business and respecting the employees.
Acceptable Use Policy FAQ
The acceptable use policy applies to all staff, contractors and third parties that access or use company assets.
People cannot be expected to follow guidelines and rules unless you tell them what they are. The acceptable use policy is used to inform people of what is, and what is not, expected of them. The misuse of computer equipment and information can have legal, regulatory and reputational consequences for the organisation.
Yes. It is a key document in the protection of the organisation. Often part of the HR onboarding process, it is also embedded in the culture of the organisation and re-signed annually.
A free example ISO 27001 acceptable use policy PDF can be found at High Table: The ISO 27001 Company.
It can. It depends on the organisation. The use of computer equipment for personal use can be included with the rules and limits set and clearly explained. There is rarely if ever a case for the personal use of information and data.
The acceptable use policy covers what is and what is not allowed by employees when it comes to using the company’s assets such as software, hardware and premises.
If someone breaks the acceptable use policy, first you would investigate why it happened. You would raise an incident and corrective action and follow the process. It may be that the outcome of that process is to engage with HR to activate your internal disciplinary process.
You write the policy based on the needs of the business and the employee. Then you have the policy reviewed and approved by senior management and HR. Then you communicate the policy to all staff and get evidence that they have accepted the policy. You would include the policy in your annual communication plan and your annual information security training and awareness.
You create the acceptable use policy in a word processor such as Microsoft Word or Google Docs.
No. Computer use and email use form part of the normal acceptable use policy.
An AUP policy is an acceptable use policy. It is another name for the same thing.
An acceptable use policy example for small business can be found at High Table: The ISO 27001 Company.
A computer acceptable use policy template can be found at High Table: The ISO 27001 Company.