There are things that we do and do not want people to do with company computers, systems and data. The acceptable use policy sets out what we expect and explains it in simple terms.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Acceptable Use Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Acceptable Use Policy Example
- ISO 27001 Acceptable Use Policy FAQ
What is it?
An Acceptable Use Policy (AUP) is a set of rules that tells you how you can and can’t use your company’s technology and information systems. Think of it as a rulebook for using computers, the internet, email, and other digital tools at work. It’s all about keeping your company’s data safe and secure. It’s part of a bigger picture called information security, and it helps you meet the requirements of a standard called ISO 27001, which is like a gold star for keeping information safe.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- For Small Businesses: An AUP helps you set clear expectations and protect your sensitive customer data without needing a huge IT budget. It’s a simple way to start your security journey.
- For Tech Startups: Since you’re often handling intellectual property and new code, an AUP is vital for protecting your ideas. It keeps your developers focused on work and helps prevent data leaks.
- For AI Companies: Your data is your most valuable asset. An AUP helps you manage how data is accessed and used, which is critical for preventing misuse and maintaining the integrity of your AI models.
ISO 27001 Acceptable Use Policy Template
The ISO 27001:2022 Acceptable Use Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Why you need it
You need an AUP to protect your company. It helps you prevent security risks like viruses, data leaks, and unauthorised access. It also makes sure your employees understand their responsibilities when it comes to using company tech. This simple document helps you avoid big problems down the road.
When you need it
You need an AUP as soon as you start a business and have employees using your technology. It’s a foundational document. If you’re aiming for an ISO 27001 certification, it’s one of the first things you’ll need to create and implement. The policy should be in place before you onboard your first employee.
Who needs it?
Everyone in the company needs to follow the AUP. This includes full-time employees, part-time staff, contractors, and even temporary workers. Basically, anyone who uses your company’s computers, network, or data needs to know and follow the rules.
Where you need it
You need the AUP to be easily accessible to everyone. It should be part of your new hire packet or employee handbook. You can also post it on your company’s intranet or a shared drive. The key is to make sure it’s not hidden away and that everyone can find it easily.
How to write it
Writing an AUP is pretty simple. You should:
- Define what’s covered: List all the company assets, like laptops, phones, email, and network.
- State the rules: Explain what is and isn’t allowed, such as no illegal activities or sharing of sensitive data.
- Explain the consequences: Clearly state what happens if someone breaks the rules, from a warning to termination.
- Review it: Make sure a lawyer or an information security expert reviews it to ensure it’s legally sound and covers all your needs.
Time needed: 1 day
How to write an acceptable use policy
- Identify your company assets
Identify what assets your company has. This will be both software and hardware, and it can include premises. What are the assets that your business uses to conduct its business?
- Prioritise your company assets
Once you have identified the assets you rely on to conduct business, prioritise them based on their importance to the business, the classification of the data that is stored, processed or transmitted through them, and the risk they pose to you. An example would be email, which would be classed as high importance to the company and probably classified as confidential.
- Set rules for the assets based on the priority
With the list of assets and the prioritisation in place, set about writing the rules of what people can and cannot do with those assets. If you rely on email for critical client communication, you are unlikely to want people to use their email to sign up to newsletters, conduct online shopping and other personal business that increases the risk of spam and phishing attacks that could then compromise your organisation. The rules are there to reduce risk. Being respectful of the needs of the employee, find the right balance and set the rules of acceptable use.
- Review and approve the acceptable use policy
The policy should be formally reviewed and formally approved. It would normally be approved at the management review meeting but you want to ensure that it has the sign off of the HR department and of senior management as a minimum. This gets the agreement that these are the rules that we are going to operate by.
- Communicate the acceptable use policy to all staff
Consider, as part of your required communication plan, the different ways and timings that are appropriate to you for communicating the acceptable use policy. Make sure it is stored somewhere that people can easily access at any time, and check that they can, indeed, access it.
- Get evidence that the staff have accepted the acceptable use policy
Using your acceptance methodology, get staff to confirm that they have read and understood the policy and accept its terms. Maintain evidence of this for future audits and any potential disciplinary process.
How to implement it
Implementing the AUP is as important as writing it.
- Communicate it: Hold a meeting or send an email to everyone explaining the new policy.
- Get a signature: Have every employee sign a document confirming they’ve read and understood the policy.
- Train everyone: Provide a quick training session on the key points.
- Review it regularly: Update the policy every year or whenever your technology or business changes.
Examples of using it for small businesses
Imagine you run a small bakery and use a computer for orders and payroll. Your AUP would say things like, “Don’t use the company computer for personal online shopping,” and “Don’t download games or other apps that aren’t approved.” It keeps your business info safe from viruses and other digital threats.
Examples of using it for tech startups
A tech startup creating a new app would have an AUP that includes rules about intellectual property. It would say things like, “Don’t share code with anyone outside the company,” or “All work created using company resources belongs to the company.” This protects your new ideas.
Examples of using it for AI companies
For an AI company, your AUP would focus on data handling. It would have rules like, “Only use approved data sets for training models,” and “Don’t copy or share customer data.” This is critical for privacy and security.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.
Information security standards that need it
This acceptable use policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific controls that relate to acceptable use. Some of the most important ones include:
- ISO 27001:2022 Annex A 5.10 Acceptable Use of Information and Other Associated Assets
- ISO 27001:2022 Annex A 5.1 Policies for Information Security
- ISO 27001:2022 Annex A 5.36 Compliance With Policies, Rules and Standards for Information Security
ISO 27001 Acceptable Use Policy Example
This is an example ISO 27001 Acceptable Use Policy:
ISO 27001 Acceptable Use Policy FAQ
The acceptable use policy applies to all staff, contractors and third parties that access or use company assets.
The purpose of this policy is to make employees and external party users aware of the rules for the acceptable use of assets associated with information and information processing. Guiding principles, individual responsibility, intellectual property, use of personal equipment, internet and email usage, instant messaging, social media, working offsite and mobile storage devices, as well as monitoring, filtering and reporting, are covered in this policy.
Your primary purpose is to communicate exactly what is, and what is not, acceptable use of company assets.
People cannot be expected to follow guidelines and rules unless you tell them what they are. The acceptable use policy is used to inform people of what is, and what is not, expected of them. The misuse of computer equipment and information can have legal, regulatory and reputational consequences for the organisation.
Yes. It is a key document in the protection of the organisation. Often part of the HR onboarding process, it is also embedded in the culture of the organisation and re-signed annually.
It can. It depends on the organisation. The use of computer equipment for personal use can be included with the rules and limits set and clearly explained. There is rarely if ever a case for the personal use of information and data.
The acceptable use policy covers what is and what is not allowed by employees when it comes to using the company's assets, such as software, hardware and premises.
The acceptable use policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document markup is just a fancy phrase for having certain information on the policy. It will need version control, a version number, an owner and an information security classification. An example acceptable use policy table of contents would look something like this:
- Document Version Control
- Document Contents Page
- Purpose
- Scope
- Acceptable Use of Assets Policy
- Principle
- Individual Responsibility
- Internet and Email Usage
- Working Off Site
- Mobile Storage Devices
- Monitoring and Filtering
- Reporting
- Policy Compliance
- Compliance Measurement
- Exceptions
- Non-Compliance
- Continual Improvement
If the acceptable use policy is broken, first you would investigate why it happened. You would raise an incident and a corrective action and follow the process. It may be that the outcome of that process is to engage with HR to activate your internal disciplinary process.
You write the policy based on the needs of the business and the employee. Then you have the policy reviewed and approved by senior management and HR. Then you communicate the policy to all staff and get evidence that they have accepted it. You would include the policy in your annual communication plan and your annual information security training and awareness.
You create the acceptable use policy in a word processor such as Microsoft Word or Google Docs.
No. Computer use and email use form part of the normal acceptable use policy.
An AUP policy is an acceptable use policy. It is another name for the same thing.
An acceptable use policy example for small business can be found at High Table: The ISO 27001 Company.
A computer acceptable use policy template can be found at High Table: The ISO 27001 Company.
No, the AUP should apply to everyone, regardless of where they work.
Yes, if you have a Bring Your Own Device (BYOD) policy, the AUP should cover how those devices can access company information.
Yes, the policy should state that the company has the right to monitor internet and email usage.
Yes, you can have a separate guest Wi-Fi policy or include a section in your main AUP for guests.
An AUP is a part of the bigger IT security policy. The AUP tells people what to do, while the IT security policy details the technology and procedures used to secure things.