Acceptable Use

13/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

Acceptable use refers to the rules and guidelines that define how people are allowed to use an organisation’s resources, such as computers, networks, and data. Think of it like a set of digital manners. These rules are in place to keep the organisation’s information safe and to ensure resources are used for their intended purpose.

Examples

  • Email: An acceptable use policy would typically state that company email should be used for business purposes only, and not for sending personal jokes, political chain letters, or spam.
  • Internet Browsing: It might limit access to certain websites, like those that are illegal, dangerous, or not related to work, to prevent malware infections and wasted time.
  • Software: The policy would require employees to use only approved, licensed software and prohibit them from downloading or installing unapproved programs that could create security risks.

Context

An acceptable use policy is a crucial part of a company’s overall security strategy. It helps protect against threats from the inside, like employees accidentally introducing viruses, and ensures that everyone understands their responsibilities. By clearly defining what is and isn’t allowed, it helps prevent misuse and keeps the organisation’s valuable information secure. It’s essentially a straightforward agreement between an organisation and its users.

Relevant ISO 27001 Controls

The following controls from the ISO/IEC 27001:2022 standard are related to acceptable use:

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.