Acceptable use refers to the rules and guidelines that define how people are allowed to use an organisation’s resources, such as computers, networks, and data. Think of it like a set of digital manners. These rules are in place to keep the organisation’s information safe and to ensure resources are used for their intended purpose.
Examples
- Email: An acceptable use policy would typically state that company email should be used for business purposes only, and not for sending personal jokes, political chain letters, or spam.
- Internet Browsing: It might limit access to certain websites, like those that are illegal, dangerous, or not related to work, to prevent malware infections and wasted time.
- Software: The policy would require employees to use only approved, licensed software and prohibit them from downloading or installing unapproved programs that could create security risks.
Context
An acceptable use policy is a crucial part of a company’s overall security strategy. It helps protect against threats from the inside, like employees accidentally introducing viruses, and ensures that everyone understands their responsibilities. By clearly defining what is and isn’t allowed, it helps prevent misuse and keeps the organisation’s valuable information secure. It’s essentially a straightforward agreement between an organisation and its users.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to acceptable use:
- ISO 27001:2022 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets: This controls requires rules for acceptable use to be put in place.
- ISO 27001:2022 Annex A 5.1: Policies for Information Security: Organisations should establish policies and procedures to ensure the security of their information.
- ISO 27001:2022 Annex A 6.7: Remote Working: This control applies specifically to remote work, ensuring that acceptable use rules are followed even when employees aren’t in the office.