What Is an Acceptable Use Policy (AUP)?

Do your users know what they can and can’t do while using your company data?

An Acceptable Use Policy (AUP) is more than a set of guidelines – it’s a critical line of defence in protecting your organisation from intentional or accidental misuse. It sets the standard for how IT resources should and shouldn’t be used, helping to safeguard against security risks, legal issues, and reputational damage. 

Why Does an AUP Matter?

Let’s face it: not everyone uses company resources responsibly. Without clear and concise guidance, people will operate how they believe they should. This can lead to mishandling of data, use of unlicensed software, and even a major data breach.

An AUP helps you: 

• Reduce risks – Misuse of IT systems can lead to data breaches, fines, or worse. A robust AUP can help prevent this. 
• Stay compliant – Standards like ISO27001 and regulations like GDPR require policies to help meet their expectations. 
• Educate employees – It’s not just about what they CAN’T do; a good AUP also highlights best practices for secure and responsible IT use. 
• Due Diligence and Due Care – Having a clear, signed AUP can protect your business if things go wrong.

What Should an Acceptable Use Policy (AUP)  Include?

Writing a strong AUP isn’t about creating a list of “don’ts.” It’s about clarity, consistency, and covering all the bases.

Here’s what you need to include: 

1. Purpose and Scope: Why does this policy exist, and to whom does it apply (e.g., employees, contractors)?
2. Permitted Uses: Examples of acceptable behaviours, like using work email for business purposes only.
3. Prohibited Activities: Be clear about what’s not allowed, such as accessing inappropriate content or sharing credentials.
4. Data Protection: Highlight the importance of secure passwords, encryption, and how to handle sensitive information.
5. Monitoring and Enforcement: Clarify that user activity may be monitored and explain what happens if someone breaks the rules.
6. Acknowledgement: Ensure all users formally acknowledge they’ve read and understood the policy.

ISO27001 Requires an AUP?

ISO27001 auditors love a good policy, and the AUP is no exception. Annex A.5.10 specifically expects an AUP to be documented and implemented. Additionally, this also aligns with Annex A.6.3, which requires organisations to educate employees on information security responsibilities.

Put simply, a solid AUP ticks compliance boxes and supports the wider goal of building a security-aware culture – the cornerstone of any effective ISO27001 implementation. 

Top Tips for Crafting an Effective AUP

• Keep it simple: Avoid over-complicating things. The clearer your policy, the more likely it will be understood and followed. 
• Collaborate: Work with HR, IT, and legal teams to ensure it's comprehensive and enforceable. 
• Update regularly: Technology and threats evolve – your policy should too. 
• Train your team: A piece of paper (or PDF) isn’t enough. Educate your users on how to put the AUP into practice.

Final Thoughts

An Acceptable Use Policy is more than a compliance requirement – it’s a practical tool for protecting your business, data, and people. Done right, it’s the backbone of your information security controls and a big tick in the ISO27001 compliance box. 

Example of an AUP

We have created a base AUP for you, although we have detailed some of the key contents of an AUP, we thought we would get you started. Ensure you review the content and align it to how your business operates.

But here it is - Free AUP Example

Still looking for answers? You might find what you are looking for on our FAQ page

Alternatively, feel free to get in touch so we can discuss your organisations specific requirements.

‍