
Acceptable Use Policy Template

Purpose and Use

This Acceptable Use Policy sets out how your organisation's information systems and equipment may be used by employees, contractors and other authorised users. It clarifies what is acceptable, what is prohibited, and the responsibilities of all users when handling company systems and data.

An Acceptable Use Policy (AUP) is a foundational requirement for demonstrating compliance with frameworks such as Cyber Essentials, ISO/IEC 27001 and UK GDPR. Customers, suppliers and insurers frequently request sight of the organisation's AUP during due diligence. By defining clear rules and responsibilities, the policy helps prevent misuse of systems, protects the confidentiality, integrity and availability of information, and ensures legal and regulatory obligations are met.

Who This Template Is For

This template is intended for UK organisations that need a proportionate and practical Acceptable Use Policy to support Cyber Essentials, ISO/IEC 27001 or customer/supplier assurance exercises. It provides baseline rules for the use of company computers, networks and information, and can be tailored to reflect your organisation's specific systems and culture.

Alternative names you may see

Organisations and standards do not always use identical terminology. Depending on context you may see this document referred to by other names, such as:

  • Acceptable Use of IT Policy
  • IT Acceptable Use Policy
  • Acceptable Use and Network Access Policy
  • IT Equipment and Systems Usage Policy
  • Systems Acceptable Use Policy
  • Email, Internet and Computer Use Policy

Feel free to adapt the title to suit your organisation.

Acceptable Use Policy

Organisation: [Organisation Name]
Document Owner: [Role, e.g. Head of IT / Information Security Manager]
Version: [X.Y]
Classification: [Public / Internal / Confidential]
Effective Date: [DD/MM/YYYY]
Next Review Date: [DD/MM/YYYY]

1. Document Management

1.1 Ownership

This policy is owned by [Role / Function], who is responsible for its maintenance, review and enforcement.

1.2 Review and Approval

This policy shall be reviewed at least annually, or sooner if there are significant changes to:

  • Technology platforms or services
  • Legal or regulatory requirements
  • Information security risks

Approval authority: [Role / Governance Body]

1.3 Change History

Version   Date           Author        Description
1.0       [DD/MM/YYYY]   [Name/Role]   Initial issue

2. Purpose

The purpose of this policy is to define the organisation's expectations, principles and minimum requirements for the acceptable use of its information systems, devices, networks and data. It protects the organisation and individuals by ensuring that systems are used in a lawful, respectful and secure manner that upholds:

  • Confidentiality of sensitive information
  • Integrity of systems and data
  • Availability of critical services

3. Scope

This policy applies to:

  • All employees, contractors, agency staff and third parties who access or use organisational systems
  • All information assets, systems, networks, applications and data
  • All devices and locations, including on-site, remote and home working, personal devices permitted for business use, and cloud services

4. Roles and Responsibilities

4.1 Senior Management

Senior management is responsible for:

  • Endorsing this policy and leading by example
  • Providing adequate resources for information security and user training
  • Promoting a culture of responsible and ethical system use

4.2 IT / Information Security Function

[Role / Team] is responsible for:

  • Implementing and maintaining technical controls (e.g. access controls, monitoring, malware protection)
  • Providing guidance and awareness training on acceptable use
  • Monitoring compliance and investigating suspected misuse

4.3 Human Resources

The Human Resources function is responsible for:

  • Ensuring employees receive and acknowledge this policy upon induction and when updated
  • Supporting disciplinary processes in the event of policy breaches

4.4 All Users

All users must:

  • Read, understand and comply with this policy and supporting policies
  • Use organisational systems responsibly and lawfully
  • Protect credentials and devices from unauthorised access
  • Report actual or suspected breaches or incidents promptly to [Incident Contact / Team]

5. Acceptable Use Rules

Users are expected to follow these rules when using the organisation's systems, networks and information:

5.1 General Conduct

  • Use systems and information only for authorised business activities or limited personal use as outlined below
  • Act lawfully and ethically, respecting copyright, data protection and other legal requirements
  • Protect confidential and personal data in accordance with the [Data Protection Policy]
  • Do not attempt to bypass technical controls or access systems without approval

5.2 Email and Messaging

  • Use business email accounts for organisation-related communications; personal accounts must not be used for business purposes
  • Be vigilant for phishing and malicious messages; do not open suspicious attachments or links
  • Do not send confidential or personal data unencrypted unless explicitly approved
  • Use professional language and do not send offensive, discriminatory or harassing content

5.3 Internet Use

  • Access the internet for business purposes and limited personal use provided it does not interfere with work duties
  • Do not browse or download illegal, offensive, discriminatory or inappropriate material
  • Do not stream or download large files or software unrelated to work unless approved (this may consume bandwidth or introduce malware)
  • Only download software from trusted sources and with approval from IT

5.4 Software and Intellectual Property

  • Use only software that has been licensed and approved by the organisation
  • Do not install, copy or distribute unlicensed or pirated software
  • Respect third-party intellectual property rights and copyright

5.5 Social Media

  • When speaking on behalf of the organisation, follow the organisationโ€™s social media guidelines and obtain authorisation
  • Be professional and respectful; do not post confidential or proprietary information
  • Personal social media use should not interfere with work duties or violate this policy

5.6 Personal Use

  • Reasonable personal use of organisational devices and networks is permitted if it does not:
      ◦ Interfere with productivity or performance
      ◦ Create security or legal risks
      ◦ Incur significant cost to the organisation
  • Personal files should be stored separately and must not contain illegal or inappropriate content

6. Prohibited Activities

Users must not:

  • Engage in any illegal activities, including downloading, sharing or storing illegal material
  • Circumvent security controls, introduce malicious software, or attempt unauthorised access to systems
  • Use organisational systems to harass, bully or discriminate against others
  • Use organisational resources for running a business unrelated to the organisation
  • Connect unauthorised devices to the corporate network without prior approval

7. Password and Account Security

  • Create strong, unique passwords that meet the organisationโ€™s password policy requirements
  • Keep passwords confidential; do not share accounts or credentials
  • Enable multi-factor authentication where supported
  • Lock devices when unattended and log off when finished
  • Report lost or stolen devices or suspected credential compromise immediately

8. Monitoring and Privacy

To protect the organisation and ensure compliance with this policy and legal obligations, the organisation may monitor the use of its systems and networks. Monitoring shall be:

  • Proportionate and relevant to business needs
  • Conducted in line with UK privacy and employment laws
  • Communicated clearly to staff and documented in supporting procedures

Personal data collected through monitoring will be processed in accordance with the [Data Protection Policy] and the UK GDPR.

9. Incident Reporting

All actual or suspected breaches of this policy, security incidents or misuse of systems must be reported immediately to [Incident Contact / Team]. Incidents shall be logged, investigated and managed according to the [Incident Response Policy], and lessons learned will be incorporated into future training and controls.

10. Policy Compliance

Failure to comply with this policy may result in:

  • Disciplinary action (up to and including termination of employment)
  • Contractual action for third parties
  • Legal consequences

Compliance with this policy is mandatory.

11. Exceptions

Any exception to this policy must be:

  • Documented and approved by [Approving Authority]
  • Risk-assessed to ensure security is maintained
  • Time-limited and reviewed regularly

12. Policy Communication

This policy shall be:

  • Communicated to all relevant users
  • Made available via [Intranet / Policy Portal]
  • Provided to third parties where appropriate

13. Supporting Policies and Documents

This policy is supported by (where applicable):

  • [Information Security Policy]
  • [Data Protection Policy]
  • [Access Control Policy]
  • [Incident Response Policy]
  • [Remote Working / BYOD Policy]
  • [Disciplinary Policy]

Policy Addons

This policy provides a general baseline for acceptable use. Some situations require additional controls or guidance. Use these optional add-on sections where relevant to supplement the policy without rewriting it entirely.

Bring Your Own Device (BYOD) - Add-On

Where the organisation permits users to access corporate systems using personally owned devices, additional controls shall be implemented to manage the risks. BYOD users must:

  • Ensure devices have up-to-date operating systems, security patches and anti-malware software installed
  • Agree to the installation of mobile device management (MDM) software or other controls that enforce encryption and enable remote wipe
  • Keep business and personal data separate where technically possible
  • Notify IT immediately if a BYOD device is lost or stolen
  • Register personal devices with IT/security before connecting to corporate systems

BYOD access may be revoked if the device fails to comply with security requirements.
