Acceptable Use Policy - SME

A 6-page, audit-ready policy mapped to 7 frameworks, providing clear rules for employees on the safe use of company systems, devices, and internet.

✅ 6 Pages 📄 ISO 27001:2022 • NIST • GDPR • NIS2 🔒 Audit-Ready Format

This policy defines the acceptable, responsible, and secure use of your company's systems, devices, and internet. It provides clear do's and don'ts for employees, protecting your business data and operations from misuse.

  • Reduce Security Risks: Minimize threats from malware and unauthorized access by setting clear boundaries for all users.
  • Protect Business Data: Safeguard sensitive company and customer information by prohibiting risky behaviors like using personal cloud storage for business files.
  • Manage Personal Devices (BYOD): Set clear, secure rules for employees using their own phones or laptops for work.
  • Enable Safe Remote Work: Ensure consistent security standards apply whether your team works onsite, remote, or in a hybrid model.

The Acceptable Use Policy (AUP) for SMEs is a comprehensive framework that guides the responsible usage of IT resources within small to medium enterprises. It addresses the use of company-owned and personal devices under BYOD (Bring Your Own Device) arrangements, ensuring that all users understand the boundaries of acceptable and unacceptable behaviors. The policy's primary objectives include reducing security risks from misuse, safeguarding business and customer data, and maintaining the company's reputation. By setting clear, enforceable rules, the policy enables accountability and supports monitoring and compliance efforts to detect and correct violations early. The policy also outlines a structured approach for handling exceptions, which must be documented, reviewed, and approved by the General Manager or IT Provider.

What's Inside

  • Permitted & Prohibited Use
  • Personal Device (BYOD) Rules
  • Software & Hardware Controls
  • Internet & Email Usage
  • User Monitoring & Privacy
  • Enforcement & Violations
  • Risk & Exception Handling
  • Roles & Responsibilities

Built for Leaders, By Leaders

This policy translates complex security requirements into simple, clear rules that your team can understand and follow, empowering them to be your first line of defence. It was authored by a security leader to be a practical framework that stands up to auditor scrutiny.

Authored by an expert holding:

  • MSc Cyber Security, Royal Holloway UoL
  • CISM
  • CISA
  • ISO 27001:2022 Lead Auditor & Implementer
  • CEH

Framework Compliance

🛡️ Supported Standards & Frameworks

This product is aligned with the following compliance frameworks, with detailed clause and control mappings.

Framework            | Covered Clauses / Controls
---------------------|---------------------------
ISO/IEC 27001:2022   | Clause 5.10
ISO/IEC 27002:2022   | 5.10, 5.11, 5.12
NIST SP 800-53 Rev.5 | AC-19, AC-20, AT-2
EU GDPR              | Art. 5(1)(f), Art. 32
EU NIS2              | Art. 21(2)(b)
EU DORA              | Art. 9
COBIT 2019           | DSS05, BAI08

Part of a Complete ISMS Toolkit

This policy is one of 37 documents in our complete toolkit. When implemented as a set, our framework helps you achieve comprehensive compliance across major standards.

Coverage achieved with the full toolkit:

  • ISO 27001:2022: 100%
  • NIST: 95%
  • NIS2: 88%
  • DORA: 75%
  • GDPR: 70%

Related Policies

This foundational policy is directly linked to the following organizational security policies to ensure comprehensive alignment and traceability across the ISMS.

About This Policy

An Acceptable Use Policy (AUP) is a critical document for any SME that defines the rules and guidelines for using company IT assets. This policy clarifies for all employees and contractors what constitutes appropriate and inappropriate behavior when using company networks, computers, software, and internet access. It is the foundation for protecting your business from security risks that arise from user actions, whether intentional or accidental.

This AUP for SMEs specifically addresses modern work environments, including rules for remote work and the use of personal devices (BYOD). By implementing this policy, you create an enforceable standard that helps achieve ISO 27001:2022 compliance, safeguards sensitive data, and protects your company's reputation. It ensures every user understands their responsibility in maintaining a secure IT environment.

Price: €29 (one-time purchase)

Start your path to compliance in minutes.

  • Instant download
  • Lifetime updates

Product Details

  • Type: policy
  • Category: SME
  • Standards: 7