Acceptable Use Policy - SME

The Acceptable Use Policy (AUP) – SME version (document P03S) is designed to establish clear, practical, and enforceable standards for the responsible use of company-provided IT resources within small and medium-sized enterprises (SMEs). Its primary focus is to ensure all individuals, including employees, contractors, temporary staff, and even third-party providers, fully understand their obligations and behavioral expectations when accessing organizational systems, whether on-site, remote, or in a hybrid work environment. This policy is explicitly tailored for SMEs, as seen through the use of generalized management roles such as the General Manager rather than specialized IT or security officers, making it accessible to organizations without dedicated in-house IT or security teams yet seeking rigorous compliance with ISO/IEC 27001:2022. Comprehensively, the AUP defines what constitutes acceptable versus unacceptable usage of company-owned devices, personal devices (BYOD), networks, cloud platforms, and all software tools in use. It extensively details governance mechanisms, such as inventories of approved hardware and software, requirements for pre-approval and secure configuration of BYODs, and maintaining activity logs to trace violations or incidents. Monitoring is carried out by the IT Manager or authorized external provider, but always within the limits of legitimate business interests and applicable privacy laws. This approach strikes a balance between security, privacy, and organizational feasibility. The policy also sets forth a comprehensive risk treatment and exception framework: risks like malware infection, data breaches, and reputational damage resulting from misuse are mitigated through layered technical controls and user awareness. Exception requests, such as use of unapproved software, must be formally documented, risk-assessed, time-bound, and explicitly approved, typically by the General Manager or IT Provider. The strong focus on documentation, review triggers, and annual policy reassessment ensures that the policy remains effective as technologies, threats, and legal requirements evolve. Enforcement provisions are robust. All suspected or observed violations must be reported promptly, with clear escalation to the IT Manager or General Manager. Enforcement measures can include system or access lockdown, verbal or written warnings, and even contract termination for both staff and third-party providers. The contractually binding nature of the policy for third parties ensures consistent application of security standards across the organization's supply chain. Finally, the AUP’s integration with other core SME policies, Access Control, Information Security Awareness, Remote Work, Data Protection, and Incident Response, ensures holistic coverage of security responsibilities. The result is an easy-to-implement, ISO 27001:2022-aligned framework for companies seeking compliance and risk reduction even without large IT or security departments.