An 11-page, audit-ready AUP mapped to 7 key frameworks including ISO 27001 and GDPR. Define clear rules of behavior to protect your business from misuse, data exposure, and legal risks.
This Acceptable Use Policy (AUP) is the foundation for managing human-related risk. It establishes clear, enforceable rules for how everyone—from employees to contractors—interacts with your company’s information, systems, and devices. By setting explicit behavioral expectations, you can protect your organization from misuse, negligence, and malicious acts.
Provide explicit guidance on authorized activities, prohibited content, and proper use of email, internet, mobile devices, and cloud services to minimize ambiguity.
Protect against data leakage, malware infections, and unauthorized access stemming from negligent or malicious user actions.
Directly implements ISO 27001 Clause 5.10 and key Annex A controls, making it an essential document for any organization pursuing or maintaining certification.
Our policies are built by certified auditors for one purpose: to be audit-ready and easy to implement. We go beyond vague paragraphs and provide a structure that gives you unparalleled flexibility and control.
Every rule is a uniquely numbered, standalone statement. This actionable format means you can adopt the policy wholesale or customize it line-by-line to fit your needs—without rewriting entire sections or breaking the document's integrity. Track implementation, assign ownership, and show auditors precise evidence of compliance with a policy designed for clarity, not confusion.
This single policy is aligned with 7 leading international frameworks, ensuring your rules of behavior are defensible and comprehensive.
Framework | Covered Clauses / Controls |
---|---|
ISO/IEC 27001:2022 | Clause 5.10 |
ISO/IEC 27002:2022 | Control 6.1, Control 6.2, Control 8.1, Control 8.12 |
NIST SP 800-53 Rev.5 | AC-19, AC-20, AT-2 |
EU GDPR | Article 5(1)(f), Article 32, Recital 39 |
EU NIS2 | Article 21(2)(a–d) |
EU DORA | Article 5 |
COBIT 2019 | APO07, BAI05, DSS05, MEA01 |
This document works as part of a layered defense, integrating seamlessly with other key policies to ensure comprehensive behavioral and technical governance.
Establishes the foundational commitment to acceptable use.
Defines access permissions that enforce AUP boundaries.
Addresses behavior-related risks from user-driven threats.
Ensures AUP terms are acknowledged at entry and revoked at exit.
Extends acceptable use provisions to remote environments.