← Back to Acceptable Use Policy Template
Free preview: Acceptable Use Policy
These are the genuine opening sections of one document from the Acceptable Use Policy Template (1 documents total). The amber [placeholders] are what you customize — everything else is ready to use.
Acceptable Use Policy
Purpose. This policy defines the acceptable use of [Company Name] information, systems, and services so that every authorized user understands what is permitted, what is prohibited, and how use of company resources may be monitored. It supports ISO/IEC 27001:2022 control A.5.10 by establishing clear, enforceable rules for the use of information and associated assets, reducing the likelihood of security incidents caused by misuse, negligence, or unauthorized activity.
Policy Statement and Objectives
[Company Name] provides information systems, accounts, and data to enable staff to perform their work effectively. These resources must be used responsibly, lawfully, and in a manner consistent with the Information Security Policy. Access to any company resource is granted for business purposes and may be revoked when the conditions of this policy are not met.
Limited personal use of company systems (for example, occasional personal email or web browsing) is permitted provided it does not interfere with work duties, consume significant resources, expose the company to security or legal risk, or violate any rule in this policy. The [Role, e.g. Information Security Lead] is the owner of this policy and must review it at least annually and after any significant incident involving misuse.
General Rules of Acceptable Use
- Users must access only the systems, data, and accounts they have been explicitly authorized to use, as defined in the Access Control Policy.
- Users must keep authentication credentials confidential, must not share accounts or passwords, and must use multi-factor authentication wherever it is offered on company systems.
- Users must lock their screen whenever leaving a device unattended and must store devices securely in accordance with the Physical and Environmental Security Policy.
- Users must handle information according to its classification label as defined in the Asset Management and Information Classification Policy.
- Users must complete all assigned security awareness training within the deadlines set by the [Role, e.g. Information Security Lead].
- Users must report suspected security incidents, lost devices, and policy violations immediately via the channel defined in the Information Security Incident Response Procedure, and in any case within [4] hours of discovery.
Email and Messaging
- Company email and messaging accounts (for example, [System name, e.g. Google Workspace or Microsoft 365]) must be used for company business communications; personal email accounts must not be used to send, receive, or store company data.
- Users must not auto-forward company email to external or personal addresses; any business-justified forwarding rule must be approved in writing by the [Role, e.g. Information Security Lead].
- Information classified as Confidential or Restricted must not be sent to external recipients unless the transfer method meets the requirements of the Asset Management and Information Classification Policy and, where required, the Cryptographic Controls Policy.
- Users must verify the identity of any sender requesting payments, credential entry, gift card purchases, or changes to bank details through a second channel (for example, a phone call to a known number) before acting.
- Users must not open attachments or click links from unexpected or suspicious messages; suspected phishing must be reported using the [phishing report button or designated mailbox] within the same business day.
- Mass external mailings must be sent only through the approved marketing platform [System name] and must comply with applicable anti-spam requirements.
Internet and Cloud Application Use
Internet access on company networks and devices is provided for business use and reasonable limited personal use. Users must not attempt to bypass web filtering, security software, VPN requirements, or other technical controls deployed by [Company Name].
- Only cloud applications on the approved application list maintained by the [Role, e.g. Information Security Lead] may be used to store, process, or transmit company data; the list must be reviewed at least quarterly.
- Users must request approval for any new cloud service before first use by submitting a request to [approval channel, e.g. IT request form]; unapproved services discovered in use will be blocked.
- Users must not upload company data classified as Internal or higher to personal cloud storage, personal file-sharing accounts, or unapproved file transfer sites.
- Users must not download or install software from untrusted sources, and must not use cracked, pirated, or unlicensed software on any company device.
- Streaming, gaming, and large personal downloads that degrade network performance during business hours are prohibited.
— Preview ends. The full document continues with 0 more documents in the toolkit. —
More free previews
See real opening sections from our other compliance toolkits before you buy:
- AI Governance Policy Pack — free preview
- ISO 27001 + SOC 2 Dual Toolkit — free preview
- GDPR Compliance Pack for Small Business — free preview
- HIPAA Compliance Toolkit — Dental Practices — free preview
- HIPAA Compliance Toolkit — Medical Practices — free preview
- HIPAA Compliance Toolkit — Mental Health Practices — free preview
- ISO 27001 Policy Pack — Core — free preview
- ISO 27001 Toolkit for E-commerce — free preview
- ISO 27001 Complete Toolkit — free preview
- ISO 27001 Toolkit for Law Firms — free preview
- ISO 27001 Toolkit for MSPs — free preview
- ISO 27001 Toolkit for SaaS Companies — free preview
- ISO 42001 AI Management System Toolkit — free preview
- NIST CSF 2.0 Complete Toolkit — free preview
- SOC 2 Policy Pack — Core — free preview
- SOC 2 Complete Toolkit — free preview
- Startup Trust Pack — SOC 2 Core + AI Governance — free preview
- WISP Toolkit for Tax Professionals — free preview
- Access Control Policy Template — free preview
- AI Acceptable Use Policy Template — free preview
- GDPR Privacy Notice Template — free preview
- HIPAA Privacy Policy Template — free preview
- Incident Response Plan Template — free preview
- Information Security Policy Template — free preview
