Information Security

Acceptable Use Policy

An acceptable use policy template defining permitted and prohibited use of organisational IT systems, networks, and data assets, aligned to ISO 27001 and NIST CSF.

14-18 pages | Updated 2026-02-15 | 2 frameworks

What's Included

1. Purpose & Scope

Defines the objective and applicability of the acceptable use policy to all users of IT resources.

Policy Objective | Covered Systems | Covered Personnel

2. General Use Principles

Establishes baseline principles for responsible use of IT assets and resources.

Business Purpose | Personal Use Guidelines | Resource Conservation

3. Email & Communications

Defines acceptable use of email systems, instant messaging, and other communication tools.

Business Email Use | Prohibited Content | Email Security | Retention Requirements

4. Internet & Web Access

Governs internet browsing, downloading, and web-based service usage.

Permitted Access | Prohibited Sites & Content | Download Restrictions | Streaming & Bandwidth

5. Software & Hardware

Defines rules for software installation, hardware use, and device management.

Authorised Software | Prohibited Software | Hardware Care | Peripheral Devices

6. Remote & Mobile Access

Establishes requirements for accessing organisational resources remotely or via mobile devices.

VPN Requirements | BYOD Guidelines | Public WiFi Restrictions | Device Encryption

7. Social Media

Defines guidelines for social media use in both professional and personal contexts.

Official Accounts | Personal Use Boundaries | Confidentiality Requirements

8. Enforcement & Compliance

Outlines monitoring, enforcement actions, and consequences for policy violations.

Monitoring Notice | Violation Reporting | Disciplinary Actions | Acknowledgement Requirements

Frequently Asked Questions

What should an acceptable use policy include?

A comprehensive acceptable use policy should include purpose & scope, general use principles, email & communications, internet & web access, and more. This template covers 8 key sections aligned to ISO 27001 and NIST CSF requirements.

Which frameworks require an information security policy?

Major frameworks requiring information security policies include ISO 27001 and NIST CSF. This template maps directly to their control requirements, making it easier to demonstrate compliance across multiple standards.

How often should an acceptable use policy be reviewed?

Best practice is to review your acceptable use policy at least annually, or whenever significant changes occur in your organisation, technology environment, or regulatory landscape. Most frameworks, including ISO 27001 and NIST CSF, require documented policy review cycles.

Build Your Compliance Programme

Pair this policy template with our compliance platform to map controls across 693+ frameworks, run self-assessments, and get AI-powered compliance advisory.
