Acceptable Use Policy
A document that defines the rules and guidelines for how employees and other authorized users may use the organization's information assets, systems, networks, and data, including permitted activities, prohibited behaviors, and consequences for violations.
An Acceptable Use Policy (AUP) establishes clear expectations for how organizational resources — including computers, networks, email, internet access, cloud services, mobile devices, and data — may be used. The policy typically covers permitted and prohibited activities, personal use guidelines, data handling requirements, password and authentication expectations, software installation rules, remote work requirements, social media guidelines, and the consequences of policy violations. By setting explicit boundaries, an AUP helps prevent security incidents caused by negligent or uninformed user behavior, which remains one of the most common vectors for security breaches.
ISO 27001 Annex A control A.5.10 specifically addresses acceptable use of information and other associated assets, requiring that rules for the acceptable use and handling of information be identified, documented, and implemented. SOC 2's Common Criteria require organizations to communicate policies and expectations to personnel, and the AUP is a primary vehicle for this communication. NIS2's requirements for basic cyber hygiene practices and cybersecurity training align with the AUP's role in defining expected user behavior. In technology due diligence, the existence and enforcement of an AUP demonstrates that the organization has established behavioral standards for information security.
An effective AUP must balance security requirements with practicality and usability. Overly restrictive policies that are routinely ignored or worked around are worse than balanced policies that are consistently followed. The policy should be written in plain language (avoiding excessive legal or technical jargon), kept to a reasonable length, and focused on the behaviors that matter most for security. All employees should acknowledge the AUP during onboarding, and periodic re-acknowledgment (typically annual) ensures ongoing awareness. The AUP should be reviewed and updated regularly to address new technologies, emerging threats, and changes in working practices — the rapid adoption of generative AI tools, for example, has prompted many organizations to update their AUPs with guidelines on the use of AI services with organizational data.
Related terms
Asset Management
The process of identifying, classifying, documenting, and managing the lifecycle of information assets — including hardware, software, data, and cloud services — to ensure they are appropriately protected according to their value and sensitivity.
Data Loss Prevention
A set of strategies, tools, and processes designed to detect and prevent the unauthorized transmission, exfiltration, or leakage of sensitive data outside an organization's controlled environment.
Information Security Policy
A high-level document approved by top management that establishes the organization's overall direction and principles for information security, defines the scope of the ISMS, demonstrates management commitment, and sets the framework for establishing security objectives and controls.
Security Awareness Training
A structured program designed to educate employees and other authorized users about information security threats, policies, and best practices, equipping them to recognize and respond appropriately to security risks in their daily work.