ISO 27001 Acceptable Use Policy Ultimate Guide

ISO 27001 Acceptable Use Policy Beginner's Guide

In this article we lay bare the ISO 27001 Acceptable Use Policy, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is the ISO 27001 Acceptable Use Policy.

What is an Acceptable Use Policy?

There are things that we do and do not want people to do with company computers, systems and data. The acceptable use policy sets out what we expect and explains it in simple terms.

An acceptable use policy is read by everyone who uses the company systems, and a signed acceptance of the policy is kept as evidence that each user has read and understood it.

It is about accountability, responsibility and respect.

The acceptable use policy ensures people understand what is expected of them when using company resources.

The purpose of the Acceptable Use Policy

The purpose of this policy is to make employees and external party users aware of the rules for the acceptable use of assets associated with information and information processing. Guiding principles, individual responsibility, intellectual property, use of personal equipment, internet and email usage, instant messaging, social media, working offsite and mobile storage devices, as well as monitoring, filtering and reporting, are covered in this policy.

Its primary purpose is to communicate exactly what is, and what is not, acceptable use of company assets.

Importance of Acceptable Use Policy

The acceptable use policy is important because it sets out clearly, and in written form, what you expect to happen. If you don't tell people what you expect of them, how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process: many disciplinary actions are not enforceable or actionable unless you have told people what to do and obtained their acceptance that they understand what is being asked. The ISO 27001 standard expects you to have the acceptable use policy in place, communicated, and accepted by staff as part of your ISO 27001 certification (it is Annex A control 5.10, Acceptable use of information and other associated assets, in ISO 27001:2022, and was A.8.1.3 in the 2013 edition). It forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.

What should an acceptable use policy contain?

The acceptable use policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document markup is just a fancy term for having certain information on the policy, which is what the standard's documented information requirements (clause 7.5) expect: it will need version control, a version number, an owner, an approval and review record, and an information security classification. An example acceptable use policy table of contents would look something like this:

Document Version Control
Document Contents Page
Purpose
Scope
Acceptable Use of Assets Policy
Principle
Individual Responsibility
Internet and Email Usage
Working Off Site
Mobile Storage Devices
Monitoring and Filtering
Reporting
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement

Acceptable Use Policy Template

Having an ISO 27001 template can save you hours of time in working out what you should include and writing it. This ISO 27001 Acceptable Use Template is pre-written with what good looks like and comes with a free guide on how to implement policies in your organisation quickly and painlessly.

You don't have to be an expert to deploy the policy, and it is designed for organisations of all sizes and sectors.