PolicyForge

How to write an acceptable use policy

An acceptable use policy (AUP) tells employees what they can and cannot do with company systems. Here is what to include — and a template you can generate free.

What an AUP is for

The acceptable use policy is the document every employee actually signs. It sets the ground rules for using company systems, devices, networks and data — and gives you a basis to act when someone crosses the line. It is one of the first documents an auditor requests and a cornerstone of onboarding.

What to include

  1. Scope — who and what it applies to (staff, contractors, devices, accounts).
  2. Acceptable use — what systems are for, and reasonable personal use if you allow it.
  3. Prohibited use — illegal activity, circumventing or disabling security controls, installing unauthorised software, sharing credentials.
  4. Data handling — link to your classification rules; no company data in unsanctioned tools.
  5. AI tools — whether and how generative AI may be used with company data (an increasingly expected section).
  6. Monitoring — what the organisation monitors, and why, stated transparently; where that monitoring processes employees' personal data, GDPR requires that they are told about it.
  7. Consequences — what happens on violation, linked to your disciplinary process.

Common mistakes

  • A wall of legalese no one reads; keep it plain and signable.
  • No mention of AI tools, now a real data-leak vector.
  • Promising monitoring you don't perform — or performing monitoring you never disclosed.

Framework alignment

Maps to ISO 27001:2022 Annex A 5.10 (acceptable use of information and assets) and supports SOC 2 and NIST CSF Protect.

Generate it in minutes

See a sample acceptable use policy or generate yours free.