Acceptable Use Policy
Defines acceptable and prohibited uses of company systems, devices, and networks.
Library
60 bilingual templates covering 38 compliance frameworks. Generate the policy that fits your context in minutes.
60 templates
Defines acceptable and prohibited uses of company systems, devices, and networks.
Defines how users gain, change, and lose access to systems and data.
Defines how employees may use generative AI and machine-learning tools — public chatbots, copilots, embedded assistants.
Defines how AI systems are designed, evaluated, deployed, and overseen — aligned with the EU AI Act and ISO/IEC 42001.
Prohibits bribery and corruption in any form, aligned with FCPA (US), UK Bribery Act, Sapin II (France), and ISO 37001.
Establishes how the workforce recognises, reports, and is protected from phishing, vishing, smishing, and social engineering attacks.
Defines security requirements for internal and external APIs across design, deployment, and decommissioning.
Defines how IT assets are inventoried, classified, owned, and decommissioned.
Defines pre-employment background verification appropriate to role sensitivity, in compliance with local labour and privacy law.
Defines how data is backed up, retained, and restored to ensure business continuity.
Establishes the business continuity management system aligned with ISO 22301 — BIA, plans, exercises, governance.
Defines acceptable use of personal devices for work, with security controls and reimbursement terms.
Ensures system capacity is monitored and planned to meet current and forecasted business demand (ISO 27001 A.8.6, SOC 2 A1).
Discloses consumer rights and data practices under the California Consumer Privacy Act and California Privacy Rights Act.
Defines how changes to production systems are proposed, reviewed, deployed, and rolled back.
Aligns the organization with the Cybersecurity Maturity Model Certification (CMMC) for US Department of Defense contractors and subcontractors.
Defines how baseline configurations are established, deployed, and protected from unauthorised change (NIST CM family, ISO 27001 A.8).
Discloses the cookies set on your website, their purpose, retention, and how visitors can manage them.
Establishes the organization-wide framework for responding to severe events — cyber, safety, reputational, legal — beyond business continuity.
Defines the full lifecycle of cryptographic keys aligned with NIST SP 800-57 and FIPS 140-3.
Documents the five technical controls required by the UK NCSC Cyber Essentials and Cyber Essentials Plus schemes.
Defines controls to detect and prevent unauthorized exfiltration of sensitive data across email, endpoints, cloud, and network egress.
Defines how personal and sensitive data is collected, processed, stored, and protected, aligned with GDPR essentials.
Defines how long data is kept, why, and how it is securely destroyed when retention expires.
Defines the consistent, proportionate disciplinary process for workforce violations of information security policies.
Defines acceptable, secure, and professional use of company email.
Defines cryptographic standards for data at rest, in transit, and key management practices.
Aligns a cloud service offering with FedRAMP authorization requirements for use by US federal agencies.
Aligns the organisation with the French HDS (Hébergeur de Données de Santé) certification for hosting personal health data.
Establishes safeguards for Protected Health Information (PHI) in alignment with HIPAA Security and Privacy Rules.
Aligns information protection with the HITRUST Common Security Framework, used as the de-facto US healthcare standard.
Manages ICT third-party risk in alignment with EU DORA — including criticality assessment, register, and exit strategies.
Establishes IAM principles, identity proofing, authentication, authorisation, federation, and lifecycle management.
Defines who communicates what, to whom, and when during a cybersecurity incident — internal, customer, regulator, and public.
Defines how the organization detects, responds to, and learns from security incidents.
Defines how information is classified by sensitivity and the protections each tier requires.
Extends ISO 27001 controls with cloud-specific guidance per ISO/IEC 27017, defining shared responsibility for security in cloud services.
Implements the safeguards for processing PII as a public cloud PII processor in alignment with ISO/IEC 27018.
Defines what is logged, how logs are protected and retained, and how monitoring drives detection and response.
Defines network segmentation, perimeter and lateral controls, secure connectivity, and zero-trust principles.
Establishes the cybersecurity risk-management measures required by EU Directive 2022/2555 (NIS2) for essential and important entities.
Defines how open-source dependencies are evaluated, approved, monitored, and contributed to.
Establishes the framework to identify, protect, detect, respond to, recover from, and learn from operational disruptions (DORA / NIS2 aligned).
Defines password requirements and management practices.
Defines how operating system, application, and firmware patches are evaluated, tested, deployed, and verified.
Protects cardholder data (CHD) and the Cardholder Data Environment (CDE) in alignment with PCI DSS v4.0.
Establishes the program for authorized adversarial security testing of systems and applications.
Defines protection of facilities, equipment, and the environment supporting information systems (ISO 27001 Annex A.7).
Establishes a Privacy Information Management System aligned with ISO/IEC 27701, on top of ISO 27001.
Governs the creation, classification, retention, access, and destruction of organizational records (broader than data retention).
Sets security and operational expectations for employees working outside the office.
Defines how risks are identified, assessed, treated, monitored and reported (aligned to NIST RMF and ISO 27005).
Embeds security through the software development lifecycle (NIST SSDF, ISO/IEC 27034).
Aligns the cloud service provider with the French ANSSI SecNumCloud qualification requirements.
Defines the security activities for joiners, internal movers, and leavers — from access provisioning to deprovisioning and exit interviews.
Defines mandatory cybersecurity training, awareness campaigns, and effectiveness measurement.
Aligns information security with the TISAX (Trusted Information Security Assessment eXchange) catalogue used across the EU automotive industry.
Defines how vendors and third parties are assessed, contracted, monitored, and offboarded.
Establishes how vulnerabilities are discovered, prioritised, remediated, and verified across the technology stack.
Provides safe internal and external reporting channels and anti-retaliation protections, aligned with EU Directive 2019/1937 and national implementations.
Create a free account and start drafting your policies in minutes.
Start free