Governance

Acceptable Use Policy (AUP)

Definition

An Acceptable Use Policy (AUP) is a documented set of rules that defines how people may (and may not) use an organization’s systems, applications, networks, data, and digital services. Similar policies are commonly expected in information security management systems and cybersecurity programs (for example, ISO/IEC 27001-aligned ISMS programs and NIST-aligned security policies). It establishes clear expectations for employees, contractors, and other authorized users about secure, lawful, and ethical use of technology resources, covering topics like account use, device handling, internet and email activity, data access and sharing, software installation, and acceptable behavior on corporate platforms.

In the context of ISO/IEC 42001 (an artificial intelligence management system standard), an AUP commonly extends to acceptable use of AI capabilities as well, including approved AI tools, permitted data types for prompts and uploads, restrictions on sensitive or regulated data, requirements to verify AI outputs before use, and safeguards against misuse such as generating harmful content, bypassing controls, or introducing data leakage.

A strong AUP supports governance and risk management by reducing ambiguity, enabling consistent enforcement, and providing a basis for monitoring, training, incident response, and corrective action. It is often paired with user acknowledgement, role-based access controls, and exception handling so the organization can manage real-world needs without weakening security or compliance.

Real-World Examples

Startup AI tool usage rules

A small team limits AI prompts to non-sensitive data, requires review of AI-generated output, and blocks uploading customer data to unapproved tools.

Remote work and BYOD controls

A growing company allows personal devices only if encrypted, patched, and protected by MFA, and prohibits storing work files in personal cloud accounts.

Enterprise email and web use

An enterprise defines acceptable browsing, bans unauthorized software downloads, and uses logging to investigate suspected malware or phishing activity.

Contractor and vendor access

A regulated organization requires contractors to sign the AUP, use named accounts, follow least privilege, and return or delete data at engagement end.

Frequently Asked Questions

An AUP is a formal policy that sets the rules for using company systems, networks, applications, and data, including what is allowed, prohibited, and monitored.

It reduces security and compliance risk by clarifying expectations, preventing misuse, supporting investigations, and providing a consistent basis for enforcement and training.

Typical sections include scope, user responsibilities, approved and prohibited activities, data handling rules, device and account requirements, monitoring notices, and consequences.

It should cover anyone who accesses organizational resources, including employees, contractors, interns, temporary staff, third parties with access, and sometimes guests on managed networks.

Start with scope and principles, define acceptable and prohibited behaviors, align with access control and data classification rules, include monitoring and enforcement language, and require acknowledgement.

Common prohibitions include sharing passwords, bypassing security controls, installing unauthorized software, accessing illegal content, exfiltrating data, and using systems for harassment or fraud.

Yes—many AUPs include BYOD and remote work rules such as encryption, screen locks, patching, approved apps, secure Wi-Fi/VPN use, and restrictions on local or personal cloud storage.

Often yes, but the policy should clearly disclose what may be monitored, why it is monitored, and how logs are handled, while respecting applicable employment and privacy requirements.

Use a defined process: triage and investigate, preserve evidence, apply corrective actions proportionate to risk, document outcomes, and update controls or training to prevent recurrence.

Review at least annually and whenever major changes occur (new tools like AI services, remote work shifts, new regulations, incidents, or technology changes) to keep it accurate and effective.

Version History

Version | Date       | Author                             | Description
1.0.0   | 2026-02-26 | WatchDog Security GRC Wiki Team    | Initial publication