How to Make an Acceptable Use Policy for Your Organisation – a Step-by-Step Tutorial with Template

Anders Bryde Thornild
By: Anders Bryde Thornild Cyber Security | 29 November

Having an Acceptable Use Policy (AUP) in your organisation can help strengthen the information security in your organisation. In addition to promoting a strong information security culture, it also ensures that the entire organisation is on the same page and knows how they should handle their digital activities. The goal is to have everybody in the organisation to know what they can and cannot do with confidence.  

With this blog, we will guide you though an Acceptable Use Policy example using our template, which you can find further down this page. We will also discuss what to consider when you create these guidelines for your organisation.  

There is also a template to create an Information Security Policy, which you can find here. Both documents are vital tools to achieve a good information security culture in your organisation.

Information Security Policy vs. Acceptable Use Policy

When working with cybersecurity in your organisation, it can be very useful to have both an IT security policy and an Acceptable Use Policy. A policy and use policy both provide a clear set of expectations, which will strengthen your security.

What is an IT security policy?

The aim of an Information Security Policy is to provide a general set of objectives for the organisation to aim for.  Additionally, it emphasises that all staff are responsible for the information security in the organisation. The policy is a small document with only a few pages and is viewed as a management memo with ambitions for the organisationinformation security measures.

What is an Acceptable Use Policy?

The Acceptable Use Policy imore extensive and includes rules and guidelines, which the entire organisation must follow. Where the Information Security Policy is general and strategic, the Acceptable Use Policy is concrete and actionable. (If you would rather see the tutorial for making an Information Security Policy, then click here).

An Acceptable Use Policy provides specific rules

While the Information Security Policy provides a strategic objective, the Acceptable Use Policy defines specific rules to follow. Basically, it includes what should be incorporated into one’s daily routine while working. For example, it can include guidelines about the length of passwords, clean desks, or private use of company equipment, like laptops and smartphones 

The purpose of the AUP is to create the field for the organisation to play on. It is to provide clarity for all members of staff, so the guidelines should be easy to understand and follow.  

For the AUP to be successful, nobody in the organisation should be debating whether they are breaking the rules. They should be able to easily navigate through their daily work life in a secure way. Additionally, the document should be concise, as too many rules can lead to worse information security, because one could be overwhelmed by the sheer amount 


How to use the AUP template

This template we provide should only serve as an inspiration for your AUP. Your organisation has its own needs and context that perhaps only makes some of the rules relevant. We recommend taking what is relevant to you, add your own guidelines, and removing the rest.  

The template contains guidelines on the following aspects: 

  • Purpose statement

  • Confidentiality

  • Access codes (passwords and PIN codes)

  • Physical security

  • Handling of equipment and documents outside of premises

  • Equipment and software

  • User credentials

  • Digital activity

  • Security monitoring and logging

  • Handling of personal data

  • Report security incidents

The template contains two overall points: Purpose statements and guidelines and principles, where guidelines and principles have 10 focus areas for the rules in the organisation. We will go over each point below.

Purpose statement

First, we provide a purpose statement to set the tone and communicate the objectives of the Acceptable Use Policy. Generally, this should state that the document is a set of guidelines that are expected to be followed by all staff of the organisationWe give an example here:


“X (name of organisation) focuses on ensuring the availability, the confidentiality, and integrity of its systems and data. All staff must act in a responsible, ethical, and legal manner. All X staff, consultants, and temporary staff are required to manage knowledge with care and discretion, whether written, electronic, or verbal.

Therefore, the handling of must be per X’s information security policy as well as following the listed guidelines and principles. To ensure this, the staff of X are continuously trained and made aware of topics within cybersecurity and the GDPR with continuous training.” 


In short, the purpose statement lays down the basic rules for use of IT in your organisation. It should explicitly state the expectation of the staff’s continuous training and awareness.

Guidelines and principles:

The guidelines and principles point out specific rules to follow when using IT systems in the organisation. Here, we have added 10 points you can include with some guiding text.  

1. Confidentiality

Confidentially is normally included in employment or projects contracts, but it is still useful to state it in the guidelines to emphasise its importance. It states that the organisation expects confidentiality from its employees when it comes to confidential information, e.g., customer information. We give an example here:

“You must handle all of X’s information with discretion and care. Under no circumstances should you access or use information, systems, or networks that are not necessary for your job. Do not share confidential information with colleagues, consultants, or temporary staff who do not have a job-specific need for this information. You may not share confidential information with third parties unless it has a clear business purpose. When working with external parties, they must have signed a declaration of confidentiality."

2. Access codes (passwords and PIN codes)

In this section, the organisation can set requirements for the users’ access codes. For example, you can state requirements for the length, use of digits, or characters. You can also use this section to discourage staff from reusing passwords. We give an example here:

“All passwords and PIN codes are personal. To create a strong password, we recommend a long password of at least 12 characters, using both uppercase and lowercase letters, numbers, and special digitsWhen leaving your workstation, you must log off or lock the machine. Never leave passwords written on bulletin boards, paper, or stored on hard disk/email.” 

3. Physical security

The physical security section deals with how to handle information stored on physical equipment. It also provides some good practices and pointers on what to be aware of in physical settings. We provide an example here: 

Please ensure that your desk is organised and that there are no important documents in plain sight when you are not using them. Confidential information must be placed in locked drawers, cupboards, or the like to avoid unauthorised access. Additionally, be aware of the visibility of your PC screen – you should not have confidential and sensitive data open when unauthorised persons are behind you so that they can watch your activities over your shoulder.” 


Further reading: Have good Cybersecurity habits – Also at home! 

4. Handling equipment and files outside of premises

This section recommends how to handle equipment and files when outside of company/organisation premises, e.g., when working remotely. An increasing number of companies recently have had to concretely define this, as working from home has become a necessity.  

Here, you can include how expectations can differ compare to being on premises. This section mainly focuses on securing the organisation’s IT equipment.  We provide an example here:

“If you bring IT equipment outside of X’s premises, it must be secured with a pin or password that ensures a sufficient amount of security against access by unauthorised persons.  When flying, mobile equipment (I.e., laptop and mobile device) and documents must always be carried as hand luggage."

5. Equipment and software

Nowadays, we use cloud services and software which can be quickly accessed and downloaded from the internet. Therefore, it is essential to make some general rules on what types of services may be used and downloaded, as it can be incredibly difficult to control and keep track of your team’s activity. We give an example here:

All IT systems, equipment, or memory storage devices must be approved by X and follow company standards as issued. Never connect unauthorised equipment to workstations or networks. This also applies to USB keys and smartphones. Additionally, you may only install or download programs if you have been permitted to do so.  

Software and equipment are the property of X and must be treated accordingly. Therefore, they must not be lent to others, including family. For data handling, you must use X’s internal file server. Use of cloud-based services such as Google Drive, Dropbox, and web-based file sharing is only allowed if receiving data from external parties. It is not permitted to upload X’s data to unauthorised services. The software must always be used according to the license terms entered by X.” 


One way to keep track of your team’s activity is through Asset management – here’s how to get started.

6. User credentials

User credentials deal with usernames and passwords that are used for logging in to the organisation’s IT systems.  For example, multiple users could share user information and make use of each other’s loginsHowever, we recommend that you may only use your own user credentials so that you do not get into trouble because of the actions of others. We give an example of the guideline here:

“User rights must be respected, therefore only use your own user credentials to log inNever share your user information with others, including your employer. Misuse of credentials and digital activity can leave digital traces that have a negative impact on X.” 

7. Digital activity

Here, you can discuss best practices and limitations for digital activity on company-owned equipment. It is important to set realistic expectations, and some of these can include what we normally consider common sense. For example, it would be outrageous to ban visiting specific public websites or checking one’s private emails, but you can limit the level of private consumption during work hours.  Needless to say, illegal websites and activity should be banned. However, it is up to your organisation to specify these rules where your team still have some freedom, but you draw a line somewhere. We provide an example here:

“Please minimise the private use of the Internet and email on X’s equipment. For personal documents, save it locally in a folder on your computer and label it ‘Private. Personal data must not be sent by email. Under no circumstances, may work-related online correspondence take place through anonymised communication channels. It is strictly forbidden to use X’s email accounts, computers, tablets, and mobile phones to view pornographic, racist, extremist, or criminal content. When receiving an email, the sender’s email address must be checked before unknown links and documents are opened.” 

8. Security monitoring and logging

This is to communicate that you as the organisation can log and monitor your team’s digital activities for security purposes It does not necessarily mean that it is routinely done and more importantly, you respect your team’s privacy. But by bringing it up to their attention, you could encourage them to conduct their digital activities within reason. We provide an example here:

“X respect the individual employee’s privacy and complies with local laws and regulation. However, we reserve the right to log IT use and in special circumstances, require access to an employee’s email and files.”

9. Handling of personal data

The handling of personal data is one part of organisations being GDPR compliantNormally, compliance with the GDPR requires more elaborate processes than a set of rules in a document for IT use. However, the guidelines are still a place where employees can be made aware of the handling of personal data with some general requirements. These requirements do not say much about the processes that make you comply with the requirements but can create awareness of the importance of handling personal data. We give an example here: 

“At X, we are very careful to take good care of and protect the personal information that our customers, members, employees, and partners have entrusted us with. We work continuously to develop and implement secure processes, which must ensure the legal and secure processing of personal data.

We have established the following basic principles for the processing of personal data: 

  • Personal data may only access personal data that is relevant to their work and function

  • Personal data should only be shared internally if it is relevant to the recipient’s task and function. E.g., personal data from a client

  • E-mails containing personal data should be deleted once the relevant data has been processed

  • Personal data must not be stored locally or in one’s inbox for longer than necessary. Instead, use one of the systems designated for this in the organisation.

  • Both physical and digital files should be periodically reviewed to ensure that they do not contain personal data that is stored longer than necessary.”

10. Reporting security incidents

The last point is to illustrate the importance of reporting security incidents. As clear communication is the only way to warn and protect everybody else of the incident, it should be required for staff to report safety incidents that they observe or are exposed to.  In this section, you can provide examples of what a security incident might involve and to whom they should report. The important thing is that your team is aware of when to act and who to address. We give an example here:

“If you suspect of any security incidents, you must immediately report this to your immediate manager and the IT department.”

Examples of security incidents: 

  • You have received suspicious e-mail
  • E-mails with personal data have been sent to the wrong recipient
  • Lost IT equipment
Do not hesitate to contact the person in charge if you suspect something. Better safe than sorry!

The guidelines are a first step to reinforcing good habits

The guidelines make it possible for your team to easily check what they can or cannot do. However, it is important to point out that this effort cannot stand alone; you cannot just write down the rules and expect everyone to abide to themYour team must be trained on a continuous basis to ensure that awareness is always there.  

A strong foundation for your Cybersecurity culture

The Acceptable Use Policy provides a strong foundation for creating a strong information security culture in your organisation. We also have a guide for an Information Security Policy.

It is important that the documents do not just lie around and collect dust when you have filled them out, but that you continuously review and update them. We recommend that you do this annually. Additionally, we must work actively with the objectives and guidelines from the two documents, so that the information security culture in your organisation is enforced.  

We hope you found the template and guide useful!