Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
An IT Acceptable Use Policy (AUP) is an internal operational document that defines the rules governing how employees, contractors, and any other authorized users may access and use a company's technology systems β including computers, networks, email, internet access, mobile devices, and cloud platforms. It distinguishes permitted business use from prohibited activities, sets expectations for device security and data handling, establishes monitoring practices, and specifies the disciplinary consequences for violations. Unlike a general code of conduct, an AUP is focused exclusively on technology behavior and is typically acknowledged in writing by every user before they receive system credentials.
Without a documented IT acceptable use policy, your organization has no enforceable standard against which to measure or discipline technology misuse. When an employee forwards confidential client data to a personal email account, installs unauthorized software that introduces malware, or shares system credentials with a vendor, the absence of a written policy means you cannot demonstrate that any rule was broken β making disciplinary action, legal claims, and insurance filings far more difficult. Beyond internal enforcement, an AUP is a hard requirement for SOC 2 Type II audits, ISO 27001 certification, HIPAA compliance, and most cyber liability insurance applications. Organizations that have experienced a breach also face insurer scrutiny of whether documented controls were in place at the time of the incident. This template gives you a complete, editable starting point that covers every essential section β from prohibited activities to monitoring notices β so you can distribute a credible, enforceable policy in hours rather than weeks.
| If your situation is⦠| Use this template |
|---|---|
| Policy for a company allowing personal devices to access corporate systems | BYOD (Bring Your Own Device) Policy |
| Policy governing remote and hybrid workforce access to company resources | Remote Work Policy |
| Policy covering how sensitive business data is classified and handled | Data Classification Policy |
| Policy setting rules for employee social media conduct | Social Media Policy |
| Policy covering how the company responds to a cybersecurity breach | Incident Response Plan |
| Policy governing use and access to passwords and credentials | Password Management Policy |
| General employee code of conduct covering broader workplace behavior | Employee Code of Conduct |
Why it matters: Third-party users with network access create the same data leakage and breach risk as employees. Limiting the policy to staff leaves a documented gap that auditors and insurers will flag.
Fix: Explicitly name every user category in the scope section and require acknowledgment from all of them before granting system access.
Why it matters: Terms like 'inappropriate use' or 'excessive personal use' cannot be consistently enforced and rarely hold up in disciplinary proceedings when the employee argues the rule was unclear.
Fix: List specific prohibited behaviors with concrete examples. Replace 'inappropriate content' with 'pornographic, violent, or hate-based material' and define the examples your legal team has approved.
Why it matters: Without a signed acknowledgment on file, you cannot demonstrate the employee knew the rules β which is the foundational requirement in any disciplinary or legal proceeding stemming from a policy violation.
Fix: Require all covered users to sign or digitally acknowledge the policy before receiving system credentials, and store those records in a searchable system.
Why it matters: A policy written in 2020 will not address cloud collaboration tools, AI assistants, or the remote work security practices that have become standard since then β creating unaddressed risk and audit findings.
Fix: Set a mandatory annual review date inside the document itself, assign a named policy owner responsible for the review, and log each revision with a version number and date.
Why it matters: In the EU under GDPR and in several US states, monitoring employees' electronic activity without prior notice and a documented lawful basis can expose the company to regulatory fines and employee claims.
Fix: Include an explicit monitoring notice in the policy, collect acknowledgments as proof of notice, and confirm the lawful basis for monitoring with a legal or privacy advisor before deployment.
Why it matters: A clause stating that any violation 'will result in immediate termination' removes the discretion managers need for minor or ambiguous first offenses, and can create wrongful termination exposure.
Fix: Replace absolute language with tiered consequences β 'may result in disciplinary action up to and including termination' β and align the tiers with your employee handbook.
Identify every category of person who accesses your IT systems β full-time employees, part-time staff, contractors, vendors, and interns. List the specific systems and networks covered, including cloud services.
π‘ If your company uses a named cloud platform (Microsoft 365, Google Workspace, AWS), list it explicitly. Vague references to 'cloud systems' create gaps in coverage.
List the asset categories in scope: company-owned laptops, mobile devices, servers, on-premise networks, VPN, and SaaS platforms. This inventory anchors every section of the policy.
π‘ Work with your IT team to pull the actual device and software inventory before drafting. Policies written without this step routinely miss whole categories of endpoints.
Go beyond 'inappropriate use' and list concrete prohibited actions: installing unapproved software, using personal cloud storage for company files, accessing competitor systems, and attempting to escalate system privileges.
π‘ Review your last 12 months of IT support tickets and security incidents. The most common real-world violations in your organization should be explicitly named.
Decide your actual position on personal use during work hours β a blanket ban is rarely enforced. Define clear limits: no personal webmail forwarding of company data, no social media posting about clients, no accessing personal streaming services on company networks.
π‘ Calibrate your rules to your culture. A startup with a casual environment needs different language than a regulated financial services firm.
Specify VPN requirements, MFA enrollment deadlines, screen-lock timeout settings (10 minutes is a common standard), and rules for working in public spaces.
π‘ Include the IT helpdesk contact details directly in this section so employees know who to call when they cannot connect remotely.
State clearly that company systems are subject to monitoring and that employees have no expectation of privacy on company equipment. Reference this section in the acknowledgment employees sign.
π‘ If your company operates in the EU or California, review GDPR and CCPA requirements before finalizing the monitoring language β employee monitoring has additional notice requirements in these jurisdictions.
Establish a tiered disciplinary response: verbal warning for minor first offenses, written warning for repeat violations, suspension or termination for serious breaches, and law enforcement referral for criminal activity.
π‘ Align this section with your employee handbook's disciplinary procedure so there are no contradictions between documents.
Publish the policy to all covered users, collect signed or digital acknowledgments before granting access, and calendar an annual review date in the document itself.
π‘ Store acknowledgment records in your HRIS or document management system β not in a shared folder. You need to retrieve individual acknowledgments quickly if a violation occurs.
An IT acceptable use policy is a formal document that defines how employees and other authorized users may use a company's technology assets β including computers, networks, email, internet access, mobile devices, and cloud services. It sets clear boundaries between permitted and prohibited activities, establishes monitoring practices, and specifies the consequences for violations. Most organizations require employees to sign or acknowledge the policy before receiving system access.
Without a written policy, there is no documented standard against which employee behavior can be measured or enforced. An AUP also satisfies explicit requirements in security frameworks such as SOC 2, ISO 27001, HIPAA, and PCI-DSS, all of which require documented controls over user access and system use. Cyber insurance underwriters increasingly review policies like this as part of the application process and may reduce premiums or deny coverage without one.
The policy should apply to every person who accesses company IT systems, including full-time employees, part-time staff, contractors, consultants, temporary workers, interns, and vendors with network access. Limiting scope to employees only is one of the most common gaps cited in security audits, since third parties with system access present the same data risk.
Employees do not need to physically sign the policy for it to be effective, but some form of documented acknowledgment β a wet signature, digital signature, or a logged click-through acceptance β is essential. Acknowledgment records are the primary evidence that an employee was aware of the rules, which is the foundational requirement in any disciplinary proceeding or legal claim stemming from a policy violation.
An annual review is the minimum standard recommended by most security frameworks. The policy should also be reviewed after any significant change to the technology environment β such as adopting a new cloud platform, enabling remote work, or experiencing a security incident. Outdated policies that do not address current tools and threats create audit findings and leave actual risks undocumented.
An employee code of conduct addresses broad workplace behavior β professionalism, conflicts of interest, harassment, and ethics. An IT acceptable use policy is specific to technology systems, covering device use, internet access, data handling, and cybersecurity rules. The two documents complement each other and should be consistent, but the AUP provides the technical detail that a general code of conduct cannot.
Yes, in most jurisdictions, employers may monitor activity on company-owned systems and networks, provided employees are given prior notice that monitoring occurs β which the AUP acknowledgment process fulfills. The scope and legal basis for monitoring vary by jurisdiction: GDPR in the EU and state laws in California impose additional requirements around notice, proportionality, and lawful basis. Consult a legal or privacy advisor before deploying monitoring tools.
Consequences should be proportionate to the severity of the violation and aligned with the company's existing disciplinary procedure. Minor first offenses typically warrant a verbal or written warning. Repeated violations, deliberate data misuse, or illegal activity may result in suspension, termination, or referral to law enforcement. Using tiered language β 'up to and including termination' β preserves managerial discretion while documenting that serious consequences are possible.
SOC 2 Type II audits examine whether a documented acceptable use policy exists and whether employees have acknowledged it. ISO 27001 Annex A control A.8.1.3 specifically requires a policy on acceptable use of information assets. HIPAA's Security Rule requires covered entities to implement policies governing workstation use and electronic media access. In each case, the absence of a documented, acknowledged policy is a finding that can affect certification status or audit outcomes.
An employee code of conduct governs broad workplace behavior including professionalism, ethics, and harassment. An IT acceptable use policy is narrower and more technical, covering only technology systems and data. Both documents should coexist and cross-reference each other β the AUP cannot replace a general code of conduct.
A data privacy policy (or privacy notice) explains to customers and users how their personal data is collected, used, and protected β it is an external-facing document. An IT acceptable use policy is an internal document governing how employees handle data. Regulated organizations need both, and the internal AUP should align with the commitments made in the external privacy policy.
A remote work policy governs where and how employees may work outside the office β covering ergonomics, availability expectations, and equipment stipends. An IT acceptable use policy governs what employees may do on company systems, regardless of location. For distributed teams, both documents are needed and should be consistent on VPN, device security, and data handling rules.
An incident response plan defines how the organization detects, contains, and recovers from a cybersecurity breach. An IT acceptable use policy is a preventive control that reduces the likelihood of incidents by setting rules for user behavior. The two documents are complementary β the AUP aims to prevent incidents; the incident response plan addresses what happens when prevention fails.
Covers use of development environments, code repositories, API keys, and AI coding assistants, with stricter rules on forwarding proprietary source code to personal accounts.
Addresses SEC and FINRA recordkeeping rules, prohibitions on personal trading using company systems, and encryption requirements for transmitting client financial data.
Incorporates HIPAA workstation use and device disposal requirements, prohibits forwarding protected health information to personal email, and mandates encryption for any PHI stored on endpoints.
Focuses on client confidentiality protections, restricts use of personal cloud storage for client documents, and addresses rules for using client-provided system credentials.
Extends coverage to student-facing systems and shared devices, addresses FERPA requirements for student data, and includes separate acceptable use provisions for minors where applicable.
Addresses PCI-DSS requirements for systems that process payment card data, restricts point-of-sale device use to authorized transactions, and prohibits storing cardholder data on endpoint devices.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-sized businesses establishing or formalizing IT rules for the first time | Free | 2β4 hours to customize and distribute |
| Template + professional review | Companies in regulated industries (healthcare, finance) or those preparing for a SOC 2 or ISO 27001 audit | $300β$800 for an IT security consultant or attorney review | 1β3 days |
| Custom drafted | Enterprise organizations with complex IT environments, multi-jurisdiction operations, or mandatory compliance programs | $1,500β$5,000+ for a full policy suite from a cybersecurity firm or law firm | 2β4 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
