
Acceptable Use Policy Template for Business IT


What Is an Acceptable Use Policy?

An acceptable use policy (AUP) is a formal document that defines how employees are permitted to use company IT resources — including computers, networks, email, internet access, software, and data. It sets clear boundaries, gives the business a documented basis for dealing with misuse, and supports compliance with UK GDPR and with standards and schemes such as Cyber Essentials and ISO 27001.

Every UK business that provides IT resources to staff should have an AUP in place. Without one, you have no documented basis for addressing misuse, and you may struggle to demonstrate compliance in an audit or legal dispute.

Why Your Business Needs an Acceptable Use Policy

  • Legal protection — Provides a documented framework for addressing misuse and potential disciplinary action
  • Compliance — Supports UK GDPR accountability obligations, Cyber Essentials, and ISO 27001, which expects a documented acceptable use policy (Annex A control 5.10 in the 2022 edition)
  • Security — Reduces the risk of malware, data breaches, and unauthorised access by setting clear expectations
  • Productivity — Discourages excessive personal use of business resources
  • Consistency — Ensures all employees are held to the same standard regardless of role or seniority

What to Include in Your AUP

A comprehensive AUP should cover the following areas:

1. Scope and Applicability

Clarify who the policy applies to (all employees, contractors, temporary staff, and visitors) and which resources it covers (company-owned devices, networks, cloud services, and personal devices used for work under a BYOD arrangement).

2. Acceptable Use

Define what is considered appropriate use of IT resources:

  • Business-related activities and tasks directly supporting the employee's role
  • Limited personal use during breaks, provided it does not interfere with work or violate other policy sections
  • Use of approved software and cloud services only

3. Prohibited Activities

Clearly state what is not permitted. Common prohibitions include:

  • Accessing, downloading, or distributing illegal, offensive, or inappropriate material
  • Installing unauthorised software or browser extensions
  • Sharing login credentials with colleagues or third parties
  • Connecting personal devices to the company network without approval
  • Attempting to bypass security controls, firewalls, or content filters
  • Sending unsolicited bulk emails or messages from company accounts
  • Using company resources for personal commercial activities
  • Storing company data on personal cloud storage without authorisation

4. Email and Communications

Set expectations for professional use of email and messaging platforms:

  • All email sent from company accounts represents the business
  • Confidential information should only be shared via approved, encrypted channels
  • Staff should be vigilant against phishing and report suspicious messages
  • The business reserves the right to monitor email and communications in line with UK law

5. Data Protection and Confidentiality

Link the AUP to your data protection obligations:

  • Employees must handle personal data in accordance with UK GDPR and the company's data protection policy
  • Sensitive data must not be stored on unencrypted devices or transferred via insecure methods such as personal email or unencrypted removable media
  • Data classification rules should be followed when handling, sharing, or disposing of information

6. Security Responsibilities

Outline each employee's security obligations:

  • Use a strong, unique password for every account and enable MFA wherever the service offers it
  • Lock devices when unattended
  • Report lost or stolen devices to IT immediately so they can be remotely locked or wiped
  • Install updates promptly and do not defer or disable the updates IT pushes to company devices
  • Complete mandatory security awareness training

7. Monitoring and Enforcement

Be transparent about the business's right to monitor IT usage:

  • State that the business may monitor network traffic, email, and device usage for security and compliance purposes, and describe the scope of that monitoring so staff have no false expectation of privacy
  • Reference the legal basis for monitoring under UK employment law, UK GDPR and the Data Protection Act 2018; monitoring must be proportionate to its purpose, and the ICO expects employers to tell staff about it in advance
  • Explain the disciplinary process for policy violations, up to and including termination

8. Acknowledgement

Include a section where the employee confirms they have read, understood, and agree to comply with the policy. This should be signed and dated.

Maintaining Your AUP

An AUP should not be a set-and-forget document. Review and update it at least annually — or whenever there are significant changes to your IT environment, regulatory requirements, or working practices (e.g., the introduction of remote working or BYOD). Record the version and review date on the document, and re-issue it for acknowledgement when it changes materially.

For guidance on broader IT compliance requirements including Cyber Essentials and ISO 27001, our detailed blog post covers what UK businesses need to know.

If you use managed IT support, your provider can help you draft, implement, and maintain your AUP alongside your other IT policies.
