What should an acceptable use policy cover?

An AUP should cover: permitted and prohibited uses of company devices and systems, internet and email use rules, password and access control requirements, rules around personal use of company equipment, consequences of policy violations, and how the policy is enforced.

Does an AUP cover personal devices used for work?

It should if your employees use their own devices to access company systems or data (BYOD — bring your own device). Your AUP should define what is acceptable when accessing company systems from personal devices and what security requirements apply.

Acceptable Use Policy Template for UK Businesses

Q: What is an acceptable use policy?

An acceptable use policy (AUP) is a document that sets out the rules for how employees may use company IT systems, devices, internet access, and email. It protects the business from misuse, data breaches, and legal liability — and is required for Cyber Essentials certification.

Q: Is an acceptable use policy a legal requirement?

It is not directly required by a single piece of legislation, but it is required for Cyber Essentials certification and is strongly recommended by the NCSC. It also supports compliance with UK GDPR by documenting the measures you have in place to prevent unauthorised data access or disclosure.

An acceptable use policy sets the rules for how employees use company IT systems, devices, and internet access. It protects your business from misuse, data breaches, and legal liability — and is required for Cyber Essentials certification.

Get Acceptable Use Policy — £15 Get all 14 documents — £99

Instant PDF & Word download · 14-day money-back guarantee

What is an acceptable use policy?

An acceptable use policy (AUP) is a document that defines how employees are permitted to use company IT systems, devices, networks, email, and internet access. It sets clear boundaries between acceptable and unacceptable use, and sets out the consequences of policy violations.

Without an AUP, employees have no clear guidance on what is and isn't allowed — which creates legal and security risk. If an employee uses company equipment to access inappropriate content, leak confidential data, or install unauthorised software, your business could face significant legal and reputational consequences.

What your acceptable use policy should cover

Permitted and prohibited uses of company devices, systems, and networks
Internet and email use — acceptable purposes and prohibited activities
Password requirements and access control
Rules around personal use of company equipment
BYOD (bring your own device) rules if applicable
Social media use on company time or devices
Data handling and confidentiality obligations
Monitoring of device and system use
Consequences of policy violations and disciplinary procedures

Get your acceptable use policy today

£15

Acceptable Use Policy only

Single document

Get this document

£69

10 docs incl. Privacy Policy & breach procedure

Professional plan

Get all 10 documents

£99

All 14 compliance documents

Complete plan

Get all 14 documents

Common questions about acceptable use policies

What is an acceptable use policy?

An AUP sets out the rules for how employees may use company IT systems, devices, internet access, and email. It protects the business from misuse, data breaches, and legal liability — and is required for Cyber Essentials certification.

Is an AUP a legal requirement?

It is required for Cyber Essentials certification and strongly recommended by the NCSC. It also supports UK GDPR compliance by documenting controls against unauthorised data access. Without one, you have no documented basis for disciplinary action if employees misuse systems.

What should an AUP cover?

Permitted and prohibited uses of company devices and systems, internet and email rules, password requirements, personal use rules, BYOD rules, data handling obligations, system monitoring, and the consequences of policy violations.

Does it cover personal devices used for work?

It should if employees use personal devices to access company systems or data. Your AUP should define what is acceptable for BYOD access and what security requirements — such as encryption or MDM — apply to personal devices used for work.

All 14 UK compliance documents

Privacy Policy Data Protection Policy Data Retention Policy Health & Safety Policy Risk Assessment Employee Privacy Notice Cookie Policy CCTV Policy Data Breach Procedure SAR Procedure Acceptable Use Policy Social Media Policy Fire Safety Policy Lone Worker Policy