ISMS-FORM-A07-4 Acceptable Use Policy


Acceptable Use Policy [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out the responsibilities of the employee for the use of information and of assets associated with information and information processing facilities and asks them to sign to say that they understand them.

Areas of the standard addressed

The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:

• A.5 Information security policies
  o A.5.1 Management direction for information security
    ▪ A.5.1.1 Policies for information security
• A.7 Human resources security
  o A.7.2 During employment
    ▪ A.7.2.1 Management responsibilities
• A.8 Asset management
  o A.8.1 Responsibility for assets
    ▪ A.8.1.3 Acceptable use of assets
• A.9 Access control
  o A.9.3 User responsibilities
    ▪ A.9.3.1 Use of secret authentication information
• A.11 Physical and environmental security
  o A.11.2 Equipment
    ▪ A.11.2.8 Unattended user equipment
• A.16 Information security incident management
  o A.16.1 Management of information security incidents and improvements
    ▪ A.16.1.3 Reporting information security weaknesses

General guidance

This is effectively a summary of several other documents, the key aspect being that this document requires a signature. In many organizations the signed acceptable use policy is required before access to IT systems is granted and the forms are kept in case of any later disputes.

Version 1


[Insert date]

