ISMS-FORM-A07-4 Acceptable Use Policy

Page 1

Acceptable Use Policy

ISO/IEC 27001 Toolkit: Version 10 ©CertiKit


Acceptable Use Policy [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out the responsibilities of the employee for the use of information and of assets associated with information and information processing facilities, and asks them to sign to say that they understand them.

Areas of the standard addressed

The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:

• A.5 Information security policies
  o A.5.1 Management direction for information security
    ▪ A.5.1.1 Policies for information security
• A.7 Human resources security
  o A.7.2 During employment
    ▪ A.7.2.1 Management responsibilities
• A.8 Asset management
  o A.8.1 Responsibility for assets
    ▪ A.8.1.3 Acceptable use of assets
• A.9 Access control
  o A.9.3 User responsibilities
    ▪ A.9.3.1 Use of secret authentication information
• A.11 Physical and environmental security
  o A.11.2 Equipment
    ▪ A.11.2.8 Unattended user equipment
• A.16 Information security incident management
  o A.16.1 Management of information security incidents and improvements
    ▪ A.16.1.3 Reporting information security weaknesses

General guidance

This is effectively a summary of several other documents, the key aspect being that this document requires a signature. In many organizations the signed acceptable use policy is required before access to IT systems is granted, and the forms are kept in case of any later disputes. Remember that if you change any of the supporting policies then this document may need to be updated.

Version 1

Page 2 of 10

[Insert date]

Review frequency

We would recommend that this document is reviewed annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. The Completion Instructions also contain guidance on working with the toolkit documents on an Apple Mac and in Google Docs/Sheets.


Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only, from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Acceptable Use Policy

Version 1

DOCUMENT CLASSIFICATION: [Insert classification]

DOCUMENT REF: ISMS-FORM-A07-4

VERSION: 1

DATED: [Insert date]

DOCUMENT AUTHOR: [Insert name]

DOCUMENT OWNER: [Insert name/role]


Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction .............................................................................................................. 8

2 Acceptable Use Policy ............................................................................................... 9

1 Introduction

[Organization Name] takes the subject of information security very seriously. We have a duty to protect the information that we collect and use for the benefit of the organization and its customers. As an employee, you will be expected to comply fully with all of the information security policies that are in place and to report any breaches of these policies of which you may become aware.

This document gives a summary of the main points of the relevant policies and asks you to sign to say that you have read it and understand its provisions.

Anyone breaching information security policy may be subject to disciplinary action. If a criminal offence has been committed, further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, please seek advice from your immediate manager in the first instance.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Information Security Policy
• Electronic Messaging Policy
• Internet Acceptable Use Policy
• Mobile Device Policy
• Teleworking Policy
• Privacy and Personal Data Protection Policy
• Cloud Computing Policy
• Asset Handling Procedure
• Software Policy
• Access Control Policy
• Anti-Malware Policy
• Information Security Incident Response Procedure
• IP and Copyright Compliance Policy
• Social Media Policy
• HR Security Policy
• Asset Management Policy


2 Acceptable Use Policy

Please ensure you have read the following summary of the main points of the organization’s policies regarding information security.

1. I acknowledge that my use of [Organization Name] computer and communications systems may be monitored and/or recorded for lawful purposes.
2. I accept that I am responsible for the use and protection of the user credentials with which I am provided (user account and password, access token or other items I may be provided with).
3. I will not use anyone else’s user account and password to access company systems.
4. I will not attempt to access any computer system to which I have not been given access.
5. I will protect any classified material sent, received, stored or processed by me according to the level of classification assigned to it, including both electronic and paper copies.
6. I will ensure that I label any classified material that I create appropriately according to published guidelines so that it remains appropriately protected.
7. I will not send classified information over the Internet via email or other methods unless appropriate methods (e.g. encryption) have been used to protect it from unauthorised access.
8. I will always ensure that I enter the correct recipient email address(es) so that classified information is not compromised.
9. I will ensure I am not overlooked by unauthorised people when working and will take appropriate care when printing classified information.
10. I will securely store classified printed material and ensure it is correctly destroyed when no longer needed.
11. I will not leave my computer unattended such that unauthorised access can be gained to information via my account while I am away.
12. I will make myself familiar with the organization’s security policies and procedures and any special instructions relating to my work.
13. I will inform my manager immediately if I detect, suspect or witness an incident that may be a breach of security, or if I observe any suspected information security weaknesses in systems or services.
14. I will not attempt to bypass or subvert system security controls or to use them for any purpose other than that intended.
15. I will not remove equipment or information from the organization’s premises without appropriate approval.
16. I will take precautions to protect all computer media and mobile devices when carrying them outside my organization’s premises (for example, not leaving a laptop unattended or on display in a car, where it would encourage an opportunist theft).
17. I will not introduce viruses or other malware into the system or network.
18. I will not attempt to disable anti-virus protection provided at my computer.
19. I will comply with the legal, statutory or contractual obligations that the organization informs me are relevant to my role.
20. On leaving the organization, I will inform my manager prior to departure of any important information held in my account.

Declaration

I have read the information security policy summary above and agree to comply with its contents and those of any other relevant policies of which the organization may make me aware.

Name of User:

Signature of User:

Date:

A copy of this statement should be retained by the User and [Organization Name].
