An acceptable use policy is a written document that sets out how staff may and may not use an organisation's IT - its computers, devices, internet, email and data. It makes expectations clear, helps protect the business legally and from security risks, and gives a fair, consistent basis for dealing with misuse.
What an acceptable use policy is
An acceptable use policy, usually shortened to AUP, is a short, practical document that tells staff what they can and can't do with the technology the business provides. It covers the basics: use the internet for work, don't install unauthorised software, don't share your password, treat company data carefully. That's it. It doesn't need to be long to be useful.
It's one of the most straightforward IT policies a business can put in place, and one of the most valuable. Many businesses discover they need it only after something goes wrong - when a member of staff has misused a system and the business realises it never actually told anyone what was and wasn't acceptable. An AUP removes that ambiguity.
The AUP sits at the practical end of IT governance. Governance is the framework of policies, controls and decisions that keeps technology working safely in a business's interests. The AUP translates that framework into a set of clear, everyday rules that every member of staff - technical or not - can understand and follow.
What an AUP usually covers
There's no single required format, but most acceptable use policies cover the following areas:
- Company devices and equipment: what devices belong to the business, how they should be looked after and what happens if one is lost or stolen.
- Internet and web use: acceptable purposes for internet access at work, and categories of content that are always off-limits (for example, anything illegal or discriminatory).
- Email and messaging: professional standards for business communication, and rules about sending sensitive data by email.
- Passwords and access: basic requirements - don't share credentials, use strong passwords, lock your screen when you step away.
- Personal use: whether staff may use work devices or systems for personal purposes, and to what extent.
- Social media: what staff may say publicly about the business, clients or colleagues, and from which accounts.
- Software installation: whether staff may install software themselves, and if so, what kind.
- Data handling: how company and personal data should be stored, shared and disposed of.
- Monitoring: what activity the business may monitor (email, internet use, device activity) and why. This is an area where UK law matters directly: the ICO's guidance on monitoring at work makes clear that employers must have a lawful basis for monitoring, carry out a data protection impact assessment and tell staff what's being monitored before it starts.
- Consequences of a breach: what happens if someone breaks the rules - up to and including disciplinary action or dismissal.
That might look like a long list, but in practice each point needs only a sentence or two. A well-written AUP for a small business can comfortably sit on two pages.
Why every business needs one
The most immediate reason is risk. Staff who don't know the rules can't be expected to follow them, and when something goes wrong - a data breach, a misuse incident, a complaint - the absence of a policy makes the business's position much weaker. An AUP doesn't prevent every incident, but it reduces the likelihood and strengthens the business's response when one does occur. For a fuller picture of where an AUP fits within your overall IT risk management approach, our entry on that subject is worth reading alongside this one.
There's also a legal and compliance dimension. The NCSC's 10 Steps to Cyber Security specifically identifies user education and awareness - of which a clear AUP is a cornerstone - as one of the most important things a business can do to reduce cyber risk.
Cyber Essentials certification, ISO 27001 and most cyber insurance policies all expect evidence that staff have been told what is and isn't acceptable. Without an AUP, achieving or maintaining those standards is harder than it needs to be. Our entry on Cyber Essentials vs ISO 27001 explains the difference between those two frameworks and what each asks of a business.
And it's fair to staff as well as to the business. People deserve to know the rules they're working under. An AUP that's clear, proportionate and written in plain English isn't a heavy-handed control document - it's a reasonable statement of mutual expectations.
How to make it work
The most common mistake businesses make with an AUP is writing one and then doing nothing with it. A policy that lives in a shared drive no one visits is worth very little.
Keep it short and in plain English. If staff have to wade through dense legalese to find out whether they can check their personal email at lunch, they won't read it. Aim for something a new starter can read and understand in ten minutes.
Get a signed or digital acknowledgement from every member of staff. This doesn't have to be a separate form - it can be part of the onboarding process - but the record matters if you ever need to refer back to it.
Cover it at induction. A policy is much more likely to influence behaviour if it's explained in person, with a chance to ask questions, than if it's simply emailed as an attachment.
Review it regularly. Technology changes quickly, and an AUP written three years ago may say nothing about cloud storage, remote working or AI tools. The rapid spread of generative AI at work is something many businesses are now addressing through a dedicated AI policy - our AI governance guide for UK SMEs covers the specific questions AI raises and how to approach them.
An annual review, plus a review whenever there's a significant change in how the business uses technology, is a reasonable baseline. It doesn't always mean a full rewrite - sometimes it's just a check that nothing important has been missed.
Practical IT policies that actually get used
Getting an AUP written is straightforward; making sure it's proportionate, legally sound and embedded into how staff actually work is where most businesses need a hand. Our technology governance service helps growing businesses put practical, plain-English IT policies in place - including an AUP that staff will read and follow.