Acceptable Use Policy (AUP)
An AUP defines the rules for using an organization's IT resources, outlining permitted and prohibited activities.
An Acceptable Use Policy sets expectations for how employees and users should use company technology resources.
Typical AUP coverage:
- Personal use of company devices
- Internet and email use
- Social media guidelines
- Software installation rules
- Data handling requirements
- Remote work policies
- BYOD (Bring Your Own Device) rules
Key policy elements:
- Clear, understandable language
- Specific prohibited activities
- Monitoring disclosure
- Consequences for violations
- Acknowledgment requirement
AUP supports:
- Legal protection for the organization
- Setting clear employee expectations
- Compliance framework requirements
- Incident response (policy violations)
Why It Matters
An AUP is one of the first policies auditors check during SOC 2 and ISO 27001 assessments. Without a clear, acknowledged AUP, organizations lack the legal foundation to enforce security requirements, take disciplinary action for violations, or defend against liability claims. It also sets the cultural tone for security awareness across the organization.
Related Terms
Security policies are formal documents that define an organization's rules and guidelines for protecting information assets.
Security awareness training educates employees about cybersecurity threats, safe practices, and their role in protecting organizational assets.
BYOD (Bring Your Own Device) is a policy allowing employees to use personal devices for work, requiring specific security controls.
Frequently Asked Questions
Can I monitor employee activity?
Generally yes if disclosed in your AUP. Laws vary by jurisdiction. Always consult legal counsel on monitoring practices.
How often should an AUP be updated?
At least annually, and whenever there are significant technology or policy changes (e.g., new AI tools, remote work policies).