Glossary

AUP (Acceptable Use Policy)

Updated on 1 min Reviewed by: Cenedril Editorial

An AUP (Acceptable Use Policy) defines the rules for permissible use of an organization’s IT resources — including internet access, email, software, mobile devices, and cloud services. It applies to all employees and often also to external parties.

ISO 27001 Annex A control A.5.10 (Acceptable Use of Information and Associated Assets) explicitly requires such a policy. The AUP is one of the foundational ISMS documents that must be in place for certification. Typical contents include permitted and prohibited use, private use of company hardware, handling of confidential information, incident reporting obligations, and consequences for violations. The AUP should be signed upon onboarding and reconfirmed regularly (e.g., annually).