IT & Acceptable Use Policy template
An IT and acceptable use policy is the written set of rules for how staff use {{org.name}}'s systems, devices, email, and internet access — what is allowed, what is banned, and what to do when something goes wrong. It is the document you reach for when an account is compromised, a laptop goes missing, or someone's use of company systems becomes a problem.
Most security incidents start with ordinary user behaviour: a reused password, a phishing link, work files copied to a personal account. A short, trained acceptable use policy is the cheapest security control a small business can deploy — and without one, disciplining misuse is an uphill argument.
This template gives you the full policy: acceptable and unacceptable use, password and device security, personal use and monitoring, and an incident reporting procedure.
Full text, ready to adapt.
Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.
IT & Acceptable Use Policy
Policy · Company Policies
1. Purpose and scope
This policy sets the rules for using {{org.name}}'s IT systems: computers, phones, email, internet access, software, and the cloud services we provide, including [list main systems]. It applies to all employees, contractors, and anyone else given access, whether working on site or remotely.
Its purpose is to protect our systems, our data, and the people whose personal information we hold — and to make sure nobody is disciplined for breaking a rule they were never told about.
2. Policy statement
{{org.name}} provides IT systems so people can do their jobs. We expect everyone to use them lawfully, securely, and professionally. Reasonable personal use is permitted within the limits below, but the systems remain company property and business needs come first.
Breaches are dealt with under the disciplinary policy and, where personal data is involved, under our data protection procedures.
3. Responsibilities
- Policy owner ([name/role]): keeps this policy current, approves exceptions in writing, and reviews incidents.
- IT lead ([name/role or provider]): manages accounts and access rights, applies security updates, and responds to reported incidents.
- Managers: confirm their team has read this policy, and request access changes when people join, change roles, or leave.
- All users: follow the rules, complete required training, and report anything suspicious without delay.
4. Acceptable use
- Work under your own named account — never use someone else's login, and never lend yours.
- Use only software and cloud services approved by [IT lead/role]; ask before installing anything new.
- Store work files in [approved location, e.g. the company drive], not on desktops, USB sticks, or personal cloud accounts.
- Lock your screen whenever you leave a device unattended, on site or at home.
- Keep business communication in company email and messaging so records stay in company systems.
5. Unacceptable use
- Sharing your password or credentials with anyone, including colleagues and managers.
- Accessing, storing, or sending material that is illegal, discriminatory, pornographic, or likely to harass or offend.
- Sending company or customer data to personal email accounts or personal storage.
- Attempting to access systems, records, or accounts you are not authorised to use — this can also be a criminal offence.
- Disabling security controls such as antivirus software, screen locks, or device encryption.
- Using company systems to run a personal business or for any other unlawful activity.
6. Passwords, devices and security basics
- Use a strong, unique password for every company account, and change it immediately if you suspect anyone else knows it.
- Turn on multi-factor authentication wherever [IT lead/role] has made it available.
- Treat unexpected messages asking for logins, payments, or urgent action as suspect — verify through a second channel before acting.
- Install security updates promptly; do not postpone them for more than [number] days.
- Report lost or stolen devices to [name/role] immediately, at any hour — speed limits the damage.
7. Personal use and monitoring
Reasonable personal use of email and the internet is allowed during breaks, provided it does not interfere with work, use significant resources, or involve anything listed as unacceptable use. Personal use is a privilege we can restrict for operational reasons.
{{org.name}} monitors its systems only to the extent needed for security, legal compliance, and operational management — currently [describe: spam filtering, web filtering logs, access logs]. We do not routinely read personal messages, and any targeted monitoring must be authorised by [senior role] and recorded. Full details are in our employee privacy notice; if what we monitor changes, we will tell you before the change takes effect.
8. Security incidents, records and review
Signed acknowledgments, training records, and the incident log are kept in [system/location]. This policy is reviewed [frequency, e.g. annually] and after any significant incident. Owner: [name/role]. Next review: [date].
- 1Report suspected incidents — a clicked phishing link, a lost device, an email to the wrong recipient, unusual account activity — to [name/role] immediately. Nobody will be criticised for reporting an honest mistake quickly.
- 2[Name/role] contains the incident: isolating devices, resetting credentials, and preserving evidence.
- 3If personal data is involved, follow the data breach response procedure — notifiable breaches must reach the ICO within 72 hours of awareness.
- 4Record the incident, its cause, and the fix in [log/system], and feed lessons back into training.
How to adapt this template.
List the systems people actually use before editing — the policy should name real tools, not generic categories.
Agree the monitoring paragraph with whoever runs your IT, and check it matches your employee privacy notice exactly.
Decide your position on personal use and state it plainly — vague tolerance is where disputes start.
Fill every [bracketed placeholder], and name a real person for incident reports with a deputy for absences.
Collect a signed or digital acknowledgment from every user — an unacknowledged IT policy is hard to enforce.
Reissue and retrain whenever you adopt a major new system; do not just re-send the document.
Turn this template into trained, proven behaviour
A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.
IT & Acceptable Use Policy template FAQs
Is an IT and acceptable use policy a legal requirement in the UK?
No single statute names it. But UK GDPR and the Data Protection Act 2018 require appropriate measures to protect the personal data on your systems, and a written, trained acceptable use policy is one of the most basic measures a regulator would expect to see. It also makes disciplinary action for misuse far more defensible.
Can we legally monitor employees' email and internet use?
Yes, within limits. Monitoring must have a clear business purpose, be proportionate to it, and be communicated to staff before it happens — covert monitoring is justifiable only in rare, documented circumstances. Set out what you monitor in this policy and your employee privacy notice, and check current ICO guidance on monitoring workers.
Should we allow personal use of work devices?
Most small businesses allow reasonable personal use, because a total ban is unenforceable and corrosive. What matters is defining the limits: when personal use is acceptable, what stays banned, and that monitoring still applies. The argument is never really about the browsing — it is about whether the rule was clear.
What should staff do if they click a phishing link?
Report it to the named contact immediately, even outside working hours, and never try to fix it quietly. Fast reporting is the biggest single factor in limiting damage, which is why this template promises staff they will not be criticised for reporting an honest mistake promptly.
How often should an acceptable use policy be reviewed?
At least annually, after any significant security incident, and whenever you adopt a major new system or way of working. A policy that still describes tools you retired two years ago teaches staff to ignore it.
Related templates
Social Media Policy
Free social media policy template for UK employers: personal use rules, talking about work online, business accounts, confidentiality, and breaches.
Bring Your Own Device (BYOD)
Free BYOD policy template for UK businesses: security rules for personal phones and laptops, privacy boundaries, remote wipe, and leaver steps.
Data Protection Policy
Free UK GDPR data protection policy template: the principles in practice, staff handling rules, responsibilities, rights requests, and breach routing.
Remote & Hybrid Working
Free remote and hybrid working policy template (UK): eligibility, availability rules, home workstation safety, data security, and equipment.