Acceptable Use Policy Template for the CIS Controls

The CIS Critical Security Controls® (CIS Controls®) recommend several policies that an enterprise should have in place as foundational elements of its cybersecurity program. The CIS Controls Information Security Policy Working Group worked to develop policies to support the CIS Controls. Once the initial scope of the Working Group was completed, the Working Group recommended that an Acceptable Use Policy template also be created. This policy template exists outside the typical topics covered within the CIS Controls, since the CIS Controls do not address acceptable use. If desired, enterprises are encouraged to use this policy template in whole or in part. The specific content of an Acceptable Use Policy varies widely. With that said, it’s often considered best practice to include what a user is permitted to do with enterprise data, how enterprise assets can be used, and how enterprise data can be transmitted to other parties.

This policy template is meant to supplement the CIS Controls v8. The policy statements included within this document can be used by all CIS Implementation Groups (IGs) but are specifically geared towards Safeguards in Implementation Group 1 (IG1).
