ISM-0258 - ASD Information Security Manual (ISM)

Establish and Maintain a Web Usage Policy

Develop and maintain a policy to manage how the web is used and accessed.

Plain language

A web usage policy is about setting clear rules for how employees can use the internet at work. This is important because without guidelines, people might visit unsafe websites, leading to potential security threats like viruses or data breaches, which can harm the business and its reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A web usage policy is developed, implemented and maintained.

Why it matters

Without a web usage policy, staff may visit unsafe sites, increasing malware, credential theft and data leakage risk, and causing reputational damage.

Operational notes

Review the web usage policy at least annually and after major incidents; brief staff on acceptable browsing and prohibited sites, and align it to current web threats.

Implementation tips

  • The business owner should draft a basic web usage policy outlining acceptable internet behaviour at work. Start by listing sites and activities that are beneficial for work and those that pose risks, like downloading pirated software.
  • Have the HR manager introduce the web usage policy to all staff. Hold a short training session to explain the policy's importance and answer any questions employees might have.
  • IT personnel should configure web filters to block access to inappropriate or dangerous websites. Use software that automatically prevents access to these sites and monitor activity to ensure compliance.
  • Managers should periodically review the web usage reports provided by IT to check that employees are adhering to the policy, and discuss any issues with the staff members involved.
  • Regularly update the policy to adapt to new risks and technologies. The policy should be reviewed annually by the business owner in consultation with IT to reflect changes in the internet landscape.

Audit / evidence tips

  • Ask: The written web usage policy document. Good: Will be a comprehensive document with clear rules and consequences for misconduct
  • Good: Result means the software is active and regularly updated to block new threats
  • Good: Is when employees know the main do's and don'ts without ambiguity
  • Good: Is the creation of regular and insightful reports highlighting adherence or violations
  • Good: Outcome is clear documentation of actions taken and resolved incidents

Cross-framework mappings

How ISM-0258 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 5.15: ISM-0258 requires organisations to develop, implement and maintain a web usage policy governing web access and use
Supports (1)
  • Annex A 8.23: Annex A 8.23 requires organisations to manage access to external websites to reduce exposure to malicious content
Related (1)
  • Annex A 5.10: Annex A 5.10 requires organisations to identify, document and implement rules for acceptable use and handling of information and associat...

E8

Supports (2)
  • E8-RA-ML1.3: ISM-0258 requires organisations to define and maintain rules for how web access is used, including who may access web services and under ...
  • E8-RA-ML1.4: ISM-0258 requires organisations to establish and maintain a web usage policy defining acceptable access and use of web services

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.