Develop and Maintain an Email Usage Policy
Create and uphold a policy to guide the use of email communications.
Plain language
An email usage policy acts as a guide for how emails should be used within an organisation. It's important because without clear rules, people might misuse emails in ways that could lead to security risks, like sharing private information accidentally or falling for scams.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
An email usage policy is developed, implemented and maintained.
Why it matters
Without a clear email usage policy, unintentional data leaks and phishing attacks can increase, compromising organisational security.
Operational notes
Regularly review, update, and re-issue the email usage policy, including phishing reporting, attachments, and sensitive data handling.
Implementation tips
- The office manager should draft a simple email usage policy: Start by listing acceptable and unacceptable email practices such as avoiding the use of personal email accounts for work purposes, and not clicking on suspicious links. Ensure the policy is written in plain language that all staff can understand.
- HR should organise training sessions for all employees: Explain the policy, why it's important, and give examples of how to spot and handle suspicious emails. This can be a part of a routine quarterly meeting or a mandatory online module.
- The IT team should set up automatic email filters: Configure your email system to flag or block emails with suspicious attachments or links. This helps prevent harmful emails from reaching employees, complementing the guidance in the usage policy.
- Managers should lead by example in email communication: They should follow the policy guidelines and demonstrate appropriate email behaviour, such as using work email for work purposes and respecting confidentiality.
- Regularly review and update the policy: The policy should be reviewed annually or after any major email security incident. This ensures it remains relevant and effective in addressing current email threats.
Audit / evidence tips
- Ask for the latest email usage policy document: check if the document is up-to-date and accessible to all employees.
  Good evidence: a clear and comprehensive document with a recent revision date.
- Ask them about key points in the email usage policy and what actions they would take upon receiving a suspicious email.
  Good evidence: an employee clearly describing the policy and demonstrating awareness.
- Good evidence: incidents being promptly managed according to policy with learning points shared across the team.
- Good evidence: active engagement from participants and clarity in delivery.
- Good evidence: regular updates with records of changes and justifications.
Cross-framework mappings
How ISM-0264 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.1 | Annex A 5.1 requires topic-specific policies to be defined, approved, communicated and reviewed to govern secure behaviour | |
| Annex A 5.4 | Annex A 5.4 requires managers to ensure personnel apply information security according to established policies and procedures | |
| Supports (1) | | |
| Annex A 5.36 | ISM-0264 requires an organisation to maintain an email usage policy, implying it should remain effective and relevant over time | |
| Related (1) | | |
| Annex A 5.10 | Annex A 5.10 requires organisations to document and implement rules for acceptable use and handling of information and assets | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.