Develop and Enforce a System Usage Policy
Create and regularly update a policy that dictates how systems should be used within the organisation.
Plain language
Creating and enforcing a system usage policy means setting clear rules about how people in your organisation can use computers and other devices. This matters because without clear guidelines, employees might use systems in ways that lead to security breaches, data loss, or even legal trouble for the organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Topic
System Usage Policy
Official control statement
A system usage policy is developed, implemented and maintained.
Why it matters
Without a system usage policy, users may misuse systems (e.g., unauthorised software or data handling), increasing breach risk and legal exposure.
Operational notes
Assign policy ownership; publish to all users; require onboarding and annual acknowledgement; review at least annually and after major system or threat changes.
Implementation tips
- The IT manager should draft the system usage policy outlining acceptable and unacceptable uses of company systems. They should collaborate with department heads to understand specific needs and address them in the policy.
- The HR department should integrate the system usage policy into employee onboarding. New employees should be briefed on the policy and asked to sign a document confirming their understanding and agreement.
- Managers should hold regular training sessions to refresh employees' knowledge about the policy. This can be done through short presentations and Q&A sessions where common misuse scenarios are discussed.
- The compliance officer should schedule an annual review of the system usage policy. This involves checking whether the policy still aligns with current business operations and technological advancements.
- IT staff should monitor system usage to detect violations of the policy. This can be achieved by implementing and reviewing basic system logs or using monitoring software to flag potential misuse.
Audit / evidence tips
- Ask: the current system usage policy document. Good: a recently reviewed policy signed off by a senior manager.
- Ask: records of employee acknowledgments of the system usage policy. Good: a complete set of acknowledgments from current employees.
- Good: includes regular training sessions with comprehensive materials provided to all staff.
- Good: includes evidence of regular monitoring and follow-up actions on detected issues.
- Ask: the schedule or documentation of policy reviews. Good: shows consistent, periodic reviews with updates reflecting changes in technology or business processes.
Cross-framework mappings
How ISM-1864 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.1 | ISM-1864 requires a specific topic-level policy for system usage to be developed, implemented, and maintained | |
| Supports (4) | | |
| Annex A 5.4 | ISM-1864 requires the organisation to establish and maintain a system usage policy | |
| Annex A 5.36 | ISM-1864 requires a system usage policy to be developed, implemented, and maintained | |
| Annex A 6.3 | ISM-1864 requires a system usage policy to be created and maintained to define expected system use | |
| Annex A 6.4 | Annex A 6.4 requires a formalised and communicated disciplinary process for handling information security policy violations | |
| Related (1) | | |
| Annex A 5.10 | ISM-1864 requires the organisation to develop, implement, and maintain a system usage policy governing how systems are used | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.