ISM-1864 ASD Information Security Manual (ISM)

Develop and Enforce a System Usage Policy

Create and regularly update a policy that dictates how systems should be used within the organisation.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
A system usage policy is developed, implemented and maintained.

Source: ASD Information Security Manual (ISM)

Plain language

Creating and enforcing a system usage policy means setting clear rules about how people in your organisation can use computers and other devices. This matters because without clear guidelines, employees might use systems in ways that lead to security breaches, data loss, or even legal trouble for the organisation.

Why it matters

Without a system usage policy, users may misuse systems (e.g., unauthorised software or data handling), increasing breach risk and legal exposure.

Operational notes

Assign policy ownership; publish to all users; require onboarding and annual acknowledgement; review at least annually and after major system or threat changes.

Implementation tips

  • The IT manager should draft the system usage policy outlining acceptable and unacceptable uses of company systems. They should collaborate with department heads to understand specific needs and address them in the policy.
  • The HR department should integrate the system usage policy into employee onboarding. New employees should be briefed on the policy and asked to sign a document confirming their understanding and agreement.
  • Managers should hold regular training sessions to refresh employees' knowledge about the policy. This can be done through short presentations and Q&A sessions where common misuse scenarios are discussed.
  • The compliance officer should schedule an annual review of the system usage policy. This involves checking whether the policy still aligns with current business operations and technological advancements.
  • IT staff should monitor system usage to detect violations of the policy. This can be achieved by implementing and reviewing basic system logs or using monitoring software to flag potential misuse.

Audit / evidence tips

  • Ask for: the current system usage policy document

    Good: a recently reviewed policy signed off by a senior manager

  • Ask for: records of employee acknowledgments of the system usage policy

    Good: a complete set of acknowledgments from current employees

  • Good: includes regular training sessions with comprehensive materials provided to all staff

  • Good: includes evidence of regular monitoring and follow-up actions on detected issues

  • Ask for: the schedule or documentation of policy reviews

    Good: shows consistent, periodic reviews with updates reflecting changes in technology or business processes

Cross-framework mappings

How ISM-1864 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 5.1: ISM-1864 requires a specific topic-level policy for system usage to be developed, implemented, and maintained

Supports (3)

  • Annex A 5.4: ISM-1864 requires the organisation to establish and maintain a system usage policy
  • Annex A 5.36: ISM-1864 requires a system usage policy to be developed, implemented, and maintained
  • Annex A 6.3: ISM-1864 requires a system usage policy to be created and maintained to define expected system use

Related (1)

  • Annex A 5.10: ISM-1864 requires the organisation to develop, implement, and maintain a system usage policy governing how systems are used
