Companies should require customers and staff to promise to abide by acceptable use of information systems and not to breach the Computer Misuse Act (CMA).
The guidelines do not ban the legitimate use of hacking tools and activities to emulate unauthorised access to computer systems and data.
The CPS said there is a "legitimate industry that generates 'articles' to test and/or audit hardware and software. Some articles will therefore have dual use, and prosecutors need to ascertain that the suspect has a criminal intent."
It asks prosecutors to consider, before deciding to prosecute, whether the victim had robust and up-to-date contracts, terms and conditions or acceptable-use policies; whether staff, customers and others were made aware of the CMA and of what was lawful; and whether they had to formally acknowledge their intention not to contravene the CMA.
To secure a prosecution, the CPS said the offender had to know that their access was unauthorised. "Mere recklessness is not sufficient. This covers not only hackers, but also employees who deliberately exceed their authority and access parts of a system officially denied to them," it said.
Penalties for unlawful access to systems and data or for distributed denial of service attacks include up to two years in jail and/or a fine, but making and using hacking tools with criminal intent attract 10 years and five years respectively.