Prevent Sensitive Data in Messaging Services
Do not send sensitive information using paging or messaging apps.
Plain language
This control is about making sure that sensitive or classified information is not shared through messaging apps or services, like text messaging or WhatsApp. This matters because if sensitive data falls into the wrong hands, it can lead to privacy breaches, financial loss, or damage to your organisation’s reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Official control statement
Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.
Why it matters
SMS, MMS and paging carry message content without end-to-end protection, so anything sent over them is readable by the carrier, by any device that receives the message and by anyone who intercepts it in transit. Consumer messaging apps may encrypt traffic, but the message then lives in backups, linked devices and accounts the organisation does not control. Either way, sensitive or classified data sent this way can be exposed, causing breaches, financial loss and reputational damage.
Operational notes
Train staff not to send sensitive or classified data via SMS/MMS/paging or messaging apps; provide approved secure channels and regularly reinforce this rule.
Implementation tips
- Office managers should identify which messaging apps are used within the organisation and ensure everyone knows not to send sensitive information via these apps. They can do this by sending an email notice or holding a brief meeting explaining the importance of this rule.
- The IT team should use data loss prevention tooling to detect and block sensitive data leaving through messaging apps, for example by alerting on protective markings or sensitive keywords in outgoing messages. Because many messaging apps encrypt traffic end to end, network-level filters will usually not see message content; enforce the rule on managed devices (MDM or endpoint DLP) or block the unapproved apps outright.
- HR should update the employee handbook to include guidelines on what constitutes sensitive information and how it should be communicated. This document should clearly state that sensitive data should not be sent via messaging services and should offer alternative methods like secure emails or business-grade collaboration tools.
- Training coordinators should organise a periodic training session for employees explaining why these restrictions are important, using real-world examples of data breaches caused by mishandling sensitive information via consumer messaging apps.
- Procurement staff should ensure that any new communication tools brought into the organisation meet security standards for handling sensitive data, meaning they should include features like end-to-end encryption and data leakage prevention.
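The alerting described in the implementation tips, shown as a small rule set in Python. This is an added example, not code from the ISM or from the page's author: it assumes a DLP or MDM agent that hands over each outbound message as a dict with `channel`, `sender` and `text` fields, and the channel labels, content patterns and sample messages are constructed for illustration. It goes slightly beyond a keyword match: protective markings are matched case-sensitively as whole tokens, and candidate card numbers are Luhn-checked so order numbers do not flood the review queue.

```python
"""Content-inspection rules for outbound messages on the channels ISM-0240 covers.

Added example (not the ISM's or the page's own code). Assumes a DLP/MDM feed
that delivers each outbound message as {'channel', 'sender', 'text'}; the
channel labels, CONTENT_PATTERNS and SAMPLE_EVENTS are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Protective markings of the Australian classification scheme (the P, S and TS
# on this control's card, plus OFFICIAL: Sensitive). Longest first, so
# "TOP SECRET" is reported as such rather than as "SECRET".
PROTECTIVE_MARKINGS = ("TOP SECRET", "SECRET", "PROTECTED",
                       "OFFICIAL: Sensitive", "OFFICIAL:Sensitive")

# Hypothetical content rules for data that is sensitive even without a marking.
CONTENT_PATTERNS = {
    "credential": re.compile(r"\b(?:password|passcode|pin)\s*[:=]\s*\S+", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Channels named in the control statement. Approved channels (secure email,
# collaboration tools) are out of scope for this rule set.
COVERED_CHANNELS = {"sms", "mms", "paging", "messaging_app"}


@dataclass(frozen=True)
class Finding:
    channel: str
    sender: str
    reason: str    # which rule fired
    evidence: str  # matched fragment, for the reviewer's triage queue


def find_marking(text: str) -> Optional[str]:
    """Return the first protective marking present as a whole, case-sensitive
    token, so 'secret santa' in a social message does not raise an alert."""
    for marking in PROTECTIVE_MARKINGS:
        if re.search(r"(?<![A-Za-z])" + re.escape(marking) + r"(?![A-Za-z])", text):
            return marking
    return None


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used so that order or phone numbers that merely look like
    card numbers are not reported."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_message(event: dict) -> list:
    """Apply the rules to one outbound message and return its findings."""
    if event["channel"] not in COVERED_CHANNELS:
        return []
    text = event["text"]
    findings = []
    marking = find_marking(text)
    if marking:
        findings.append(Finding(event["channel"], event["sender"],
                                "protective_marking", marking))
    for name, pattern in CONTENT_PATTERNS.items():
        for m in pattern.finditer(text):
            fragment = m.group(0).strip()
            if name == "card_number" and not luhn_valid(re.sub(r"\D", "", fragment)):
                continue  # digit run that fails Luhn: not a card number
            findings.append(Finding(event["channel"], event["sender"], name, fragment))
    return findings


# Constructed sample feed: what an MDM/DLP agent might hand over for review.
SAMPLE_EVENTS = [
    {"channel": "sms", "sender": "alice", "text": "Reminder: team meeting at 3pm"},
    {"channel": "messaging_app", "sender": "bob",
     "text": "PROTECTED - draft brief attached, please review tonight"},
    {"channel": "mms", "sender": "carol",
     "text": "Card for the booking 4111 1111 1111 1111 exp 09/27"},
    {"channel": "sms", "sender": "dave", "text": "The secret santa draw is on Friday"},
    {"channel": "sms", "sender": "erin", "text": "Order ref 1234 5678 9012 3456 is shipped"},
    {"channel": "paging", "sender": "frank", "text": "VPN password: Summer2026!"},
    {"channel": "secure_email", "sender": "grace", "text": "SECRET - see attached"},
]


def scan_feed(events: list) -> list:
    """Run every message through the rules; the result is the alert queue that
    the audit tips ask to see evidence of."""
    return [f for e in events for f in scan_message(e)]


if __name__ == "__main__":
    for f in scan_feed(SAMPLE_EVENTS):
        print(f"ALERT {f.channel:<13} {f.sender:<6} {f.reason:<18} {f.evidence!r}")
```

Run against the sample feed, only bob (marking), carol (Luhn-valid card number) and frank (credential) produce alerts; dave's lowercase "secret", erin's order reference and grace's message on an approved channel do not. Keep the rules on the endpoint or MDM side: an end-to-end-encrypted messaging app gives a network sensor nothing to scan.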
Audit / evidence tips
- Ask: for the employee handbook; request to see the sections outlining communication policies.
  Good: it clearly lists the messaging services not to use, with reasons why.
- Ask: for the content used in staff training sessions on secure data handling.
  Good: it includes interactive content like quizzes or real-world examples.
- Ask: staff to explain how they handle sensitive information and where they would go to find the organisation's communication policy.
  Good: they can identify the correct channels and know the risks of using messaging apps.
- Ask: to see any recorded instances of attempted transmission of sensitive data through messaging apps.
  Good: there is evidence that alerts are generated and reviewed.
- Good: adherence to the policy as demonstrated through secure systems.
Cross-framework mappings
How ISM-0240 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.10 | ISM-0240 requires that paging, MMS, SMS and messaging apps are not used to communicate sensitive or classified data |
| Supports | Annex A 5.12 | ISM-0240 prohibits communicating sensitive or classified data via paging and messaging services |
| Supports | Annex A 5.13 | ISM-0240 requires organisations to prevent staff from using SMS/MMS/paging/messaging apps to transmit sensitive or classified data |
| Supports | Annex A 5.14 | Annex A 5.14 requires organisations to establish rules and procedures that control how information is transferred, including selecting ap... |
| Related | Annex A 8.12 | Annex A 8.12 requires organisations to apply data leakage prevention measures wherever sensitive information is processed, stored, or tra... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.