Prevent Sensitive Data in Messaging Services
Do not send sensitive information using paging or messaging apps.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2021
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that sensitive or classified information is not shared through messaging apps or services, like text messaging or WhatsApp. This matters because if sensitive data falls into the wrong hands, it can lead to privacy breaches, financial loss, or damage to your organisation’s reputation.
Why it matters
If sensitive or classified data is sent via SMS/MMS/paging or messaging apps, it may be intercepted, causing breaches, financial loss and reputational damage.
Operational notes
Train staff not to send sensitive or classified data via SMS/MMS/paging or messaging apps; provide approved secure channels and regularly reinforce this rule.
Implementation tips
- Office managers should identify which messaging apps are used within the organisation and ensure everyone knows not to send sensitive information via these apps. They can do this by sending an email notice or holding a brief meeting explaining the importance of this rule.
- The IT team should set up network filters to block the exchange of sensitive data through messaging apps. This can be done by using data loss prevention tools that trigger alerts if sensitive keywords are detected in outgoing messages.
- HR should update the employee handbook to include guidelines on what constitutes sensitive information and how it should be communicated. This document should clearly state that sensitive data should not be sent via messaging services and should offer alternative methods like secure emails or business-grade collaboration tools.
- Training coordinators should organise a periodic training session for employees explaining why these restrictions are important, using real-world examples of data breaches caused by mishandling sensitive information via consumer messaging apps.
- Procurement staff should ensure that any new communication tools brought into the organisation meet security standards for handling sensitive data, meaning they should include features like end-to-end encryption and data leakage prevention.
Audit / evidence tips
- Ask: Request to see the sections of the employee handbook outlining communication policies.
  Good: It clearly lists the messaging services not to use, with reasons why.
- Ask: Request the content used in staff training sessions on secure data handling.
  Good: It includes interactive content like quizzes or real-world examples.
- Ask: Ask them to explain how they handle sensitive information and where they would go to find the organisation's communication policy.
  Good: They can identify the correct channels and know the risks of using messaging apps.
- Ask: Request to see any recorded instances of attempted transmission of sensitive data through messaging apps.
  Good: There is evidence that alerts are generated and reviewed.
- Good: Adherence to the policy, as demonstrated through secure systems.
Cross-framework mappings
How ISM-0240 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.10 | ISM-0240 requires that paging, MMS, SMS and messaging apps are not used to communicate sensitive or classified data | |
| Supports (3) | | |
| Annex A 5.12 | ISM-0240 prohibits communicating sensitive or classified data via paging and messaging services | |
| Annex A 5.13 | ISM-0240 requires organisations to prevent staff from using SMS/MMS/paging/messaging apps to transmit sensitive or classified data | |
| Annex A 5.14 | Annex A 5.14 requires organisations to establish rules and procedures that control how information is transferred, including selecting ap... | |
| Related (1) | | |
| Annex A 8.12 | Annex A 8.12 requires organisations to apply data leakage prevention measures wherever sensitive information is processed, stored, or tra... | |