ISM-0249 ASD Information Security Manual (ISM)

Separate Classified and Personal Data on Personal Devices

Private devices must keep classified work data separate from personal data to protect sensitive information.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
System owners deploying SECRET or TOP SECRET systems in mobile platforms, or as a deployable capability, contact ASD for an emanation security risk assessment.

Source: ASD Information Security Manual (ISM)

Plain language

This control means you need to keep work data separate from personal data on your devices. It's important because mixing the two could lead to sensitive work information being accessed by the wrong people, risking data breaches and loss of trust.

Why it matters

Mixing work and personal data on devices can lead to unauthorised access, data breaches, and loss of sensitive information.

Operational notes

Regularly review device management policies and ensure ongoing employee awareness to maintain clear data separation on all personal devices used for work.

Implementation tips

  • The IT team should create separate user profiles on personal devices for work and personal use. This helps ensure that classified work data stays within the work account, reducing the risk of accidental sharing with personal contacts.
  • Managers should educate employees on the importance of not storing work files in personal directories. Hold a short awareness session highlighting the risks and consequences of data breaches.
  • System administrators should configure devices to disable sharing work data via personal apps. Use device management software to prevent access to work files through unapproved applications.
  • HR should ensure new employees sign an agreement on the use of personal devices for work. Include clauses about data separation responsibilities and potential consequences for non-compliance.
  • Procurement should check that any devices used for work have updated security features. Ensure they support user profiles and can run necessary security apps to enforce data separation.

Audit / evidence tips

  • Ask: for user profile configuration records

    Look at: whether profiles clearly separate work and personal use

    Good: includes profiles differentiated by use with access controls in place

  • Good: shows settings that restrict work data from being copied to personal apps

  • Ask: to see the employee training materials and attendance logs

    Look at: comprehensive sessions covering data separation

    Good: includes updated materials and regular attendance from staff

  • Good: all agreements are duly signed and on file

  • Ask: for the list of approved personal devices used for work. Ensure each device meets the organisation’s security standards

    Good: a current list with compliance checks for each device

Cross-framework mappings

How ISM-0249 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Supports (1)
Annex A 5.5 ISM-0249 requires system owners deploying SECRET or TOP SECRET systems on mobile platforms or as a deployable capability to contact ASD f...
