ISM-0249: ASD Information Security Manual (ISM)

Separate Classified and Personal Data on Personal Devices

Private devices must keep classified work data separate from personal data to protect sensitive info.

Plain language

This control means you need to keep work data separate from personal data on your devices. It's important because mixing the two could lead to sensitive work information being accessed by the wrong people, risking data breaches and loss of trust.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

System owners deploying SECRET or TOP SECRET systems in mobile platforms, or as a deployable capability, contact ASD for an emanation security risk assessment.
Source: ASD Information Security Manual (ISM), ISM-0249

Why it matters

Mixing work and personal data on devices can lead to unauthorised access, data breaches, and loss of sensitive information.

Operational notes

Regularly review device management policies and ensure ongoing employee awareness to maintain clear data separation on all personal devices used for work.

Implementation tips

  • The IT team should create separate user profiles on personal devices for work and personal use. This helps ensure that classified work data stays within the work account, reducing the risk of accidental sharing with personal contacts.
  • Managers should educate employees on the importance of not storing work files in personal directories. Hold a short awareness session highlighting the risks and consequences of data breaches.
  • System administrators should configure devices to disable sharing of work data via personal apps. Use device management software to prevent access to work files through unapproved applications.
  • HR should ensure new employees sign an agreement on the use of personal devices for work. Include clauses about data separation responsibilities and potential consequences for non-compliance.
  • Procurement should check that any devices used for work have updated security features. Ensure they support user profiles and can run the necessary security apps to enforce data separation.

Audit / evidence tips

  • Ask: user profile configuration records. Look at: if profiles clearly separate work and personal use. Good: includes profiles differentiated by use with access controls in place.
  • Good: shows settings that restrict work data from being copied to personal apps.
  • Ask: to see the employee training materials and attendance logs. Look at: comprehensive sessions covering data separation. Good: includes updated materials and regular attendance from staff.
  • Good: is all agreements duly signed and on file.
  • Ask: the list of approved personal devices used for work. Ensure each device meets the organisation’s security standards. Good: is a current list with compliance checks for each device.

Cross-framework mappings

How ISM-0249 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Supports (1)
Annex A 5.5 ISM-0249 requires system owners deploying SECRET or TOP SECRET systems on mobile platforms or as a deployable capability to contact ASD f...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
