Use Approved Platforms for Secure Mobile Access
Use only ASD-approved mobile platforms for accessing SECRET or TOP SECRET data.
Plain language
For data that's really sensitive, like secret or top-secret government information, it's crucial to use mobile devices that have been checked and approved by experts in Australia. This is important because if we use insecure devices, there's a risk that confidential data could be stolen or leaked, which could lead to serious national security issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device managementOfficial control statement
Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated in accordance with the latest version of their associated Australian Communications Security Instruction.
Why it matters
Using non-approved mobile platforms for SECRET data can lead to unauthorised access and severe national security breaches.
Operational notes
Use only ASD Approval for Use mobile platforms for SECRET/TOP SECRET access, and operate them per the latest ACSI, including configuration and update requirements.
Implementation tips
- Organisational leaders should ensure that only mobile devices approved by the Australian Signals Directorate (ASD) are used for accessing sensitive data. This means verifying the ASD's list of approved devices and only procuring from that list.
- IT teams should check that all mobile devices used for accessing secret and top-secret information are set up according to the latest Australian Communications Security Instruction. This involves reviewing the setup instructions and applying all recommended security configurations.
- Procurement officers need to collaborate with IT to ensure that when new devices are purchased, they are not only ASD-approved but also configured appropriately before use. This can involve a checklist to ensure each device is compliant before distribution to users.
- Managers should conduct regular training sessions for staff on the importance of using approved devices for sensitive information. This can be done through workshops or informational emails that explain the risks and the expected practices.
- Security teams should perform regular audits on the mobile devices being used to ensure compliance with ASD requirements. This means checking device settings and software to verify they match the standards outlined in the security instructions.
Audit / evidence tips
-
Askthe list of mobile devices currently in use for accessing secret or top-secret data
Goodis all devices matching the approved list and having recent certification dates
-
Goodshows these settings are up-to-date and conform to official guidance
-
Asktraining records related to mobile device security
Goodincludes comprehensive training covering ASD requirements and proof that all relevant staff attended
-
Goodhas clear records showing that only approved devices are procured
-
Askthe results of recent audits on mobile device compliance
Goodshows no significant issues were found, or if there were, they were promptly addressed
Cross-framework mappings
How ISM-0687 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 5.15 | ISM-0687 requires that mobile devices used to access SECRET or TOP SECRET systems/data are on ASD-approved mobile platforms and operated ... | |
| Annex A 8.1 | ISM-0687 requires ASD-approved mobile platforms for accessing SECRET or TOP SECRET systems or data, with operation aligned to the applica... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.