Use Approved Platforms for Secure Mobile Access
Use only ASD-approved mobile platforms for accessing SECRET or TOP SECRET data.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
S, TS
🗓️ ISM last updated
Aug 2023
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device managementMobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated in accordance with the latest version of their associated Australian Communications Security Instruction.
Source: ASD Information Security Manual (ISM)
Plain language
For data that's really sensitive, like secret or top-secret government information, it's crucial to use mobile devices that have been checked and approved by experts in Australia. This is important because if we use insecure devices, there's a risk that confidential data could be stolen or leaked, which could lead to serious national security issues.
Why it matters
Using non-approved mobile platforms for SECRET data can lead to unauthorised access and severe national security breaches.
Operational notes
Use only ASD Approval for Use mobile platforms for SECRET/TOP SECRET access, and operate them per the latest ACSI, including configuration and update requirements.
Implementation tips
- Organisational leaders should ensure that only mobile devices approved by the Australian Signals Directorate (ASD) are used for accessing sensitive data. This means verifying the ASD's list of approved devices and only procuring from that list.
- IT teams should check that all mobile devices used for accessing secret and top-secret information are set up according to the latest Australian Communications Security Instruction. This involves reviewing the setup instructions and applying all recommended security configurations.
- Procurement officers need to collaborate with IT to ensure that when new devices are purchased, they are not only ASD-approved but also configured appropriately before use. This can involve a checklist to ensure each device is compliant before distribution to users.
- Managers should conduct regular training sessions for staff on the importance of using approved devices for sensitive information. This can be done through workshops or informational emails that explain the risks and the expected practices.
- Security teams should perform regular audits on the mobile devices being used to ensure compliance with ASD requirements. This means checking device settings and software to verify they match the standards outlined in the security instructions.
Audit / evidence tips
-
Ask: the list of mobile devices currently in use for accessing secret or top-secret data
Good: is all devices matching the approved list and having recent certification dates
-
Good: shows these settings are up-to-date and conform to official guidance
-
Ask: training records related to mobile device security
Good: includes comprehensive training covering ASD requirements and proof that all relevant staff attended
-
Good: has clear records showing that only approved devices are procured
-
Ask: the results of recent audits on mobile device compliance
Good: shows no significant issues were found, or if there were, they were promptly addressed
Cross-framework mappings
How ISM-0687 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 5.15 | ISM-0687 requires that mobile devices used to access SECRET or TOP SECRET systems/data are on ASD-approved mobile platforms and operated ... | |
| Annex A 8.1 | ISM-0687 requires ASD-approved mobile platforms for accessing SECRET or TOP SECRET systems or data, with operation aligned to the applica... | |